From fc03b984bdb38c2911a395cf19abc80eadbc5269 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:21:31 -0700
Subject: [PATCH 01/12] Cherry-pick r2246 from master.
---
 profiles/apparmor.d/abstractions/python | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/python b/profiles/apparmor.d/abstractions/python
index feb93bcb6..f84512563 100644
--- a/profiles/apparmor.d/abstractions/python
+++ b/profiles/apparmor.d/abstractions/python
@@ -13,10 +13,12 @@
 /usr/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
 /usr/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
 /usr/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python3.3/lib-dynload/*.so mr,
 /usr/local/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
 /usr/local/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
 /usr/local/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python3.3/lib-dynload/*.so mr,
 # Site-wide configuration
 /etc/python2.[4567]/** r,
@@ -26,6 +28,7 @@
 /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
 /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
 /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
+ /usr/lib/python3/dist-packages/**.so mr,
 # wx paths
 /usr/lib/wx/python/*.pth r,
From 793013c3ce95f4e398a9d2df2cc5297178695949 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:21:54 -0700
Subject: [PATCH 02/12] Cherry-pick r2369 from master.
---
 profiles/apparmor.d/abstractions/python | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/python b/profiles/apparmor.d/abstractions/python
index f84512563..6454c529c 100644
--- a/profiles/apparmor.d/abstractions/python
+++ b/profiles/apparmor.d/abstractions/python
@@ -13,12 +13,12 @@
 /usr/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
 /usr/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
 /usr/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
- /usr/lib{,32,64}/python3.3/lib-dynload/*.so mr,
+ /usr/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
 /usr/local/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
 /usr/local/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
 /usr/local/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
- /usr/local/lib{,32,64}/python3.3/lib-dynload/*.so mr,
+ /usr/local/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
 # Site-wide configuration
 /etc/python2.[4567]/** r,
From 97f6d4f52e577b327d34a6b782d8fb165146dbf6 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:24:07 -0700
Subject: [PATCH 03/12] Cherry-pick r2522 from master.
---
 profiles/apparmor.d/abstractions/python | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/python b/profiles/apparmor.d/abstractions/python
index 6454c529c..b528f989f 100644
--- a/profiles/apparmor.d/abstractions/python
+++ b/profiles/apparmor.d/abstractions/python
@@ -10,18 +10,18 @@
 #
 # ------------------------------------------------------------------
- /usr/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
- /usr/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
- /usr/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
- /usr/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{pyc,so} mr,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{egg,py,pth} r,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-4]}/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python3.[0-4]/lib-dynload/*.so mr,
- /usr/local/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
- /usr/local/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
- /usr/local/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
- /usr/local/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
+ /usr/local/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{pyc,so} mr,
+ /usr/local/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{egg,py,pth} r,
+ /usr/local/lib{,32,64}/python{2.[4-7],3.[0-4]}/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python3.[0-4]/lib-dynload/*.so mr,
 # Site-wide configuration
- /etc/python2.[4567]/** r,
+ /etc/python{2.[4-7],3.[0-4]}/** r,
 # shared python paths
 /usr/share/{pyshared,pycentral,python-support}/** r,
@@ -34,7 +34,4 @@
 /usr/lib/wx/python/*.pth r,
 # python build configuration and headers
- /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
-
- # python setup script used by apport
- /etc/python{2,3}.[0-7]*/sitecustomize.py r,
+ /usr/include/python{2.[4-7],3.[0-4]}*/pyconfig.h r,
From a591cf73b173088df0d0159b5e9449c8d430bfbd Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:32:03 -0700
Subject: [PATCH 04/12] Cherry-pick r2590 from master.
---
 profiles/apparmor.d/abstractions/perl | 6 ++++--
 utils/logprof.conf | 2 ++
 utils/severity.db | 3 +++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/perl b/profiles/apparmor.d/abstractions/perl
index d429e726f..3838935d9 100644
--- a/profiles/apparmor.d/abstractions/perl
+++ b/profiles/apparmor.d/abstractions/perl
@@ -13,8 +13,10 @@
 /usr/bin/perl rmix,
 /usr/bin/perl[0-9].[0-9].[0-9] rmix,
- /usr/lib{,32,64}/perl5/** r,
- /usr/lib{,32,64}/perl{,5}/**.so* mr,
+ /usr/lib{,32,64}/perl5/** r,
+ /usr/lib{,32,64}/perl{,5}/**.so* mr,
+ /usr/lib/@{multiarch}/perl/** r,
+ /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
 /usr/share/perl/** r,
 /usr/share/perl5/** r,
diff --git a/utils/logprof.conf b/utils/logprof.conf
index e073eb70a..47ad56303 100644
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 # Copyright (C) 2004-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -105,6 +106,7 @@
 # if they use any perl modules, grant access to all
 ^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
+ ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
 # locale foo
 ^/usr/lib/locale/.+$ = /usr/lib/locale/**
diff --git a/utils/severity.db b/utils/severity.db
index 7fd62f445..3c0284004 100644
--- a/utils/severity.db
+++ b/utils/severity.db
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 # Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -231,6 +232,8 @@
 /usr/lib/lib*so* 3 8 4
 /usr/lib/iptables/* 2 8 2
 /usr/lib/perl5/** 4 10 6
+/usr/lib/*/perl/** 4 10 6
+/usr/lib/*/perl5/** 4 10 6
 /usr/lib/gconv/* 4 7 4
 /usr/lib/locale/** 4 8 0
 /usr/lib/jvm/** 5 7 5
From e579d939cef309675fd6fe065009c2366f922389 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:32:57 -0700
Subject: [PATCH 05/12] Cherry-pick r2593 from master.
---
 profiles/apparmor.d/abstractions/perl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/abstractions/perl b/profiles/apparmor.d/abstractions/perl
index 3838935d9..e53200609 100644
--- a/profiles/apparmor.d/abstractions/perl
+++ b/profiles/apparmor.d/abstractions/perl
@@ -15,7 +15,7 @@
 /usr/lib{,32,64}/perl5/** r,
 /usr/lib{,32,64}/perl{,5}/**.so* mr,
- /usr/lib/@{multiarch}/perl/** r,
+ /usr/lib/@{multiarch}/perl{,5}/** r,
 /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
 /usr/share/perl/** r,
From 3b1b013fc88bba5ea35c5ed63ecc10caaa7f4251 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:33:36 -0700
Subject: [PATCH 06/12] Cherry-pick r2294 from master.
---
 profiles/apparmor.d/abstractions/openssl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/apparmor.d/abstractions/openssl b/profiles/apparmor.d/abstractions/openssl
index 0b8a8b5af..697da7aeb 100644
--- a/profiles/apparmor.d/abstractions/openssl
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -10,4 +10,5 @@
 /etc/ssl/openssl.cnf r,
 /usr/share/ssl/openssl.cnf r,
+ @{PROC}/sys/crypto/fips_enabled r,
From 7566f992dd83d97be8540d28d5ad0a4837a73fb0 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:34:21 -0700
Subject: [PATCH 07/12] Cherry-pick r2353 from master.
---
 profiles/apparmor.d/abstractions/nameservice | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index 8fc611af3..c06568ccc 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -50,7 +50,7 @@
 /etc/default/nss r,
 # avahi-daemon is used for mdns4 resolution
- /{,var/}run/avahi-daemon/socket w,
+ /{,var/}run/avahi-daemon/socket rw,
 # nis
 #include
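Review bot: The nameservice hunk of PATCH 07/12 widens `/{,var/}run/avahi-daemon/socket` from `w` to `rw` without recording why, and because this is a shared abstraction every profile that includes it gains the extra permission. The existing comment above the rule is the natural place for the reason; if the point is that the mdns4 client has to read the reply as well as send the request, something like `# avahi-daemon is used for mdns4 resolution; the client reads replies from the socket, hence rw` would do. If read access is only required on some kernel or AppArmor versions, that condition should be stated there too.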
From 53fce179d9886d5bd57b2f55149e5cb7813af0eb Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:37:02 -0700
Subject: [PATCH 08/12] Cherry-pick r2592 from master.
---
 profiles/apparmor.d/abstractions/nameservice | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index c06568ccc..b7b19d64f 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -21,6 +21,11 @@
 /etc/passwd r,
 /etc/protocols r,
+ # When using libnss-extrausers, the passwd and group files are merged from
+ # an alternate path
+ /var/lib/extrausers/group r,
+ /var/lib/extrausers/passwd r,
+
 /etc/resolv.conf r,
 # on systems using resolvconf, /etc/resolv.conf is a symlink to
 # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
From 95368e8fd066b35ec690a2d683b14b0b243b1652 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:37:27 -0700
Subject: [PATCH 09/12] Cherry-pick r2506 from master.
---
 profiles/apparmor.d/abstractions/mysql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/mysql b/profiles/apparmor.d/abstractions/mysql
index 96c913fcb..fed759bb0 100644
--- a/profiles/apparmor.d/abstractions/mysql
+++ b/profiles/apparmor.d/abstractions/mysql
@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
- /var/lib/mysql/mysql.sock rw,
- /{var/,}run/mysql/mysql.sock rw,
+ /var/lib/mysql{,d}/mysql{,d}.sock rw,
+ /{var/,}run/mysql{,d}/mysql{,d}.sock rw,
 /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
 /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
From 2ace7d9dfa6eeec04b7580b89f9f437070677266 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:37:53 -0700
Subject: [PATCH 10/12] Cherry-pick r2610 from master.
---
 profiles/apparmor.d/abstractions/kde | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/apparmor.d/abstractions/kde b/profiles/apparmor.d/abstractions/kde
index 00119b350..d98751f53 100644
--- a/profiles/apparmor.d/abstractions/kde
+++ b/profiles/apparmor.d/abstractions/kde
@@ -22,6 +22,7 @@
 /etc/kderc r,
 /etc/kde3/* r,
 /etc/kde4rc r,
+/etc/xdg/Trolltech.conf r,
 @{HOME}/.DCOPserver_* r,
 @{HOME}/.ICEauthority r,
From 90bcee0f236c1175d3d7b3f454e8db130a43b10a Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 10 Sep 2014 17:40:14 -0700
Subject: [PATCH 11/12] Cherry-pick r2387 from master.
---
 .../apparmor.d/abstractions/freedesktop.org | 1 +
 profiles/apparmor.d/abstractions/gnome | 2 ++
 profiles/apparmor.d/abstractions/python | 20 +++++++++----------
 3 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/freedesktop.org b/profiles/apparmor.d/abstractions/freedesktop.org
index 4533f11d4..ae5b78e5f 100644
--- a/profiles/apparmor.d/abstractions/freedesktop.org
+++ b/profiles/apparmor.d/abstractions/freedesktop.org
@@ -30,6 +30,7 @@
 owner @{HOME}/.recently-used.xbel* rw,
 owner @{HOME}/.local/share/recently-used.xbel* rw,
 owner @{HOME}/.config/user-dirs.dirs r,
+ owner @{HOME}/.local/share/applications/ r,
 owner @{HOME}/.local/share/applications/*.desktop r,
 owner @{HOME}/.local/share/applications/defaults.list r,
 owner @{HOME}/.local/share/applications/mimeapps.list r,
diff --git a/profiles/apparmor.d/abstractions/gnome b/profiles/apparmor.d/abstractions/gnome
index 995d9c13b..3e2087e03 100644
--- a/profiles/apparmor.d/abstractions/gnome
+++ b/profiles/apparmor.d/abstractions/gnome
@@ -21,6 +21,7 @@
 /etc/gtk/* r,
 /usr/lib{,32,64}/gtk/** mr,
 /usr/lib/@{multiarch}/gtk/** mr,
+ /usr/share/themes/ r,
 /usr/share/themes/** r,
 # for gnome 1 applications
@@ -82,4 +83,5 @@
 # mime-types
 /etc/gnome/defaults.list r,
+ /usr/share/gnome/applications/ r,
 /usr/share/gnome/applications/mimeinfo.cache r,
diff --git a/profiles/apparmor.d/abstractions/python b/profiles/apparmor.d/abstractions/python
index b528f989f..f47899551 100644
--- a/profiles/apparmor.d/abstractions/python
+++ b/profiles/apparmor.d/abstractions/python
@@ -10,18 +10,18 @@
 #
 # ------------------------------------------------------------------
- /usr/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{pyc,so} mr,
- /usr/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{egg,py,pth} r,
- /usr/lib{,32,64}/python{2.[4-7],3.[0-4]}/{site,dist}-packages/ r,
- /usr/lib{,32,64}/python3.[0-4]/lib-dynload/*.so mr,
+ /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mr,
+ /usr/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth} r,
+ /usr/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
- /usr/local/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{pyc,so} mr,
- /usr/local/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{egg,py,pth} r,
- /usr/local/lib{,32,64}/python{2.[4-7],3.[0-4]}/{site,dist}-packages/ r,
- /usr/local/lib{,32,64}/python3.[0-4]/lib-dynload/*.so mr,
+ /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mr,
+ /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth} r,
+ /usr/local/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
 # Site-wide configuration
- /etc/python{2.[4-7],3.[0-4]}/** r,
+ /etc/python{2,3}.[34567]/** r,
 # shared python paths
 /usr/share/{pyshared,pycentral,python-support}/** r,
@@ -34,4 +34,4 @@
 /usr/lib/wx/python/*.pth r,
 # python build configuration and headers
- /usr/include/python{2.[4-7],3.[0-4]}*/pyconfig.h r,
+ /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
From 770746a32025e7819b498debababb0e864f3170a Mon Sep 17 00:00:00 2001
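Review bot: The abstractions/python hunks of PATCH 11/12 undo the version patterns that PATCH 03/12 (r2522) set earlier in this series: `python{2.[4-7],3.[0-4]}` goes back to `python{2,3}.[34567]`, lib-dynload narrows from `3.[0-4]` to `3.[234]`, and the pyconfig.h rule returns to `python{2,3}.[0-7]*`. r2387 has a lower revision number than r2522, so applying it afterwards presumably replays an older state of the file; the result no longer matches python3.0–3.2 trees and newly matches python2.3 and python3.5–3.7, which PATCH 03 had excluded. Either drop the python hunks from this cherry-pick or keep the r2522 form, e.g. `/usr/lib{,32,64}/python{2.[4-7],3.[0-4]}/**.{pyc,so} mr,`, so the confinement matches the later revision. The freedesktop.org and gnome directory-read additions in the same patch are not affected.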
From: intrigeri
Date: Wed, 10 Sep 2014 17:41:44 -0700
Subject: [PATCH 12/12] Cherry-pick r2671 from master.
---
 profiles/apparmor.d/abstractions/audio | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/audio b/profiles/apparmor.d/abstractions/audio
index f0c1923ca..e0e8342c2 100644
--- a/profiles/apparmor.d/abstractions/audio
+++ b/profiles/apparmor.d/abstractions/audio
@@ -68,3 +68,6 @@ owner /tmp/pulse-*/* rw,
 # openal
 /etc/openal/alsoft.conf r,
 owner @{HOME}/.alsoftrc r,
+
+# wildmidi
+/etc/wildmidi/wildmidi.cfg r,