[apparmor] Reminder: IRC meeting today
Hello,

http://wiki.apparmor.net/index.php/MeetingAgenda says we have a meeting today 20:00 UTC - that's in about 8 hours ;-)

For me, it's an hour later than usual because we have summer time now. Don't ask how many (wo)man-hours are wasted to set most[1] clocks in Europe twice a year...

Regards,

Christian Boltz

[1] I'm not sure if all countries in Europe use summer time. Also, there are more clever clocks (like in your computer) that fix themselves ;-)

-- 
Keep your hands off Linux if you only want to have Linux because it is cool to have Linux. Linux wants to be loved.
[Bernd Brodesser in suse-linux]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
[apparmor] [patch] update postfix-common abstraction
Update the postfix-common abstraction to cope with signal and unix socket mediation, update the access to the sasl library locations in a multiarch compliant way, and allow access to limited bits of the filesystem paths under which postfix chroots itself to (/var/spool/postfix/ on Ubuntu).

Nominated for trunk and 2.9.

Signed-off-by: Steve Beattie st...@nxnw.org

---
 profiles/apparmor.d/abstractions/postfix-common | 19 +++
 1 file changed, 15 insertions(+), 4 deletions(-)

Index: b/profiles/apparmor.d/abstractions/postfix-common
===
--- a/profiles/apparmor.d/abstractions/postfix-common
+++ b/profiles/apparmor.d/abstractions/postfix-common
@@ -1,6 +1,7 @@ # -- # #Copyright (C) 2002-2005 Novell/SUSE +#Copyright (C) 2015 Canonical, Ltd. # #This program is free software; you can redistribute it and/or #modify it under the terms of version 2 of the GNU General Public @@ -14,11 +15,21 @@ capabilitysetgid, capabilitysys_chroot, + # postfix's master can send us signals + signal receive peer=/usr/lib/postfix/master, + + unix (send, receive) peer=(label=/usr/lib/postfix/master), + + /etc/mailname r, /etc/postfix/*.cf r, /etc/postfix/*.db r, @{PROC}/net/if_inet6 r, /usr/lib/postfix/*.so mr, - /usr/lib64/sasl2/*mr, - /usr/lib64/sasl2/ r, - /usr/lib/sasl2/* mr, - /usr/lib/sasl2/ r, + /usr/lib{,32,64}/sasl2/*mr, + /usr/lib{,32,64}/sasl2/ r, + /usr/lib/@{multiarch}/sasl2/* mr, + /usr/lib/@{multiarch}/sasl2/ r, + + /var/spool/postfix/etc/*r, + /var/spool/postfix/lib/lib*.so* mr, + /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,

-- 
Steve Beattie
sbeat...@ubuntu.com
http://NxNW.org/~steve/
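Review bot: in the second hunk, the new `signal receive peer=/usr/lib/postfix/master` and `unix (send, receive) peer=(label=/usr/lib/postfix/master)` rules only take effect when the master daemon is confined under a profile named exactly `/usr/lib/postfix/master`; since the sasl lines in the same hunk were just generalized with `@{multiarch}` and `lib{,32,64}`, that path is now the one hard-coded assumption left in the abstraction and deserves a comment naming the profile it expects. The `unix` rule also carries no `type=` restriction, so it is worth stating in the commit message whether the master/child channel is known to be stream-only. Finally, `/var/spool/postfix/etc/* r,` grants read on every file in the chroot's etc directory, which is broader than the "limited bits" the description promises; if the set of files postfix copies there is known, listing them would match the description.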
[apparmor] [patch 0/3] introduce and use NetworkRule and NetworkRuleset classes
Hello,

this patchset introduces and uses the NetworkRule and NetworkRuleset classes and changes aa.py etc. to use them instead of a sub-hasher.

Regards,

Christian Boltz

-- 
rpmdb: PANIC: fatal region error detected; run recovery
You don't happen to live in Bielefeld, do you?
[Cornelia Böttge and Michael Raab in opensuse-de]
[apparmor] [patch 1/3] Add NetworkRule and NetworkRuleset classes
Hello,

this patch adds utils/apparmor/rule/network.py with the NetworkRule and NetworkRuleset classes. These classes are meant to handle network rules.

In comparison to the existing code in aa.py, the relevant news is:

- the keywords are checked against a list of allowed domains, types and protocols (these lists are based on what the utils/vim/Makefile generates - in the long term an autogenerated file with the keywords for all rule types would be nice ;-)
- there are variables for domain and type_or_protocol instead of first_param and second_param. (If someone is bored enough to map the protocol shortcuts to their expanded meaning, that shouldn't be too hard.)
- (obviously) more readable code because we have everything in one place now
- some bugs are fixed along the way (for example, "network foo" will now be kept, not "network foo bar" - see my last mail about write_net_rules() for details)

[ 44-add-NetworkRule-and-NetworkRuleset-classes.diff ]

=== added file 'utils/apparmor/rule/network.py'
--- utils/apparmor/rule/network.py 1970-01-01 00:00:00 +
+++ utils/apparmor/rule/network.py 2015-04-14 20:47:40 +
@@ -0,0 +1,210 @@ +#!/usr/bin/env python +# -- +#Copyright (C) 2013 Kshitij Gupta kgupta8...@gmail.com +#Copyright (C) 2015 Christian Boltz appar...@cboltz.de +# +#This program is free software; you can redistribute it and/or +#modify it under the terms of version 2 of the GNU General Public +#License as published by the Free Software Foundation. +# +#This program is distributed in the hope that it will be useful, +#but WITHOUT ANY WARRANTY; without even the implied warranty of +#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +#GNU General Public License for more details. +# +# -- + +import re + +from apparmor.regex import RE_PROFILE_NETWORK +from apparmor.common import AppArmorBug, AppArmorException +from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers + +# setup module translations +from apparmor.translations import init_translation +_ = init_translation() + + +network_domain_keywords = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6', + 'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna', + 'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet', + 'ieee802154', 'caif', 'alg', 'nfc', 'vsock' ] +# missing in manpage: 'unix', 'rds', 'llc', 'can', 'tipc', 'iucv', 'rxrpc', 'isdn', 'phonet', 'ieee802154', 'caif', 'alg', 'nfc', 'vsock' + +network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet'] +network_protocol_keywords = ['tcp', 'udp', 'icmp'] + + +RE_NETWORK_DOMAIN = '(' + '|'.join(network_domain_keywords) + ')' +RE_NETWORK_TYPE = '(' + '|'.join(network_type_keywords) + ')' +RE_NETWORK_PROTOCOL = '(' + '|'.join(network_protocol_keywords) + ')' + +RE_NETWORK_DETAILS = re.compile( +'^\s*(' + +'(?Pdomain' + RE_NETWORK_DOMAIN + ')(\s+(?Ptype_or_protocol' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' 
+ # domain, optional type or protocol +'|' + # or +'(?Pprotocol' + RE_NETWORK_PROTOCOL + ')' + # protocol only +')\s*$') + + + + + + + +class NetworkRule(BaseRule): +'''Class to handle and store a single network rule''' + +# Nothing external should reference this class, all external users +# should reference the class field NetworkRule.ALL +class __NetworkAll(object): +pass + +ALL = __NetworkAll + +def __init__(self, domain, type_or_protocol, audit=False, deny=False, allow_keyword=False, + comment='', log_event=None): + +''' + NETWORK RULE = 'network' [ [ DOMAIN [ TYPE | PROTOCOL ] ] | [ PROTOCOL ] ] ',' +''' + +super(NetworkRule, self).__init__(audit=audit, deny=deny, + allow_keyword=allow_keyword, + comment=comment, + log_event=log_event) + +self.domain = None +self.all_domains = False +if domain == NetworkRule.ALL: +self.all_domains = True +elif type(domain) == str: +if domain in network_domain_keywords: +self.domain = domain +else: +raise AppArmorBug('Passed unknown domain to NetworkRule: %s' % str(domain)) +else: +raise AppArmorBug('Passed unknown object to NetworkRule: %s' % str(domain)) + +self.type_or_protocol = None +self.all_type_or_protocols = False +if type_or_protocol == NetworkRule.ALL: +
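Review bot: the domain check `elif type(domain) == str:` in `NetworkRule.__init__` sends any `unicode` string down the `raise AppArmorBug('Passed unknown object to NetworkRule ...')` branch on Python 2, although the file's shebang is plain `#!/usr/bin/env python` and the utils are run under both interpreters; use `isinstance()` with the unicode alias, or simply test `domain in network_domain_keywords` first and only then reject non-strings. The patterns fed to `re.compile` are built from non-raw strings containing `\s` (for example `'^\s*('`); raw string literals avoid invalid-escape warnings on newer interpreters and make the regex easier to read. The `# missing in manpage:` comment lists keywords that apparmor.d(5) does not document, which is a documentation gap worth filing separately so it does not get lost in a code comment.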
[apparmor] [patch 2/3] Add tests for NetworkRule and NetworkRuleset
Hello,

this patch adds utils/test/test-network.py with tests for NetworkRule and NetworkRuleset.

The tests are hopefully self-explanatory, so let me just mention the most important things:

- I started to play with namedtuple, which looks very useful (see exp)
- the test loops make the tests much more readable (compare with test-capability.py!) and make it easy to add some more tests
- 100% coverage :-)

[ 45-add-tests-for-NetworkRule.diff ]

=== added file 'utils/test/test-network.py'
--- utils/test/test-network.py 1970-01-01 00:00:00 +
+++ utils/test/test-network.py 2015-04-14 21:19:41 +
@@ -0,0 +1,428 @@ +#!/usr/bin/env python +# -- +#Copyright (C) 2015 Christian Boltz appar...@cboltz.de +# +#This program is free software; you can redistribute it and/or +#modify it under the terms of version 2 of the GNU General Public +#License as published by the Free Software Foundation. +# +#This program is distributed in the hope that it will be useful, +#but WITHOUT ANY WARRANTY; without even the implied warranty of +#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +#GNU General Public License for more details. +# +# -- + +import unittest +from common_test import AATest, setup_all_tests +from collections import namedtuple + +from apparmor.rule.network import NetworkRule, NetworkRuleset +from apparmor.rule import BaseRule, parse_modifiers +from apparmor.common import AppArmorException, AppArmorBug +from apparmor.logparser import ReadLog + +import re + +exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', +'domain', 'all_domains', 'type_or_protocol', 'all_type_or_protocols']) + +# --- tests for single NetworkRule --- # + +class NetworkTest(AATest): +def _compare_obj(self, obj, expected): +self.assertEqual(expected.allow_keyword, obj.allow_keyword) +self.assertEqual(expected.audit, obj.audit) +self.assertEqual(expected.domain, obj.domain) +self.assertEqual(expected.type_or_protocol, obj.type_or_protocol) +self.assertEqual(expected.all_domains, obj.all_domains) +self.assertEqual(expected.all_type_or_protocols, obj.all_type_or_protocols) +self.assertEqual(expected.deny, obj.deny) +self.assertEqual(expected.comment, obj.comment) + +class NetworkTestParse(NetworkTest): +tests = [ +# rawrule audit allow deny commentdomainall? type/proto all? 
+('network,' , exp(False, False, False, '' , None , True , None , True )), +('network inet,', exp(False, False, False, '' , 'inet', False, None , True )), +('network inet stream,' , exp(False, False, False, '' , 'inet', False, 'stream' , False)), +('deny network inet stream, # comment' , exp(False, False, True , ' # comment' , 'inet', False, 'stream' , False)), +('audit allow network tcp,' , exp(True , True , False, '' , None , True , 'tcp', False)), +] + +def _run_test(self, rawrule, expected): +obj = NetworkRule.parse(rawrule) +self.assertEqual(rawrule.strip(), obj.raw_rule) +self._compare_obj(obj, expected) + +class NetworkTestParseInvalid(NetworkTest): +tests = [ +('network stream,' , AppArmorException), # domain missing +('network foo,' , AppArmorException), +('network foo bar,' , AppArmorException), +('network foo tcp,' , AppArmorException), +('network inet bar,', AppArmorException), +] + +def _run_test(self, rawrule, expected): +with self.assertRaises(expected): +NetworkRule.parse(rawrule) + +class NetworkTestParseFromLog(NetworkTest): +def test_net_from_log(self): +parser = ReadLog('', '', '', '', '') +event = 'type=AVC msg=audit(1428699242.551:386): apparmor=DENIED operation=create profile=/bin/ping pid=10589 comm=ping family=inet sock_type=raw protocol=1' + +parsed_event = parser.parse_event(event) + +self.assertEqual(parsed_event, { +'request_mask': set(), +'denied_mask': set(), +'error_code': 0, +'family': 'inet', +'magic_token': 0, +'parent': 0, +'profile': '/bin/ping', +'protocol': 'icmp', +'sock_type': 'raw', +'operation': 'create', +'resource': None, +'info': None, +'aamode': 'REJECTING', +'time': 1428699242, +'active_hat': None, +'pid': 10589, +'task': 0, +'attr': None, +'name2':
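Review bot: `import re` near the top of test-network.py is not used by any test in the visible part of the file and should be dropped. The `exp` namedtuple is positional, so the column-header comment above `NetworkTestParse.tests` (rawrule, audit, allow, deny, comment, domain, all?, type/proto, all?) is doing real work; consider using keyword arguments in the longer entries, otherwise a field added later silently shifts every column. `NetworkTestParseFromLog.test_net_from_log` compares the complete `ReadLog.parse_event()` dict, including unrelated keys such as `'time': 1428699242`, `'aamode': 'REJECTING'` and `'magic_token': 0`, so any later change to the log parser's output breaks a NetworkRule test; asserting only on `family`, `sock_type` and `protocol` (and the NetworkRule built from them) keeps the test focused on what this patch adds.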
[apparmor] [patch 3/3] Convert existing code to use NetworkRule and NetworkRuleset
Hello,

Change aa.py to use NetworkRule and NetworkRuleset instead of a sub-hasher to store, check and write network rules. In detail:

- drop profile_known_network() and use is_known_rule() instead
- replace match_net_includes() usage with match_includes() calls
- drop delete_net_duplicates(), use the code in NetworkRule(set) instead
- make match_net_includes() (still used by aa-mergeprof) a wrapper for match_includes()
- drop all the network rule parsing from parse_profile_data() and serialize_profile_from_old_profile() - instead, just call NetworkRule.parse
- now that write_net_rules() got fixed, drop it ;-)
- change write_netdomain to use NetworkRuleset
- drop netrules_access_check() - that's is_covered() now
- use 'network' instead of 'netdomain' as storage keyword (log events still use 'netdomain')

Also update cleanprofile.py to use the NetworkRuleset class. This also means deleting the (now superfluous) delete_net_duplicates() function.

Finally, there are some changes in regex.py:

- change RE_PROFILE_NETWORK in regex.py to named matches and to use RE_COMMA_EOL (not only RE_EOL)
- drop the no longer needed RE_NETWORK_FAMILY and RE_NETWORK_FAMILY_TYPE (rule/network.py has regexes that check against the list of available keywords)

Note: Some parts of this patch will only apply if you apply my other pending patches first.

Diffstat for all 3 patches:

 apparmor/aa.py           | 224 +++-
 apparmor/cleanprofile.py |  38
 apparmor/regex.py        |   4
 apparmor/rule/network.py | 210 +++
 test/test-network.py     | 428 +++
 5 files changed, 673 insertions(+), 231 deletions(-)

[ 46-convert-to-use-NetworkRule.diff ]

=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2015-04-11 00:20:31 +
+++ utils/apparmor/aa.py 2015-04-11 18:04:51 +
@@ -45,7 +45,7 @@ RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, RE_PROFILE_CONDITIONAL, RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN, RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY, RE_PROFILE_NETWORK, -RE_NETWORK_FAMILY_TYPE, RE_NETWORK_FAMILY, RE_PROFILE_CHANGE_HAT, +RE_PROFILE_CHANGE_HAT, RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT, RE_PROFILE_SIGNAL, RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT, RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT, @@ -54,6 +54,7 @@ import apparmor.rules as aarules from apparmor.rule.capability import CapabilityRuleset, CapabilityRule +from apparmor.rule.networkimport NetworkRuleset,NetworkRule from apparmor.rule import parse_modifiers from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast @@ -1450,8 +1451,6 @@ if stub_profile[hat][hat].get('include', False): aa[profile][hat]['include'] = stub_profile[hat][hat]['include'] -aa[profile][hat]['allow']['netdomain'] = hasher() - file_name = aa[profile][profile]['filename'] filelist[file_name]['profiles'][profile][hat] = True @@ -1958,11 +1957,12 @@ for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()): # severity handling for net toggles goes here for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()): -if profile_known_network(aa[profile][hat], family, sock_type): +network_obj = NetworkRule(family, sock_type) +if is_known_rule(aa[profile][hat], 'network', network_obj): continue default_option = 1 options = [] -newincludes = match_net_includes(aa[profile][hat], family, sock_type) +newincludes = match_includes(aa[profile][hat], 'network', network_obj) q = aaui.PromptQuestion() if newincludes: options += list(map(lambda s: '#include %s' % s, sorted(set(newincludes 
@@ -2031,8 +2031,7 @@ aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) else: - aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = audit_toggle - aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True + aa[profile][hat]['network'].add(NetworkRule(family, sock_type, audit=audit_toggle))
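Review bot: the hunk at `@@ -1450` removes the `aa[profile][hat]['allow']['netdomain'] = hasher()` initialisation and the hunk at `@@ -2031` calls `aa[profile][hat]['network'].add(NetworkRule(...))`, but none of the visible hunks creates `aa[profile][hat]['network']` as a NetworkRuleset; if the profile dict is still a hasher, the autovivified value is an empty hasher without `add()`, so please point at where every profile/hat creation path (including the stub-profile path in the `@@ -1450` function) initialises `'network'`. In the `@@ -1958` hunk, `NetworkRule(family, sock_type)` is built straight from log event values, and the NetworkRule constructor in patch 1/3 raises AppArmorBug for a family outside its keyword list, so one log line with an unexpected family now aborts the interactive run instead of being skipped; catching that and warning would be friendlier. Minor: the import line `from apparmor.rule.network import NetworkRuleset, NetworkRule` should follow the spacing of the `CapabilityRuleset, CapabilityRule` import above it.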
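The rule model the three patches describe (a keyword-validated NetworkRule, a NetworkRuleset with is_covered() and duplicate removal, and parsing rule text the way aa.py's is_known_rule()/match_includes() consume it after patch 3/3), in a compact, self-contained form. This is an added example written for this page, not code from the AppArmor utils: the keyword lists are copied from the network.py patch, while the two regexes, the ALL sentinel, ValueError in place of AppArmorException/AppArmorBug, and the demo() profile snippet are this example's own assumptions.

```python
import re

# Keyword lists copied from the network.py patch quoted in this thread.
NETWORK_DOMAIN_KEYWORDS = [
    'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
    'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds',
    'sna', 'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc',
    'isdn', 'phonet', 'ieee802154', 'caif', 'alg', 'nfc', 'vsock']
NETWORK_TYPE_KEYWORDS = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
NETWORK_PROTOCOL_KEYWORDS = ['tcp', 'udp', 'icmp']

RE_DOMAIN = '(?:' + '|'.join(NETWORK_DOMAIN_KEYWORDS) + ')'
RE_TYPE = '(?:' + '|'.join(NETWORK_TYPE_KEYWORDS) + ')'
RE_PROTOCOL = '(?:' + '|'.join(NETWORK_PROTOCOL_KEYWORDS) + ')'

# Whole rule, hypothetical regex (not the project's RE_PROFILE_NETWORK):
#   [audit] [allow|deny] network <details> , [# comment]
RE_NETWORK_RULE = re.compile(
    r'^\s*(?:(?P<audit>audit)\s+)?(?:(?P<allowdeny>allow|deny)\s+)?'
    r'network(?P<details>(?:\s+[^\s,#]+)*)\s*,\s*(?P<comment>#.*)?$')
# Details grammar from the patch:  DOMAIN [TYPE | PROTOCOL]   or   PROTOCOL
RE_NETWORK_DETAILS = re.compile(
    r'^\s*(?:(?P<domain>' + RE_DOMAIN + r')(?:\s+(?P<type_or_protocol>' + RE_TYPE + '|' + RE_PROTOCOL + r'))?'
    r'|(?P<protocol>' + RE_PROTOCOL + r'))\s*$')

ALL = object()  # sentinel playing the role of NetworkRule.ALL in the patch


class NetworkRule(object):
    '''One network rule; unknown keywords are rejected in the constructor.'''

    def __init__(self, domain, type_or_protocol, audit=False, deny=False,
                 allow_keyword=False, comment=''):
        if domain is not ALL and domain not in NETWORK_DOMAIN_KEYWORDS:
            raise ValueError('unknown network domain: %r' % (domain,))
        if type_or_protocol is not ALL and type_or_protocol not in (
                NETWORK_TYPE_KEYWORDS + NETWORK_PROTOCOL_KEYWORDS):
            raise ValueError('unknown network type or protocol: %r' % (type_or_protocol,))
        self.all_domains = domain is ALL
        self.domain = None if self.all_domains else domain
        self.all_type_or_protocols = type_or_protocol is ALL
        self.type_or_protocol = None if self.all_type_or_protocols else type_or_protocol
        self.audit, self.deny, self.allow_keyword, self.comment = audit, deny, allow_keyword, comment

    @classmethod
    def parse(cls, raw_rule):
        m = RE_NETWORK_RULE.match(raw_rule)
        if not m:
            raise ValueError('not a network rule: %r' % raw_rule)
        mods = dict(audit=m.group('audit') is not None, deny=m.group('allowdeny') == 'deny',
                    allow_keyword=m.group('allowdeny') == 'allow', comment=m.group('comment') or '')
        details = m.group('details').strip()
        if not details:                 # bare 'network,' covers every domain and type
            return cls(ALL, ALL, **mods)
        d = RE_NETWORK_DETAILS.match(details)
        if not d:                       # 'network foo bar,' or 'network stream,': rejected, not kept
            raise ValueError('invalid network rule: %r' % raw_rule)
        if d.group('domain'):
            return cls(d.group('domain'), d.group('type_or_protocol') or ALL, **mods)
        return cls(ALL, d.group('protocol'), **mods)

    def is_covered(self, other):
        '''True if this rule already grants (or denies) everything `other` does.'''
        if self.deny != other.deny:
            return False
        if other.audit and not self.audit:   # a non-audit rule does not cover an audit rule
            return False
        if not self.all_domains and (other.all_domains or other.domain != self.domain):
            return False
        if not self.all_type_or_protocols and (
                other.all_type_or_protocols or other.type_or_protocol != self.type_or_protocol):
            return False
        return True

    def get_clean(self):
        '''Serialize back to profile syntax, keeping the comment.'''
        parts = (['audit'] if self.audit else []) + (['deny'] if self.deny else
                                                    ['allow'] if self.allow_keyword else [])
        parts += ['network'] + [p for p in (self.domain, self.type_or_protocol) if p is not None]
        return ' '.join(parts) + ',' + (' ' + self.comment if self.comment else '')


class NetworkRuleset(object):
    '''The network rules of one profile (what aa.py keeps under the 'network' key).'''

    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)

    def is_covered(self, rule):
        return any(r.is_covered(rule) for r in self.rules)

    def delete_duplicates(self):
        '''Drop every rule another rule of the set covers; the first of two identical
        rules survives. Returns the number of rules removed.'''
        kept = []
        for i, rule in enumerate(self.rules):
            by_kept = any(k.is_covered(rule) for k in kept)
            by_broader_later = any(r.is_covered(rule) and not rule.is_covered(r)
                                   for r in self.rules[i + 1:])
            if not (by_kept or by_broader_later):
                kept.append(rule)
        deleted = len(self.rules) - len(kept)
        self.rules = kept
        return deleted

    def get_clean(self):
        return [r.get_clean() for r in self.rules]


def demo():
    '''Constructed profile snippet; returns (rules deleted, cleaned rules).'''
    ruleset = NetworkRuleset()
    for raw in ['network inet stream,', 'audit network inet stream,', 'network inet,',
                'network tcp,', 'deny network inet6 dgram, # no IPv6 datagrams']:
        ruleset.add(NetworkRule.parse(raw))
    return ruleset.delete_duplicates(), ruleset.get_clean()
```

demo() drops only the first rule: `audit network inet stream,` covers the non-audit twin, while `network inet,` does not cover an audit rule and `network tcp,` matches a different type, so those stay. Invalid keyword combinations (`network foo bar,`, `network stream,`) raise instead of being written back to the profile, which is the behaviour change the patch description mentions.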
Re: [apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules
Hello,

On Monday, 13 April 2015, Steve Beattie wrote:
> On Tue, Apr 14, 2015 at 12:50:26AM +0200, Christian Boltz wrote:
>> On Monday, 13 April 2015, Steve Beattie wrote:
>>> On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote:
>>>> CleanProf.remove_duplicate_rules() didn't call $profile['capability'].delete_duplicates() because aa-cleanprof sets same_file=True. Fix this by calling delete_duplicates(None) so that it only checks the profile against itself.
>>>>
>>>> [ 43-cleanprof-do-in-profile-run.diff ]
>>>>
>>>> === modified file 'utils/apparmor/cleanprofile.py'
>>>> --- utils/apparmor/cleanprofile.py 2014-12-16 22:13:25 +
>>>> +++ utils/apparmor/cleanprofile.py 2015-04-11 22:35:00 +
@@ -67,6 +67,8 @@ #Clean the duplicates of caps in other profile if not self.same_file: deleted += self.other.aa[program][hat]['capability'].delete_duplicates(self. pro file.aa[program][hat]['capability']) +else: +deleted += self.other.aa[program][hat]['capability'].delete_duplicates(None )
>>>
>>> This patch does not seem to do what you claim it does:
>>
>> Did you also apply 42-in-profile-deduplication.diff before testing?
>> Without that, there's no in-profile deduplication (removing lines covered by includes should work without patch 42).
>
> I didn't initially (nothing in this patch description called out that it depended on that one). However, when I tried patch 42 without patch 43 applied, the testing that I did showed that it deleted the in-profile duplicated capability, so I'm still not clear on why this patch is necessary.

The strange thing is that it's clearly necessary for me - I just tested without it, and it didn't remove in-profile duplicates.

Note that I'm testing with all my pending patches applied [1], however I think only patch 42 is related to cleanprof.

My test profile:

# cat usr.bin.echo
/usr/bin/echo {
  audit capability chown, # drop (1)
  capability dac_override, # drop
  deny capability dac_override,
  capability dac_override, # drop
  audit capability chown, # drop (2)
  deny capability chown, # drop
  audit deny capability chown,
  capability, # drop
  audit capability,
}

Without patch 43, aa-cleanprof doesn't remove any of those rules.
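Review bot: the comment `#Clean the duplicates of caps in other profile` directly above the hunk now describes only the `if not self.same_file:` branch; the new `else:` branch should get its own comment saying that it runs the in-profile pass (`delete_duplicates(None)`) for aa-cleanprof. Since that pass only removes in-profile duplicates once 42-in-profile-deduplication.diff is applied, as the thread establishes, the patch description should state that dependency so that reviewers test with both patches applied. Style-wise the two branches differ only in the argument, so a single call with `None if self.same_file else self.profile.aa[program][hat]['capability']` would make the intent obvious.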
With patch 43, aa-cleanprof shrinks the profile to

/usr/bin/echo {
  audit deny capability chown,
  deny capability dac_override,
  audit capability,
}

Regards,

Christian Boltz

[1] all pending patches means:
30-logparser-change-mask-only-for-path-events.diff
31-enable-testloops-for-nosetests.diff
33-fix-add-to-variable-and-add-tests.diff
35-fix-serialize_profile_from_old_profiles-variable-add.diff
36-fix-crash-in-serialize_profile_from_old_profiles.diff
39-aatest-maxdiff.diff
41-add-baserule-tests.diff
42-in-profile-deduplication.diff
43-cleanprof-do-in-profile-run.diff

-- 
thanks to my versionitis I've long been using 10.1 ;-)
I played that little game too - from 6.0 to 9.3. Enough is enough, after all you're supposed to get work done with the thing.
Working doesn't need an unsupported Supplementary!
[Christian Boltz, Christian Lepper and Marcus Meissner in suse-laptop]
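How the in-profile pass behaves on the usr.bin.echo profile from this thread, as an added example that is not the AppArmor utils' code: CapabilityRule, remove_duplicate_rules() (mirroring the same_file branch of the cleanprofile hunk), the coverage rule that an audit rule covers its non-audit twin but not the reverse, and the constructed ECHO_PROFILE copy are this example's own assumptions. Kept rules come out in their original order rather than sorted the way aa-cleanprof prints them.

```python
import re

# [audit] [allow|deny] capability [cap ...] , [# comment]   (hypothetical regex, not the project's)
RE_CAPABILITY = re.compile(
    r'^\s*(?:(?P<audit>audit)\s+)?(?:(?P<allowdeny>allow|deny)\s+)?'
    r'capability(?P<caps>(?:\s+[a-z0-9_]+)*)\s*,\s*(?P<comment>#.*)?$')


class CapabilityRule(object):
    def __init__(self, capabilities, audit=False, deny=False, comment=''):
        self.capabilities = frozenset(capabilities)   # empty == bare 'capability,' == all of them
        self.all_caps = not self.capabilities
        self.audit, self.deny, self.comment = audit, deny, comment

    @classmethod
    def parse(cls, line):
        '''Return a rule, or None when the line is not a capability rule (kept verbatim by the caller).'''
        m = RE_CAPABILITY.match(line)
        if not m:
            return None
        return cls(m.group('caps').split(), audit=m.group('audit') is not None,
                   deny=m.group('allowdeny') == 'deny', comment=m.group('comment') or '')

    def is_covered(self, other):
        '''Coverage as the thread's result implies: allow and deny never cover each other;
        an audit rule covers its non-audit twin, but a non-audit rule never covers an audit one.'''
        if self.deny != other.deny or (other.audit and not self.audit):
            return False
        return self.all_caps or (not other.all_caps and other.capabilities <= self.capabilities)

    def get_clean(self):
        parts = (['audit'] if self.audit else []) + (['deny'] if self.deny else []) + ['capability']
        parts += sorted(self.capabilities)
        return ' '.join(parts) + ',' + (' ' + self.comment if self.comment else '')


def delete_duplicates(rules):
    '''The in-profile pass (delete_duplicates(None) in the thread): drop each rule that another
    rule of the same profile covers; of two identical rules the first one survives.'''
    kept = []
    for i, rule in enumerate(rules):
        by_kept = any(k.is_covered(rule) for k in kept)
        by_broader_later = any(r.is_covered(rule) and not rule.is_covered(r) for r in rules[i + 1:])
        if not (by_kept or by_broader_later):
            kept.append(rule)
    return kept


def remove_duplicate_rules(profile_rules, other_rules, same_file):
    '''Mirror of the cleanprofile hunk: comparing two files drops the profile's rules that the
    other file already covers; with same_file=True (aa-cleanprof) the in-profile pass runs
    instead of no de-duplication at all, which is what patch 43 changes.'''
    if same_file:
        return delete_duplicates(profile_rules)
    return [r for r in profile_rules if not any(o.is_covered(r) for o in other_rules)]


# Constructed copy of the usr.bin.echo test profile from the thread.
ECHO_PROFILE = '''
/usr/bin/echo {
  audit capability chown, # drop (1)
  capability dac_override, # drop
  deny capability dac_override,
  capability dac_override, # drop
  audit capability chown, # drop (2)
  deny capability chown, # drop
  audit deny capability chown,
  capability, # drop
  audit capability,
}
'''


def clean_profile(profile_text):
    '''Run the in-profile pass over one profile body; returns (rules deleted, cleaned lines).'''
    parsed = [(line, CapabilityRule.parse(line)) for line in profile_text.strip().splitlines()]
    rules = [r for _, r in parsed if r is not None]
    kept = set(id(r) for r in remove_duplicate_rules(rules, [], same_file=True))
    out = []
    for line, rule in parsed:
        if rule is None:
            out.append(line.strip())          # profile header, closing brace, anything else
        elif id(rule) in kept:
            out.append('  ' + rule.get_clean())
    return len(rules) - len(kept), out


if __name__ == '__main__':
    deleted, lines = clean_profile(ECHO_PROFILE)
    print('%d rule(s) dropped' % deleted)
    print('\n'.join(lines))
```

Running it drops the six rules marked `# drop` in the mail and keeps `deny capability dac_override,`, `audit deny capability chown,` and `audit capability,`, which is the same set aa-cleanprof produced with patch 43 applied. The `same_file=False` path shows the other half of the hunk: only rules the second file already covers are removed, so a `deny` rule survives even when the other file has a bare `audit capability,`.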
Re: [apparmor] New LibreOffice Profile
Hello,

On Friday, 10 April 2015, Bryan Quigley wrote:
>> but the excessive variable definition in the soffice.bin profile uncovered a bug in aa-complain ;-)
> Glad I could help :).

;-)

Now you just need to push Steve (or someone else) to review my pending patches, so that the fix for those bugs (yes, plural [1] ;-) can go into bzr ;-)

>> Another interesting discussion point. I'm not a fan of shipping profiles disabled or in complain mode, because it could give users a false sense of feeling protected.
> Agreed, I'm going to approach upstream and see what they say. I don't think it's out of the question to just make a separate package libreoffice-apparmor that turns them on by default.

Yes, that sounds like a good solution.

>> + /home/*/.execooo* mrw, # probably tempfiles, * are 6 random chars
> That's actually been fixed in https://bugs.documentfoundation.org/show_bug.cgi?id=72755

Maybe you should allow it nevertheless to make the profile compatible with the LibreOffice versions people are using currently?

>> BTW: Interestingly, oosplash keeps running all the time (and killing it kills LibreOffice). Should oosplash also have a profile?
> Tried making a simple one for it, mostly it's fine, but I'm leaving the Java part alone.

I tend to want a (child?) profile for the Java stuff, because Java isn't known as the most secure software out there ;-)

My tests with your latest profiles look quite good, but I have some additions nevertheless ;-)

soffice.bin:

+ /home/*/.execooo* mrw, # see above
+ /usr/lib64/libreoffice/program/__pycache__/ ra, # deny?
+ /usr/lib64/libreoffice/share/extensions/lightproof-en/pythonpath/__pycache__/ ra, # deny?
+ /usr/lib64/libreoffice/share/uno_packages/cache/stamp.sys ra, # deny?
+ /usr/share/locale-bundle/*/LC_MESSAGES/bash.mo r,

oosplash:

+ /run/nscd/passwd r, # abstractions/nameservice? Or would that be too permissive?
+ /usr/lib64/libreoffice/ure/bin/javaldx Cx, # seems to be a different path on openSUSE - but gave me a nice child profile ;-)
+ /usr/share/libreoffice/program/intro.png r,
+ /usr/share/libreoffice/program/sofficerc r,
+
+ profile /usr/lib64/libreoffice/ure/bin/javaldx flags=(complain) {
+   #include <abstractions/base>
+
+   /home/*/.config/ r,
+   /home/*/.config/libreoffice/4-suse/user/config/javasettings_Linux_X86_64.xml r, # you'll probably need a different directory name for ubuntu ;-) (hint: 4-suse) and might also want to use a filename like javasettings_Linux_*.xml
+   /run/nscd/passwd r,
+   /usr/ r, # no idea why this and the next one are needed...
+   /usr/lib64/ r,
+   /usr/lib64/libreoffice/ure/bin/javaldx mr,
+
+ }

Regards,

Christian Boltz

[1] patches for bugs uncovered by the LibreOffice profiles:
33-fix-add-to-variable-and-add-tests.diff
35-fix-serialize_profile_from_old_profiles-variable-add.diff
36-fix-crash-in-serialize_profile_from_old_profiles.diff

-- 
If the thing runs Windows CE or Pocket PC 2000, Synce is what you want. It can be found on SourceForge, if I'm not mistaken, and I'm never mistaken when I'm not mistaken.
[Michael Karges in suse-linux]