cc7d41e... by Georgia Garcia on 2024-05-02
Merge gitlab-ci.yml: fix pipeline for ubuntu:latest (noble)
Since we are using ubuntu:latest, and noble was released, some tests
are failing.
shellcheck needs python3 to run, which was possibly installed by
default in previous ubuntu images and is no longer the case.
Ignore dist-packages python files during our coverage tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <email address hidden>
Closes #388
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1223
Merged-by: Steve Beattie <email address hidden>
(cherry picked from commit 8c9ac7a84eeff7bbf49e7bedb6f05be08d1dd6a3)
731880de gitlab-ci.yml: fix pipeline for ubuntu:latest (noble)
aaad725a apparmor.systemd: fix shellcheck false positive
Co-authored-by: Steve Beattie <email address hidden>
6973865... by John Johansen <email address hidden> on 2024-04-22
Merge profiles: add fixes for samba from issue #386
Signed-off-by: Alex Murray <email address hidden>
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1219
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 1457eada8b421b4f39eb6e1381efecd2f3adcac7)
Signed-off-by: John Johansen <email address hidden>
97818f6... by John Johansen on 2024-04-08
Revert abi change for unix_chkpwd introduced by 8ec76907c
commit 8ec76907c Merge Allow pam_unix to execute unix_chkpwd
is a backport of a fix but that fix also updated the abi and that change
was unfortunately not dropped when it should have been.
Signed-off-by: John Johansen <email address hidden>
af0ace2... by John Johansen <email address hidden> on 2024-04-03
Merge Move pam-related permissions to abstractions/authentication
... instead of keeping them in the smbd profile.
For details, see c09f58a364594607cdf5703d6e11aec14ade3ea8 and
https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
Also replace /usr/etc/ with @{etc_ro} so that also /etc/ is covered.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1191
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit f33488478753d2f4138150cfc69b9d120a7e7f25)
Signed-off-by: John Johansen <email address hidden>
8ec7690... by John Johansen <email address hidden> on 2024-03-14
Merge Allow pam_unix to execute unix_chkpwd
Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itself. Add exec permissions to abstraction/authentication.
It also needs to read /proc/@{pid}/loginuid
Also cleanup the now-superfluous rules from the smbd profile.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1181
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 9a1838016c18aea24fde26858311b48b2fd8f3d6)
Signed-off-by: John Johansen <email address hidden>
a1c05bb... by John Johansen <email address hidden> on 2024-03-12
Merge abstractions/crypto: allow read of more common crypto configuration files
Administrators might want to define global limits (e.g. disabling
a particular feature) via configuration files, but to make that work
all confined software needs to be allowed to read those files or
otherwise the risk is to silently fall back to internal defaults.
This adds the paths usually used by gnutls and openssl to improve these kinds of use cases.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2056739
Fixes: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2056747
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1178
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3d1dedfa7e75ff67ec9282d1c7c42ddb53422595)
Signed-off-by: John Johansen <email address hidden>
60efb98... by John Johansen <email address hidden> on 2024-04-03
Merge profiles/samba*: allow /etc/gnutls/config & @{HOMEDIRS}
# abstractions/samba: allow /etc/gnutls/config
Various samba components want to read it. Without it, shares cannot be accessed.
apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24037 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24036 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24041 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24039 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=24040 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=24035 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
# profiles/apparmor.d/samba-rpcd-classic: allow @{HOMEDIRS}
Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that
usershares in /home/ can be accessed.
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/379
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1200
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 5998a0021a4f7527fe0b64771e5b9efe71267d8e)
Signed-off-by: John Johansen <email address hidden>
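A triage sketch for denials like the ones quoted in this commit message (an added example, not part of the commit or the AppArmor tree): it parses audit records and reports paths denied under several profiles, the case where a rule belongs in a shared abstraction such as abstractions/samba rather than in each profile. The sample records are constructed from the lines above, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the denials quoted above; the last record shows
# the audit subsystem's hex encoding of a name that contains a space.
_TAIL = 'requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
SAMPLE = [
    f'apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" {_TAIL}',
    f'apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" {_TAIL}',
    f'apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" {_TAIL}',
    f'apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" {_TAIL}',
    f'apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name=2F686F6D652F757365722F6D792073686172652F pid=4781 comm="rpcd_classic" {_TAIL}',
]

# key="quoted value" or key=bare; a bare value may not start with a quote, so a
# wrapper such as msg='apparmor="DENIED" ...' does not swallow the inner fields.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s\'"]+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the fields of one AppArmor DENIED record as a dict, else None."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in ("name", "profile", "comm") and HEX.fullmatch(bare):
            # Unquoted string fields are hex-encoded by the audit subsystem.
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields if fields.get("apparmor") == "DENIED" else None

def file_denials(lines):
    """Group denied file accesses as {profile: {path: set of mask letters}}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_denial(line)
        if rec and rec.get("class") == "file" and "name" in rec:
            out[rec.get("profile", "?")][rec["name"]].update(rec.get("denied_mask", ""))
    return out

def shared_paths(denials, min_profiles=2):
    """Paths denied under several profiles: candidates for an abstraction rule."""
    by_path = defaultdict(set)
    for profile, paths in denials.items():
        for path in paths:
            by_path[path].add(profile)
    return {p: sorted(s) for p, s in by_path.items() if len(s) >= min_profiles}
```

The output is a review list, not a rule generator: each path still needs a decision on whether the confined program should be able to read it.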
63f576c... by John Johansen <email address hidden> on 2024-04-03
Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04
Testing on noble turned these up:
`2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"`
`2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"`
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3aa40249cf153c17be5ad9d20a77365915397000)
Signed-off-by: John Johansen <email address hidden>
8acd1e5... by Christian Boltz on 2024-03-29
Merge Fix several typos
Signed-off-by: Zygmunt Krynicki <email address hidden>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1199
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>
(cherry picked from commit d23a864c2c06d6295701bc96c214c523f3a7a5de)
d274eb39 fix typo: accumulate
6fddd31b fix typo: aggressive
42e7f5a5 fix typo: exercised
f750a8a2 fix typo: parameter
358a8a6a fix typo: globally
1f11ddd... by Georgia Garcia on 2024-03-12
Merge Fix test-aa-notify on openSUSE Tumbleweed (new 'last')
The new 2037-proof `last` on openSUSE Tumbleweed doesn't support the
`-1` option.
Remove it, and cut off the output manually.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1180
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Georgia Garcia <email address hidden>
(cherry picked from commit ae978c19530e949e4fe6b69588d6295d039ee095)
d19db55a Fix test-aa-notify on openSUSE Tumbleweed (new 'last')