Merge changes from trunk -- almost entirely additions to abstractions, a

perl multiarch change to logprof.conf and new perl severity entries.

  intrigeri@boum.org 2014-09-10 Cherry-pick r2671 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2387 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2610 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2506 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2592 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2353 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2294 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2593 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2590 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2522 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2369 from master.
    intrigeri@boum.org 2014-09-10 Cherry-pick r2246 from master.

profiles/apparmor.d/abstractions/audio

@@ -68,3 +68,6 @@ owner /tmp/pulse-*/* rw,
 # openal
 /etc/openal/alsoft.conf r,
 owner @{HOME}/.alsoftrc r,
+
+# wildmidi
+/etc/wildmidi/wildmidi.cfg r,

profiles/apparmor.d/abstractions/freedesktop.org

@@ -30,6 +30,7 @@
   owner @{HOME}/.recently-used.xbel*    rw,
   owner @{HOME}/.local/share/recently-used.xbel* rw,
   owner @{HOME}/.config/user-dirs.dirs  r,
+  owner @{HOME}/.local/share/applications/               r,
   owner @{HOME}/.local/share/applications/*.desktop      r,
   owner @{HOME}/.local/share/applications/defaults.list  r,
   owner @{HOME}/.local/share/applications/mimeapps.list  r,

profiles/apparmor.d/abstractions/gnome

@@ -21,6 +21,7 @@
   /etc/gtk/*                      r,
   /usr/lib{,32,64}/gtk/**         mr,
   /usr/lib/@{multiarch}/gtk/**    mr,
+  /usr/share/themes/              r,
   /usr/share/themes/**            r,
 
   # for gnome 1 applications
@@ -82,4 +83,5 @@
 
   # mime-types
   /etc/gnome/defaults.list r,
+  /usr/share/gnome/applications/ r,
   /usr/share/gnome/applications/mimeinfo.cache r,

profiles/apparmor.d/abstractions/kde

@@ -22,6 +22,7 @@
 /etc/kderc r,
 /etc/kde3/* r,
 /etc/kde4rc r,
+/etc/xdg/Trolltech.conf r,
 
 @{HOME}/.DCOPserver_* r,
 @{HOME}/.ICEauthority r,

profiles/apparmor.d/abstractions/mysql

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-   /var/lib/mysql/mysql.sock rw,
+   /var/lib/mysql{,d}/mysql{,d}.sock rw,
-   /{var/,}run/mysql/mysql.sock rw,
+   /{var/,}run/mysql{,d}/mysql{,d}.sock rw,
    /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
    /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,

profiles/apparmor.d/abstractions/nameservice

@@ -21,6 +21,11 @@
   /etc/passwd             r,
   /etc/protocols          r,
 
+  # When using libnss-extrausers, the passwd and group files are merged from
+  # an alternate path
+  /var/lib/extrausers/group  r,
+  /var/lib/extrausers/passwd r,
+
   /etc/resolv.conf        r,
   # on systems using resolvconf, /etc/resolv.conf is a symlink to
   # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
@@ -50,7 +55,7 @@
   /etc/default/nss               r,
 
   # avahi-daemon is used for mdns4 resolution
-  /{,var/}run/avahi-daemon/socket w,
+  /{,var/}run/avahi-daemon/socket rw,
 
   # nis
   #include <abstractions/nis>

profiles/apparmor.d/abstractions/openssl

@@ -10,4 +10,5 @@
 
   /etc/ssl/openssl.cnf r,
   /usr/share/ssl/openssl.cnf r,
+  @{PROC}/sys/crypto/fips_enabled r,
 

profiles/apparmor.d/abstractions/perl

@@ -13,8 +13,10 @@
   /usr/bin/perl                  rmix,
   /usr/bin/perl[0-9].[0-9].[0-9] rmix,
 
-  /usr/lib{,32,64}/perl5/**         r,
+  /usr/lib{,32,64}/perl5/**                    r,
-  /usr/lib{,32,64}/perl{,5}/**.so*  mr,
+  /usr/lib{,32,64}/perl{,5}/**.so*             mr,
+  /usr/lib/@{multiarch}/perl{,5}/**            r,
+  /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
 
   /usr/share/perl/**             r,
   /usr/share/perl5/**            r,

profiles/apparmor.d/abstractions/python

@@ -10,28 +10,28 @@
 #
 # ------------------------------------------------------------------
 
-  /usr/lib{,32,64}/python2.[4567]/**.{pyc,so}           mr,
+  /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so}           mr,
-  /usr/lib{,32,64}/python2.[4567]/**.{egg,py,pth}       r,
+  /usr/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth}       r,
-  /usr/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
+  /usr/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
+  /usr/lib{,32,64}/python3.[234]/lib-dynload/*.so            mr,
 
-  /usr/local/lib{,32,64}/python2.[4567]/**.{pyc,so}           mr,
+  /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so}           mr,
-  /usr/local/lib{,32,64}/python2.[4567]/**.{egg,py,pth}       r,
+  /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth}       r,
-  /usr/local/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
+  /usr/local/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
+  /usr/local/lib{,32,64}/python3.[234]/lib-dynload/*.so            mr,
 
   # Site-wide configuration
-  /etc/python2.[4567]/** r,
+  /etc/python{2,3}.[34567]/** r,
 
   # shared python paths
   /usr/share/{pyshared,pycentral,python-support}/**      r,
   /{var,usr}/lib/{pyshared,pycentral,python-support}/**  r,
   /usr/lib/{pyshared,pycentral,python-support}/**.so     mr,
   /var/lib/{pyshared,pycentral,python-support}/**.pyc    mr,
+  /usr/lib/python3/dist-packages/**.so                   mr,
 
   # wx paths
   /usr/lib/wx/python/*.pth r,
 
   # python build configuration and headers
   /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
-
-  # python setup script used by apport
-  /etc/python{2,3}.[0-7]*/sitecustomize.py r,

utils/logprof.conf

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2004-2006 Novell/SUSE
+#    Copyright (C) 2014 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -105,6 +106,7 @@
 
   # if they use any perl modules, grant access to all
   ^/usr/lib/perl5/.+$               = /usr/lib/perl5/**
+  ^/usr/lib/[^\/]+/perl5?/.+$       = /usr/lib/@{multiarch}/perl{,5}/**
 
   # locale foo
   ^/usr/lib/locale/.+$              = /usr/lib/locale/**

utils/severity.db

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2014 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -231,6 +232,8 @@
 /usr/lib/lib*so*	3 8 4
 /usr/lib/iptables/*	2 8 2
 /usr/lib/perl5/**	4 10 6
+/usr/lib/*/perl/**	4 10 6
+/usr/lib/*/perl5/**	4 10 6
 /usr/lib/gconv/*	4 7 4
 /usr/lib/locale/**	4 8 0
 /usr/lib/jvm/**		5 7 5