apparmor/profiles/apparmor.d/tunables/global

# ------------------------------------------------------------------
#
#    Copyright (C) 2006-2009 Novell/SUSE
#    Copyright (C) 2010-2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# All the tunables definitions that should be available to every profile
# should be included here

include <tunables/home>
include <tunables/multiarch>
include <tunables/proc>
include <tunables/alias>
include <tunables/kernelvars>
include <tunables/xdg-user-dirs>
include <tunables/share>
include <tunables/etc>
include <tunables/run>
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`# ------------------------------------------------------------------`
			`#`
add commented, but blank tunables/alias profiles/apparmor.d/tunables/global: include tunables/alias parser/apparmor.d.pod: add alias rules and home.d. clean up HOMEDIRS 2010-01-11 14:19:35 -06:00			`# Copyright (C) 2006-2009 Novell/SUSE`
= Background = The xdg-user-dirs specification[1] allows for translatable and movable common directories. While this may be beneficial for users who for example want to have ~/Pictures translated into their own language, this flexibility provides challenges for AppArmor. Untranslated xdg user directories are typically (see ~/.config/user-dirs.dirs): XDG_DESKTOP_DIR="$HOME/Desktop" XDG_DOWNLOAD_DIR="$HOME/Downloads" XDG_TEMPLATES_DIR="$HOME/Templates" XDG_PUBLICSHARE_DIR="$HOME/Public" XDG_DOCUMENTS_DIR="$HOME/Documents" XDG_MUSIC_DIR="$HOME/Music" XDG_PICTURES_DIR="$HOME/Pictures" XDG_VIDEOS_DIR="$HOME/Videos" On an Ubuntu system with the fr_CA locale installed, these become: XDG_DESKTOP_DIR="$HOME/Desktop" XDG_DOWNLOAD_DIR="$HOME/Téléchargements" XDG_TEMPLATES_DIR="$HOME/Templates" XDG_PUBLICSHARE_DIR="$HOME/Public" XDG_DOCUMENTS_DIR="$HOME/Documents" XDG_MUSIC_DIR="$HOME/Musique" XDG_PICTURES_DIR="$HOME/Images" XDG_VIDEOS_DIR="$HOME/Vidéos" While the kernel and AppArmor parser handle these translations fine, the profiles do not. As an upstream, we can vastly improve the situation by simply creating the xdg-user-dirs tunable using the default 'C' xdg-user-dirs values: $ cat /etc/apparmor.d/tunables/xdg-user-dirs @{XDG_DESKTOP_DIR}=Desktop @{XDG_DOWNLOAD_DIR}=Downloads @{XDG_TEMPLATES_DIR}=Templates @{XDG_PUBLICSHARE_DIR}=Public @{XDG_DOCUMENTS_DIR}=Documents @{XDG_MUSIC_DIR}=Music @{XDG_PICTURES_DIR}=Pictures @{XDG_VIDEOS_DIR}=Videos # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # to the various XDG directories #include <tunables/xdg-user-dirs.d> and then create the /etc/apparmor.d/tunables/xdg-user-dirs.d directory. With that alone, we can start using rules like this in policy: owner @{HOME}/@{XDG_MUSIC_DIR}/** r, and users/admins can adjust /etc/apparmor.d/tunables/xdg-user-dirs or drop files into /etc/apparmor.d/tunables/xdg-user-dirs.d, providing a welcome convenience. This of course doesn't solve everything. Because users can modify their ~/.config/user-dirs.dirs file at will and have it point anywhere, so we can't examine those files and do anything automatic there (when we have user policy we can revisit this). This patch handles translations well though since use of translations for these directories happens outside of the user's control. Users who modify ~/.config/user-dirs.dirs can update policy like they need to now (ie, this patch doesn't change anything for them). [0] https://lists.ubuntu.com/archives/apparmor/2013-August/004183.html [1] http://freedesktop.org/wiki/Software/xdg-user-dirs/ This patch adds basic support for XDG user dirs: 1. Update profiles/apparmor.d/tunables/global to include xdg-user-dirs. 2. Create the xdg-user-dirs tunable using the default 'C' xdg-user-dirs values and includes tunables/xdg-user-dirs.d 3. Add profiles/apparmor.d/tunables/xdg-user-dirs.d/site.local with commented out examples on how to use the directory. Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-By: Christian Boltz <apparmor@cboltz.de> 2014-02-14 16:24:52 -06:00			`# Copyright (C) 2010-2014 Canonical Ltd.`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

			`# All the tunables definitions that should be available to every profile`
			`# should be included here`

Change `#include` to `include` in abstractions and tunables 2020-06-09 23:28:41 +02:00			`include <tunables/home>`
			`include <tunables/multiarch>`
			`include <tunables/proc>`
			`include <tunables/alias>`
			`include <tunables/kernelvars>`
			`include <tunables/xdg-user-dirs>`
			`include <tunables/share>`
Introduce tunables/etc with @{etc_ro} and @{etc_rw} This helps to adjust profiles in a readable way for https://en.opensuse.org/openSUSE:Packaging_UsrEtc and similar initiatives. 2020-07-23 20:37:51 +02:00			`include <tunables/etc>`
Change `#include` to `include` in abstractions and tunables 2020-06-09 23:28:41 +02:00			`include <tunables/run>`