Merge branch 'base-abstraction-allow-all-libraries' into 'master'

base abstraction: allow mr on *.so* in common library paths. For example, VirtualBox guests have /usr/lib/VBoxOGL.so. Without this changes, in a VirtualBox VM with VBoxVGA graphics, at least one Qt5 application (OnionShare) won't start and display: ImportError: libGL.so.1: failed to map segment from shared object … and the system logs have: apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0 While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled. So let's not assume all libraries have a name that starts with "lib". Bug-Tails: https://redmine.tails.boum.org/code/issues/16414 Candidate for master and 2.13. PR: https://gitlab.com/apparmor/apparmor/merge_requests/345 Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 16:35:02 +01:00 · 2019-03-24 07:04:14 +00:00 · 2019-03-24 07:04:14 +00:00 · 9ba051c6ed
commit 9ba051c6ed
parent 5014f4a99c 5cbb7df95e
1 changed files with 4 additions and 6 deletions
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@ -64,13 +64,11 @@

  # we might as well allow everything to use common libraries
  /{usr/,}lib{,32,64}/**                r,
-  /{usr/,}lib{,32,64}/lib*.so*          mr,
-  /{usr/,}lib{,32,64}/**/lib*.so*       mr,
+  /{usr/,}lib{,32,64}/**.so*       mr,
  /{usr/,}lib/@{multiarch}/**            r,
-  /{usr/,}lib/@{multiarch}/lib*.so*      mr,
-  /{usr/,}lib/@{multiarch}/**/lib*.so*   mr,
-  /{usr/,}lib/tls/i686/{cmov,nosegneg}/lib*.so*    mr,
-  /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so*    mr,
+  /{usr/,}lib/@{multiarch}/**.so*   mr,
+  /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so*    mr,
+  /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so*    mr,

  # /dev/null is pretty harmless and frequently used
  /dev/null                      rw,