parser/libapparmor_re/expr-tree.cc | 7 4 3 - 0 !
1 file changed, 4 insertions( ), 3 deletions(-)

 parser: limit the number of passes expr tree simplification does

parser/rc.apparmor.functions | 42 8 34 - 0 !
1 file changed, 8 insertions( ), 34 deletions(-)

 rc.apparmor.functions: drop module loading support

The apparmor kernel "module" has not been a loadable module for more
than a decade, it must be built into the kernel and due configuration
requirements it will never go back to being a loadable module.

Remove the long unfunctioning load_module support from the init script.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/257
Signed-off-by: John Johansen <[email protected]>

changehat/mod_apparmor/mod_apparmor.pod | 2 1 1 - 0 !
parser/Makefile | 6 1 5 - 0 !
parser/apparmor.pod | 2 1 1 - 0 !
parser/apparmor_parser.pod | 4 2 2 - 0 !
parser/parser_include.c | 68 5 63 - 0 !
parser/rc.apparmor.functions | 98 3 95 - 0 !
parser/subdomain.conf | 53 0 53 - 0 !
parser/subdomain.conf.pod | 104 0 104 - 0 !
tests/stress/apparmor/Makefile | 24 24 0 - 0 !
tests/stress/apparmor/change_hat.c | 51 51 0 - 0 !
tests/stress/apparmor/change_hat.profile.pre | 24 24 0 - 0 !
tests/stress/apparmor/child.c | 35 35 0 - 0 !
tests/stress/apparmor/child.profile.pre | 12 12 0 - 0 !
tests/stress/apparmor/kill.sh | 19 19 0 - 0 !
tests/stress/apparmor/open.c | 34 34 0 - 0 !
tests/stress/apparmor/open.profile.pre | 15 15 0 - 0 !
tests/stress/apparmor/s-2.4.20.sh | 18 18 0 - 0 !
tests/stress/apparmor/s.sh | 18 18 0 - 0 !
tests/stress/apparmor/sh.profile.pre | 24 24 0 - 0 !
tests/stress/apparmor/stress.sh | 20 20 0 - 0 !
tests/stress/apparmor/stress.sh-2.4.20 | 18 18 0 - 0 !
tests/stress/apparmor/uservars.inc | 42 42 0 - 0 !
tests/stress/subdomain/Makefile | 24 0 24 - 0 !
tests/stress/subdomain/change_hat.c | 51 0 51 - 0 !
tests/stress/subdomain/change_hat.profile.pre | 24 0 24 - 0 !
tests/stress/subdomain/child.c | 35 0 35 - 0 !
tests/stress/subdomain/child.profile.pre | 12 0 12 - 0 !
tests/stress/subdomain/kill.sh | 20 0 20 - 0 !
tests/stress/subdomain/open.c | 34 0 34 - 0 !
tests/stress/subdomain/open.profile.pre | 15 0 15 - 0 !
tests/stress/subdomain/s-2.4.20.sh | 19 0 19 - 0 !
tests/stress/subdomain/s.sh | 19 0 19 - 0 !
tests/stress/subdomain/sh.profile.pre | 24 0 24 - 0 !
tests/stress/subdomain/stress.sh | 21 0 21 - 0 !
tests/stress/subdomain/stress.sh-2.4.20 | 19 0 19 - 0 !
tests/stress/subdomain/uservars.inc | 42 0 42 - 0 !
utils/apparmor/config.py | 2 1 1 - 0 !
37 files changed, 368 insertions( ), 684 deletions(-)

 remove subdomainfs support

It has been over 10 years since transition from subdomainfs to
using securityfs. Lets drop this deprecated code.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/258
Signed-off-by: John Johansen <[email protected]>

parser/rc.apparmor.functions | 2 0 2 - 0 !
1 file changed, 2 deletions(-)

 remove traces of aa-eventd

aa-eventd and its initscripts have been moved to deprecated/ in 2014 and
didn't get any serious updates for several more years, so it's most
probably useless and/or broken nowadays.

This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE
variables in rc.apparmor.functions anymore.

parser/rc.apparmor.functions | 2 0 2 - 0 !
1 file changed, 2 deletions(-)

 drop apparmor_enable_aaeventd

This is another trace of aa-eventd which is deprecated since years.

parser/rc.apparmor.functions | 217 125 92 - 0 !
1 file changed, 125 insertions( ), 92 deletions(-)

 make rc.apparmor.functions suitable for debian and ubuntu

profiles/apparmor.d/tunables/share | 6 3 3 - 0 !
1 file changed, 3 insertions( ), 3 deletions(-)

 make tunables/share play well with aliases.
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

This reverts commit aa3022208f539978f137c918ede01c80cacd8567.

Space-separated list of values don't play well with aliases.
For example, in Tails, despite this alias rule:

  alias / -> /lib/live/mount/rootfs/*.squashfs/,

 the Tor Browser profile denies access to
/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/mime.cache, which
should be equivalent to /usr/share/mime/mime.cache. That's fixed by using
alternations instead; too bad they're less readable.

Possibly related:
https://bugs.launchpad.net/apparmor/ bug/888077
https://bugs.launchpad.net/apparmor/ bug/1703692
https://bugs.launchpad.net/apparmor/ bug/1703692

Cherry-picked from master branch: a91d199ab1da3004cf3744d7087a32c91097a16e.

profiles/apparmor.d/abstractions/mesa | 1 1 0 - 0 !
1 file changed, 1 insertion( )

 mesa: allow reading drirc.d

profiles/apparmor.d/abstractions/dri-common | 1 1 0 - 0 !
profiles/apparmor.d/abstractions/mesa | 1 0 1 - 0 !
2 files changed, 1 insertion( ), 1 deletion(-)

 move drirc.d access to dri-common abstraction

Commit b5be5964609b4e0927af7c9e4f0276e50ccdc3e3 added ability to read
/usr/share/drirc.d/ directory to mesa abstraction.

This seems to be a mistake, as it was noted that not all GUI
applications, that need access to drirc.d, also need whole mesa-related
rules (including writing caches).

profiles/apparmor.d/abstractions/ssl_certs | 7 4 3 - 0 !
profiles/apparmor.d/abstractions/ssl_keys | 2 1 1 - 0 !
2 files changed, 5 insertions( ), 4 deletions(-)

 support dehydrated default path in debian

profiles/apparmor.d/abstractions/fonts | 4 3 1 - 0 !
1 file changed, 3 insertions( ), 1 deletion(-)

 update font paths

profiles/apparmor.d/usr.sbin.dnsmasq | 2 2 0 - 0 !
1 file changed, 2 insertions( )

 dnsmasq: allow peer=libvirtd to support named profile

profiles/apparmor.d/abstractions/audio | 1 1 0 - 0 !
1 file changed, 1 insertion( )

 audio: fix alsa settings access

profiles/apparmor.d/abstractions/audio | 1 1 0 - 0 !
1 file changed, 1 insertion( )

 audio abstraction: grant read access to the system-wide asound.conf.

Bug-Debian: https://bugs.debian.org/920669

profiles/apparmor.d/abstractions/audio | 4 4 0 - 0 !
1 file changed, 4 insertions( )

 audio abstraction: grant read access to the libao configuration
 files.

Bug-Debian: https://bugs.debian.org/920670

profiles/apparmor.d/abstractions/kde | 8 8 0 - 0 !
1 file changed, 8 insertions( )

 update kde abstraction for common settings

Add rules to allow reading common KDE-specific settings, used mostly by
native KDE file dialog.

profiles/apparmor.d/abstractions/kde | 2 2 0 - 0 !
1 file changed, 2 insertions( )

 kde: fix global settings access for kubuntu and opensuse

On Kubuntu, these denies are being produced:
```
type=AVC msg=audit(1549301888.419:91): apparmor="DENIED" operation="open"
profile="qtox"
name="/usr/share/kubuntu-default-settings/kf5-settings/kdeglobals" pid=1603
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1549301964.008:126): apparmor="DENIED" operation="open"
profile="qtox" name="/usr/share/kubuntu-default-settings/kf5-settings/breezerc"
pid=1822 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1549302031.194:155): apparmor="DENIED" operation="open"
profile="qtox"
name="/usr/share/kubuntu-default-settings/kf5-settings/baloofilerc" pid=1899
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Meanwhile, on openSUSE:
```
type=AVC msg=audit(1549302286.921:205): apparmor="DENIED" operation="open" profile="qtox" name="/etc/xdg/kdeglobals" pid=12781 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Add read only rules for allowing access to global KDE settings.

profiles/apparmor.d/abstractions/vulkan | 1 1 0 - 0 !
1 file changed, 1 insertion( )

 vulkan: allow reading /etc/vulkan/icd.d/

See merge request apparmor/apparmor!329

tests/regression/apparmor/mkprofile.pl | 4 2 2 - 0 !
tests/regression/apparmor/ptrace.sh | 21 12 9 - 0 !
tests/regression/apparmor/ptrace_v5.inc | 118 59 59 - 0 !
tests/regression/apparmor/ptrace_v6.inc | 488 244 244 - 0 !
utils/test/fake_ldd | 2 1 1 - 0 !
utils/test/test-aa.py | 10 5 5 - 0 !
6 files changed, 323 insertions( ), 320 deletions(-)

 usr merge fixups

Debian and Ubuntu have releases coming out with usr-merge in place. For
these systems, /bin and /sbin are symlinks to their respective /usr
directories. This breaks a few tests in the python utils and in the
regression tests. This patch series fixes them, mostly by performing
realpath() calls when necessary. For the ptrace regression test,
it copies the called /bin/true binary into the created temporary
directory and executes it from there. (Good for other reasons, too.)

(cherry picked from commit b4ab8476e4721b922d2de193b9203bba0c192bf9)
Signed-off-by: Steve Beattie <[email protected]>

parser/parser.h | 14 12 2 - 0 !
parser/parser_main.c | 57 42 15 - 0 !
2 files changed, 54 insertions( ), 17 deletions(-)

 parser: fix parser failing to handle errors when setting up work

The parser is not correctly handling some error conditions when
dealing with work units. Failure to spawn work, access files, etc
should be returned where appropriate, and be able to abort processing
if abort_on_error is set.

In addition some errors are leading to a direct exit without checking
for abort_on_error.

BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294

Signed-off-by: John Johansen <[email protected]>

profiles/apparmor.d/tunables/share | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 tunables/share: fix buggy syntax that broke the ~/.local/share part
 of the @{user_share_dirs} tunable

Fixes regression introduced in a91d199ab1da3004cf3744d7087a32c91097a16e.

Bug: https://bugs.launchpad.net/apparmor/ bug/1816470
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920833, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921888

libraries/libapparmor/src/private.c | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 library: fix segfault in overlaydirat_for_each

(cherry picked from commit abbca9435f4ca427f73176e2dd2500819e491662)
Signed-off-by: John Johansen <[email protected]>

libraries/libapparmor/src/private.c | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 libapparmor: fix segfault when loading policy cache files

qsort()'s _size_ parameter is used to indicate the size of the elements
in the _base_ array parameter. Adjust the third argument to qsort() to
indicate that we're dealing with an array of struct dirent pointers
rather than an array of struct dirent.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit 8b218718204062efa2dd093d95d2b05e0d722f92)
Signed-off-by: Tyler Hicks <[email protected]>
Signed-off-by: John Johansen <[email protected]>

profiles/apparmor.d/abstractions/base | 10 4 6 - 0 !
1 file changed, 4 insertions( ), 6 deletions(-)

 base abstraction: allow mr on *.so* in common library paths.
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

For example, VirtualBox guests have /usr/lib/VBoxOGL.so.

Without this changes, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and display:

  ImportError: libGL.so.1: failed to map segment from shared object

 and the system logs have:

  apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.

So let's not assume all libraries have a name that starts with "lib".

PR: https://gitlab.com/apparmor/apparmor/merge_requests/345
(cherry picked from commit 5cbb7df95ef241725b327bccfb5aa21f8be14695)
Signed-off-by: John Johansen <[email protected]>

utils/test/test-aa.py | 4 2 2 - 0 !
1 file changed, 2 insertions( ), 2 deletions(-)

 adjust tests to match base abstraction update.

Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.

(cherry picked from commit 0170e98f9c7342a614bbda5ce9e64a1444f47413)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Signed-off-by: John Johansen <[email protected]>

profiles/apparmor/profiles/extras/usr.sbin.lighttpd | 10 10 0 - 0 !
1 file changed, 10 insertions( )

 add entries for lighttpd to work in a debian/ubuntu install

libraries/libapparmor/swig/python/Makefile.am | 2 1 1 - 0 !
utils/Makefile | 2 1 1 - 0 !
2 files changed, 2 insertions( ), 2 deletions(-)

 always install python modules in the proper location when creating

deb files

profiles/apparmor.d/abstractions/base | 1 1 0 - 0 !
profiles/apparmor.d/abstractions/ubuntu-browsers.d/java | 2 2 0 - 0 !
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 1 1 0 - 0 !
3 files changed, 4 insertions( )

 allow reading time configuration from /etc/writable,
 as we have it on the phone.

profiles/apparmor.d/abstractions/ibus | 4 4 0 - 0 !
1 file changed, 4 insertions( )

 allow access to the ubuntu-specific path for ibus-daemon

im-config, in Ubuntu, was modified to start the ibus-daemon with the
"--address 'unix:tmpdir=/tmp/ibus'" command line option. It previously
used a UNIX domain socket path that was indistinguishable from the
session bus daemon's path. This patch adjusts the ibus abstraction so
that access to the new path can be granted to confined ibus-daemon
client applications.
Bug-Ubuntu: https://launchpad.net/bugs/1580463

common/Make.rules | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 allow parser to build even when not on linux.

parser/rc.apparmor.functions | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 enable writing cache.

parser/apparmor.systemd | 14 14 0 - 0 !
1 file changed, 14 insertions( )

 make the systemd unit a no-op in containers with no internal policy.

profiles/apparmor.d/usr.sbin.dnsmasq | 6 3 3 - 0 !
1 file changed, 3 insertions( ), 3 deletions(-)

 dnsmasq: revert own profile name and libvirt's.

The libvirtd profile expects the dnsmasq one to be called /usr/sbin/dnsmasq,
let's revert to this for now. Symmetrically, the libvirtd profile is called

profiles/apparmor.d/usr.sbin.smbd | 4 4 0 - 0 !
1 file changed, 4 insertions( )

 smbd: include snippet generated at runtime

parser/parser.conf | 4 4 0 - 0 !
1 file changed, 4 insertions( )

 pin the apparmor feature set to the one shipped by the apparmor
 package

Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
policy in a relaxed manner.
Bug-Debian: https://bugs.debian.org/879584 

utils/notify.conf | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 aa-notify: point to debian documentation

parser/apparmor.d.pod | 12 12 0 - 0 !
1 file changed, 12 insertions( )

 document which apparmor features are not supported on debian

Bug-Debian: https://bugs.debian.org/807369