apparmor:apparmor-4.0

Last commit made on 2024-05-14
Get this branch:
git clone -b apparmor-4.0 https://git.launchpad.net/apparmor

Branch information

Name: apparmor-4.0
Repository: lp:apparmor

Recent commits

af88a13... by Christian Boltz <email address hidden>

Merge Include abi/4.0 when creating a new profile

... with aa-genprof or aa-autodep

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/392

I propose this patch for 4.0 and master.

Closes #392
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1231
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit 74316fe1523639d90d57d10d7bf28968fb1fe918)

6c8ef381 Include abi/4.0 when creating a new profile

Co-authored-by: Christian Boltz <email address hidden>

8e74855... by Georgia Garcia

Merge Handle mount events/log entries without class

audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.

Change logparser.py to also consider `operation=mount` as a mount event.

Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.

Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.

Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.

I propose this fix for 4.0 and master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1229
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Georgia Garcia <email address hidden>

(cherry picked from commit 48a936e98512258471a9912a405b0bd2aa915a43)

b475ed0d Handle mount events/log entries without class

Co-authored-by: Georgia Garcia <email address hidden>

951ea5b... by John Johansen <email address hidden>

Merge Cherry-pick: MountRule: Relaxing constraints on fstype and completing AARE support

 - Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
 - Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit baa8b67248f3467cde40683600d7a945b05f9a3b)

dad5ee28 MountRule: Relaxing constraints on fstype and completing AARE support

Co-authored-by: Christian Boltz <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1228
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>

eee5053... by Georgia Garcia

Merge MountRule: Relaxing constraints on fstype and completing AARE support

 - Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
 - Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit baa8b67248f3467cde40683600d7a945b05f9a3b)

dad5ee28 MountRule: Relaxing constraints on fstype and completing AARE support

Co-authored-by: Christian Boltz <email address hidden>

86be5d3... by Christian Boltz

util/test/: Don't rely on argparse saying "options:"

Some argparse versions (for example on openSUSE Leap 15.5) instead say
"optional arguments:"

Don't rely on the "options:" line to allow both wordings.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1226
Approved-by: Steve Beattie <email address hidden>
Cherrypicked-by: Steve Beattie <email address hidden>

b7f9b66... by Georgia Garcia

Merge gitlab-ci.yml: fix pipeline for ubuntu:latest (noble)

Since we are using ubuntu:latest, and noble was released, some tests
are failing.

shellcheck needs python3 to run, which was possibly installed by
default in previous ubuntu images and is no longer the case.

Ignore dist-packages python files during our coverage tests.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388

Signed-off-by: Georgia Garcia <email address hidden>

Closes #388
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1223
Merged-by: Steve Beattie <email address hidden>

(cherry picked from commit 8c9ac7a84eeff7bbf49e7bedb6f05be08d1dd6a3)

731880de gitlab-ci.yml: fix pipeline for ubuntu:latest (noble)
aaad725a apparmor.systemd: fix shellcheck false positive

Co-authored-by: Steve Beattie <email address hidden>

6d1e5db... by John Johansen <email address hidden>

Merge profiles: add fixes for samba from issue #386

Signed-off-by: Alex Murray <email address hidden>

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1219
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 1457eada8b421b4f39eb6e1381efecd2f3adcac7)
Signed-off-by: John Johansen <email address hidden>

f117337... by John Johansen <email address hidden>

Merge Fix redefinition of _

... which unsurprisingly broke using the translations.

This was a regression introduced in 4f51c93f9dc2516a32bfccc79b4dcf4985e61f47

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/387

This fix is needed in 4.0 and master. (3.x branches are not affected.)

Closes #387
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1218
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>

(cherry picked from commit 79226675fdfd99a2a260802b02a5f812ccc9d3f0)
Signed-off-by: John Johansen <email address hidden>

b0eb954... by John Johansen

Prepare for AppArmor 4.0.1 release

AppArmor 4.0.1 will be the official release superseding the 4.0.0 tag,
the only change being it adds a regression test for CVE-2016-1585.

- update version file

Signed-off-by: John Johansen <email address hidden>

5ad4efe... by John Johansen <email address hidden>

Merge regression tests: add mount test for CVE-2016-1585

Add infrastructure for calling the mount test binary with an fstype
instead of using the default hardcoded ext2 type, and then use that in a
test that exercises CVE-2016-1585, ensuring that mounting a procfs
filesystem isn't permitted when the only mount rule is

  mount options=(rw,make-slave) -> **,

to try to ensure that the generated and enforced policy is restricted to
what is intended.

Signed-off-by: Steve Beattie <email address hidden>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1211
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 93c4c6fb9f3c837d1f26700d8d33a97303737e23)
Signed-off-by: John Johansen <email address hidden>