Backported merge of various fixes from trunk in preparation for the 2.8.1 release.
In this merge are the following trunk commits:

2050 - parser - network rules debugging statements
2057 - update ubuntu-browsers.d/java for IcedTea 7
2058 - let sanitized-helper also allow access to /usr/local
2059 - ubuntu-integration does not work properly with exo-open
2062 - support alternate ping install location in /usr
2064 - parser - update apparmor_parser man page
2065 - parser - correct apparmor_parser -N command privilege
2066 - parser - *just* the updated caching test message from this commit
2065.1.1 - profiles update fonts abstraction for new fontconfig paths
2065.1.{3,4} - profiles - Gnome applications are now quite interested
       in reading /usr/share/poppler/cMap/**
2069 - profiles - update extras README with mail list info
2074 - tests - fix clone test on arm
2076 - parser tests - fix test driver for exec() failure
2079 - libapparmor - add pkgconfig support
2083 - parser tests - fix fine grained timestamp detection in caching tests
2090 - nvidia abstractions cleanups
2092 - update skype profile
2093 - add XCompose to abstractions/X
2096 - dnsmasq network-manager integration
Steve Beattie 2013-01-04 10:11:00 -08:00
commit e6614df4a5
21 changed files with 339 additions and 88 deletions


@ -10,6 +10,7 @@ AM_INIT_AUTOMAKE(libapparmor1, apparmor_version)
AM_PROG_LEX AM_PROG_LEX
AC_PROG_YACC AC_PROG_YACC
AC_PROG_SED AC_PROG_SED
PKG_PROG_PKG_CONFIG
AC_PATH_PROG([SWIG], [swig]) AC_PATH_PROG([SWIG], [swig])


@ -22,6 +22,7 @@ AA_LIB_CURRENT = 1
AA_LIB_REVISION = 2 AA_LIB_REVISION = 2
AA_LIB_AGE = 0 AA_LIB_AGE = 0
SUFFIXES = .pc.in .pc
BUILT_SOURCES = grammar.h scanner.h af_protos.h BUILT_SOURCES = grammar.h scanner.h af_protos.h
AM_LFLAGS = -v AM_LFLAGS = -v
@ -52,9 +53,18 @@ libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA
libimmunix_la_SOURCES = kernel_interface.c libimmunix_warning.c libimmunix_la_SOURCES = kernel_interface.c libimmunix_warning.c
libimmunix_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -Wl,--version-script=$(top_srcdir)/src/libapparmor.map -Wl,-soname=libimmunix.so.1 libimmunix_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -Wl,--version-script=$(top_srcdir)/src/libapparmor.map -Wl,-soname=libimmunix.so.1
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libapparmor.pc
CLEANFILES = libapparmor.pc
%.pc: %.pc.in $(top_builddir)/config.status
$(AM_V_GEN)cd "$(top_builddir)" && \
$(SHELL) ./config.status --file="src/$@"
tst_aalogmisc_SOURCES = tst_aalogmisc.c tst_aalogmisc_SOURCES = tst_aalogmisc.c
tst_aalogmisc_LDADD = .libs/libapparmor.a tst_aalogmisc_LDADD = .libs/libapparmor.a
check_PROGRAMS = tst_aalogmisc check_PROGRAMS = tst_aalogmisc
TESTS = $(check_PROGRAMS) TESTS = $(check_PROGRAMS)
EXTRA_DIST = grammar.y scanner.l libapparmor.map EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc
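Review bot: The file added to `EXTRA_DIST` at the end of the hunk should be the template, not the generated output: `libapparmor.pc` is listed in the new `CLEANFILES` line and is regenerated by the `%.pc` rule from `config.status`, so a `make dist` would ship a file with the build host's prefix and libdir baked in (or rebuild it just to distribute it), while the template it is made from is never distributed. Change it to `EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc.in`. The `pkgconfig_DATA = libapparmor.pc` line already takes care of building and installing the generated file.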


@ -0,0 +1,10 @@
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@
Name: libapparmor
Description: AppArmor library for for utility functions
Version: @VERSION@
Cflags: -I${includedir}
Libs: -L${libdir} -lapparmor
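Review bot: The Description line has a doubled word: `Description: AppArmor library for for utility functions` should read `Description: AppArmor library for utility functions`. pkg-config prints this string verbatim in `pkg-config --list-all`, so the typo is user-visible. The variable substitutions, `Cflags` and `Libs` lines look consistent with how the Makefile rule generates the file from config.status.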


@ -28,22 +28,99 @@ apparmor_parser - loads AppArmor profiles into the kernel
=head1 SYNOPSIS =head1 SYNOPSIS
B<apparmor_parser [-adrR] [--add] [--debug] [--replace] [--remove] B<apparmor_parser [options] E<lt>commandE<gt> [profile]...>
[--preprocess] [--Include n] [--base n] [ --Complain ]>
B<apparmor_parser [options] E<lt>commandE<gt>>
B<apparmor_parser [-hv] [--help] [--version]> B<apparmor_parser [-hv] [--help] [--version]>
=head1 DESCRIPTION =head1 DESCRIPTION
B<apparmor_parser> is used to import new apparmor.d(5) profiles B<apparmor_parser> is used as a general tool to compile, and manage AppArmor
into the Linux kernel. The profiles restrict the operations available policy, including loading new apparmor.d(5) profiles into the Linux kernel.
to processes by executable name.
AppArmor profiles restrict the operations available to processes.
The profiles are loaded into the Linux kernel by the B<apparmor_parser> The profiles are loaded into the Linux kernel by the B<apparmor_parser>
program, which takes its input from standard input. The input supplied to program, which by default takes its input from standard input. The input
B<apparmor_parser> should be in the format described in apparmor.d(5). supplied to B<apparmor_parser> should be in the format described in
apparmor.d(5).
=head1 OPTIONS =head1 COMMANDS
The command set is broken into four subcategories.
=over 4
=item unprivileged commands
Commands that don't require any privilege and don't operate on profiles.
=item unprivileged profile commands
Commands that operate on a profile either specified on the command line or
read from stdin if no profile was specified.
=item privileged commands
Commands that require the MAC_ADMIN capability within the affected AppArmor
namespace to load policy into the kernel or filesystem write permissions to
update the affected privileged files (cache etc).
=item privileged profile commands
Commands that require privilege and operate on profiles.
=back
=head1 Unprivileged commands
=over 4
=item -V, --version
Print the version number and exit.
=item -h, --help
Give a quick reference guide.
=back
=head1 Unprivileged profile commands
=over 4
=item -N, --names
Produce a list of policies from a given set of profiles (implies -K).
=item -p, --preprocess
Apply preprocessing to the input profile(s) by flattening includes into
the output profile and dump to stdout.
=item -S, --stdout
Writes a binary (cached) profile to stdout (implies -K and -T).
=item -o file, --ofile file
Writes a binary (cached) profile to the specified file (implies -K and -T)
=back
=head1 Privileged commands
=over 4
=item --purge-cache
Unconditionally clear out cached profiles.
=back
=head1 Privileged profile commands
=over 4 =over 4
@ -67,25 +144,22 @@ Note that it still requires a complete AppArmor definition as described
in apparmor.d(5) even though the contents of the definition aren't in apparmor.d(5) even though the contents of the definition aren't
used. used.
=item -C, --Complain =back
For the profile to load in complain mode. =head1 OPTIONS
=over 4
=item -B, --binary =item -B, --binary
Load a binary (cached) profile, as produced with the -S option. Treat the profile files specified on the command line (or stdin if none
specified) as binary cache files, produced with the -S or -o options,
and load to the kernel as specified by -a, -r, and -R (implies -K
and -T).
=item -N, --names =item -C, --Complain
Produce a list of policies from a given set of profiles (implies -K). Force the profile to load in complain mode.
=item -S, --stdout
Writes a binary (cached) profile to stdout (implies -K and -T).
=item -o file, --ofile file
Writes a binary (cached) profile to the specified file (implies -K and -T)
=item -b n, --base n =item -b n, --base n
@ -138,6 +212,11 @@ by default. In cases where abstractions have been changed, and the parser
is running with "--replace", it may make sense to also use is running with "--replace", it may make sense to also use
"--skip-read-cache" with the "--write-cache" option. "--skip-read-cache" with the "--write-cache" option.
=item --skip-bad-cache
Skip updating the cache if it contains cached profiles in a bad or
inconsistent state
=item -L, --cache-loc =item -L, --cache-loc
Set the location of the cache directory. If not specified the cache location Set the location of the cache directory. If not specified the cache location
@ -149,6 +228,9 @@ Perform all actions except the actual loading of a profile into the kernel.
This is useful for testing profile generation, caching, etc, without making This is useful for testing profile generation, caching, etc, without making
changes to the running kernel profiles. changes to the running kernel profiles.
This also removes the need for privilege to execute the commands that
manage policy in the kernel
=item -q, --quiet =item -q, --quiet
Do not report on the profiles as they are loaded, and not show warnings. Do not report on the profiles as they are loaded, and not show warnings.
@ -157,15 +239,6 @@ Do not report on the profiles as they are loaded, and not show warnings.
Report on the profiles as they are loaded, and show warnings. Report on the profiles as they are loaded, and show warnings.
=item -V, --version
Print the version number and exit.
=item -p, --preprocess
Dump the input profile to stdout out applying preprocessing flattening
includes into the output profile.
=item -d, --debug =item -d, --debug
Given once, only checks the profiles to ensure syntactic correctness. Given once, only checks the profiles to ensure syntactic correctness.
@ -198,10 +271,6 @@ of time to complete.
Use --help=optimize to see a full list of which optimization flags are Use --help=optimize to see a full list of which optimization flags are
supported. supported.
=item -h, --help
Give a quick reference guide.
=back =back
=head1 CONFIG FILE =head1 CONFIG FILE


@ -456,8 +456,10 @@ static int process_arg(int c, char *optarg)
skip_cache = 1; skip_cache = 1;
break; break;
case 'N': case 'N':
count++;
names_only = 1; names_only = 1;
skip_cache = 1; skip_cache = 1;
kernel_load = 0;
break; break;
case 'S': case 'S':
count++; count++;
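Review bot: The new `kernel_load = 0;` in `case 'N':` carries no explanation of why listing names must never reach the kernel, which is the whole point of the "-N command privilege" fix this commit describes; a one-liner such as `/* -N only prints profile names: never load into the kernel, so no MAC_ADMIN privilege is needed */` would keep a later maintainer from dropping it as redundant with `skip_cache`. The added `count++` presumably feeds the same conflicting-commands check that the `case 'S':` below already participates in, so it is consistent with its neighbours. The enclosing `process_arg()` switch begins before and ends after this hunk.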


@ -184,7 +184,13 @@ struct network_tuple {
/* used by af_name.h to auto generate table entries for "name", AF_NAME /* used by af_name.h to auto generate table entries for "name", AF_NAME
* pair */ * pair */
#define AA_GEN_NET_ENT(name, AF) {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, {name, AF, "raw", SOCK_RAW, "", 0xffffff}, {name, AF, "packet", SOCK_PACKET, "", 0xffffff}, #define AA_GEN_NET_ENT(name, AF) \
{name, AF, "stream", SOCK_STREAM, "", 0xffffff}, \
{name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, \
{name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, \
{name, AF, "rdm", SOCK_RDM, "", 0xffffff}, \
{name, AF, "raw", SOCK_RAW, "", 0xffffff}, \
{name, AF, "packet", SOCK_PACKET, "", 0xffffff},
/*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */ /*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */
static struct network_tuple network_mappings[] = { static struct network_tuple network_mappings[] = {
@ -936,6 +942,99 @@ void debug_capabilities(struct codomain *cod)
__debug_capabilities(cod->quiet_caps, "Quiet Caps"); __debug_capabilities(cod->quiet_caps, "Quiet Caps");
} }
const char *sock_types[] = {
[0] = "none",
[SOCK_STREAM] = "stream",
[SOCK_DGRAM] = "dgram",
[SOCK_RAW] = "raw",
[SOCK_RDM] = "rdm",
[SOCK_SEQPACKET] = "seqpacket",
[SOCK_PACKET] = "packet",
/*
* See comment above
[SOCK_DCCP] = "dccp",
*/
};
#define ALL_TYPES 0x43e
#undef AA_GEN_NET_ENT
#define AA_GEN_NET_ENT(name, AF) [AF] = name,
static const char *network_families[] = {
#include "af_names.h"
};
void __debug_network(unsigned int *array, const char *name)
{
unsigned int count = sizeof(sock_types)/sizeof(sock_types[0]);
unsigned int mask = ~((1 << count) -1);
unsigned int i, j;
int none = 1;
size_t af_max = get_af_max();
for (i = AF_UNSPEC; i < af_max; i++)
if (array[i]) {
none = 0;
break;
}
if (none)
return;
printf("%s: ", name);
/* This can only be set by an unqualified network rule */
if (array[AF_UNSPEC]) {
printf("<all>\n");
return;
}
for (i = 0; i < af_max; i++) {
if (array[i]) {
const char *fam = network_families[i];
if (fam)
printf("%s ", fam);
else
printf("#%u ", i);
/* All types/protocols */
if (array[i] == 0xffffffff || array[i] == ALL_TYPES)
continue;
printf("{ ");
for (j = 0; j < count; j++) {
const char *type;
if (array[i] & (1 << j)) {
type = sock_types[j];
if (type)
printf("%s ", type);
else
printf("#%u ", j);
}
}
if (array[i] & mask)
printf("#%x ", array[i] & mask);
printf("} ");
}
}
printf("\n");
}
void debug_network(struct codomain *cod)
{
if (cod->network_allowed)
__debug_network(cod->network_allowed, "Network");
if (cod->audit_network)
__debug_network(cod->audit_network, "Audit Net");
if (cod->deny_network)
__debug_network(cod->deny_network, "Deny Net");
if (cod->quiet_network)
__debug_network(cod->quiet_network, "Quiet Net");
}
void debug_cod_list(struct codomain *cod) void debug_cod_list(struct codomain *cod)
{ {
if (cod->namespace) if (cod->namespace)
@ -953,6 +1052,8 @@ void debug_cod_list(struct codomain *cod)
debug_capabilities(cod); debug_capabilities(cod);
debug_network(cod);
if (cod->entries) if (cod->entries)
debug_cod_entries(cod->entries); debug_cod_entries(cod->entries);
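Review bot: `__debug_network()` indexes `network_families[i]` for every `i < af_max`, but `network_families` is sized by the highest `[AF] = name` designator in af_names.h while `af_max` comes from `get_af_max()`, whose definition is outside this hunk; if the runtime value ever exceeds the table size (a kernel that knows an address family newer than the parser's header), the lookup reads past the end of the array, and the `#%u` fallback only covers NULL entries, not out-of-range ones. Bound it: `const char *fam = (i < sizeof(network_families)/sizeof(network_families[0])) ? network_families[i] : NULL;`. Separately, `sock_types[]` has external linkage for no visible reason and should be `static const`, and `#define ALL_TYPES 0x43e` is a hand-computed mask that appears to be every `sock_types[]` bit except index 0; a comment such as `/* stream|dgram|raw|rdm|seqpacket|packet: all sock_types[] entries except "none" */` would make it checkable against the table above it.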


@ -22,15 +22,17 @@ cp caching.profile $basedir/$profile
# Detect and slow down cache test when filesystem can't represent nanosecond delays. # Detect and slow down cache test when filesystem can't represent nanosecond delays.
timeout=0.1 timeout=0.1
touch $basedir/test1 _count=10
sleep $timeout for ((i = 0; i < ${_count} ; i++)) ; do
touch $basedir/test2 touch $basedir/test${i}
TIMES=$(stat $basedir/test1 $basedir/test2 -c %z | cut -d" " -f2 | cut -d. -f2 | sort -u | wc -l) sleep $timeout
if [ $TIMES -ne 2 ]; then done
TIMES=$(stat $basedir/test* -c %z | cut -d" " -f2 | cut -d: -f3 | sort -u | wc -l)
if [ $TIMES -ne ${_count} ]; then
echo "WARNING: $basedir lacks nanosecond timestamp resolution, falling back to slower test" echo "WARNING: $basedir lacks nanosecond timestamp resolution, falling back to slower test"
timeout=1 timeout=1
fi fi
rm -f $basedir/test1 $basedir/test2 rm -f $basedir/test*
echo -n "Profiles are not cached by default: " echo -n "Profiles are not cached by default: "
../apparmor_parser $ARGS -q -r $basedir/$profile ../apparmor_parser $ARGS -q -r $basedir/$profile
@ -122,7 +124,7 @@ echo -n "monkey" > $basedir/cache/.features
echo -n "monkey" > $basedir/cache/$profile echo -n "monkey" > $basedir/cache/$profile
echo -n "monkey" > $basedir/cache/monkey echo -n "monkey" > $basedir/cache/monkey
echo -n "Cache purge remove profiles unconditionally: " echo -n "Cache purge remove profiles unconditionally: "
../apparmor_parser $ARGS -v --purge-cache -r $basedir/$profile || { echo "Cache clear setup FAIL"; exit 1; } ../apparmor_parser $ARGS -v --purge-cache -r $basedir/$profile || { echo "Cache purge setup FAIL"; exit 1; }
[ -f $basedir/cache/.features ] && { echo "FAIL"; exit 1; } [ -f $basedir/cache/.features ] && { echo "FAIL"; exit 1; }
[ -f $basedir/cache/$profile ] && { echo "FAIL"; exit 1; } [ -f $basedir/cache/$profile ] && { echo "FAIL"; exit 1; }
[ -f $basedir/cache/monkey ] && { echo "FAIL"; exit 1; } [ -f $basedir/cache/monkey ] && { echo "FAIL"; exit 1; }
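Review bot: The resolution probe now relies on the glob `$basedir/test*` in both the `stat` and the `rm -f`, so any other file matching that pattern under `$basedir` (a fixture or profile named `test-something`, for instance) is counted into `TIMES` and then deleted, and `$basedir` is unquoted throughout the new loop and the cleanup. Tighten the pattern to the files the loop actually creates and quote the variable: `TIMES=$(stat "$basedir"/test[0-9]* -c %z | cut -d" " -f2 | cut -d: -f3 | sort -u | wc -l)` and `rm -f "$basedir"/test[0-9]*`. Note that switching from `cut -d. -f2` to `cut -d: -f3` keeps the integer seconds in the compared field, so ten touches 0.1s apart that straddle a second boundary still produce fewer than `${_count}` distinct values on a coarse filesystem, which is what the fallback check needs.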


@ -68,6 +68,16 @@ sub test_profile {
my $result = 0; my $result = 0;
my $child; my $child;
$child = open(PARSER, "|-");
if ($child == 0) {
# child
open(STDOUT, ">/dev/null") or die "Failed to redirect STDOUT";
open(STDERR, ">/dev/null") or die "Failed to redirect STDERR";
exec("$config{'parser'}", "-S", "-I", "$config{'includedir'}") or die "Bail out! couldn't open parser";
# noreturn
}
# parent
eval { eval {
local $SIG{ALRM} = sub { local $SIG{ALRM} = sub {
$result = 1; $result = 1;
@ -77,19 +87,9 @@ sub test_profile {
alarm $config{'timeout'}; alarm $config{'timeout'};
$child = open(PARSER, "|-");
if ($child == 0) {
# child
open(STDOUT, ">/dev/null") or die "Failed to redirect STDOUT";
open(STDERR, ">/dev/null") or die "Failed to redirect STDERR";
exec("$config{'parser'}", "-S", "-I", "$config{'includedir'}") or die "Bail out! couldn't open parser";
# noreturn
}
# parent
open(PROFILE, $profile) or die "Bail out! couldn't open profile $profile"; open(PROFILE, $profile) or die "Bail out! couldn't open profile $profile";
while (<PROFILE>) { while (<PROFILE>) {
if (/^#=DESCRIPTION\s*(.*)/) { if (/^#=DESCRIPTION\s*(.*)/i) {
$description = $1; $description = $1;
} elsif (/^#=EXRESULT\s*(\w+)/) { } elsif (/^#=EXRESULT\s*(\w+)/) {
if ($1 eq "PASS") { if ($1 eq "PASS") {
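Review bot: The relocated fork `open(PARSER, "|-")` at the top of the hunk is still tested with `$child == 0`, but `open` returns undef when the fork fails, and undef compares numerically equal to 0; on fork failure the parent would therefore take the child branch, redirect its own STDOUT/STDERR to /dev/null and `exec` the parser, silently replacing the test driver. Add `die "Bail out! fork failed: $!" unless defined $child;` immediately after the `open`. Moving the fork ahead of the `eval`/`alarm` block is otherwise sensible, presumably so a `die` on the exec path is no longer swallowed by the eval, which matches the commit's "fix test driver for exec() failure". `test_profile` begins before and ends after this hunk.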


@ -39,6 +39,9 @@
/etc/drirc r, /etc/drirc r,
owner @{HOME}/.drirc r, owner @{HOME}/.drirc r,
# Xcompose
owner @{HOME}/.XCompose r,
# mouse themes # mouse themes
/etc/X11/cursors/ r, /etc/X11/cursors/ r,
/etc/X11/cursors/** r, /etc/X11/cursors/** r,


@ -37,8 +37,8 @@
@{HOME}/.fonts/ r, @{HOME}/.fonts/ r,
@{HOME}/.fonts/** r, @{HOME}/.fonts/** r,
@{HOME}/.fonts.cache-2 mr, @{HOME}/.fonts.cache-2 mr,
@{HOME}/.fontconfig/ r, @{HOME}/.{,cache/}fontconfig/ r,
@{HOME}/.fontconfig/** mrl, @{HOME}/.{,cache/}fontconfig/** mrl,
@{HOME}/.fonts.conf.d/ r, @{HOME}/.fonts.conf.d/ r,
@{HOME}/.fonts.conf.d/** r, @{HOME}/.fonts.conf.d/** r,
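Review bot: The widened rule `@{HOME}/.{,cache/}fontconfig/** mrl,` extends `m` (map for execution) and `l` (link) to a second user-writable tree with no `owner` qualifier, so every profile pulling in this abstraction may map files under `~/.cache/fontconfig` regardless of who owns them; the `owner @{HOME}/.XCompose r,` added to abstractions/X in this same commit shows the stricter form. Consider `owner @{HOME}/.{,cache/}fontconfig/** mrl,` if fontconfig only ever touches the invoking user's own cache, and confirm the `l` permission is actually exercised on the new path before carrying it over. The `m` on a user-controlled cache directory is pre-existing for `~/.fontconfig` and not introduced here.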


@ -83,3 +83,6 @@
# mime-types # mime-types
/etc/gnome/defaults.list r, /etc/gnome/defaults.list r,
/usr/share/gnome/applications/mimeinfo.cache r, /usr/share/gnome/applications/mimeinfo.cache r,
# poppler CMap tables
/usr/share/poppler/cMap/** r,


@ -4,9 +4,12 @@
# configuration queries # configuration queries
capability ipc_lock, capability ipc_lock,
# libvdpau config file for nvidia workarounds
/etc/vdpau_wrapper.cfg r,
# device files # device files
/dev/nvidia0 rw, /dev/nvidia0 rw,
/dev/nvidiactl rw, /dev/nvidiactl rw,
/proc/interrupts r, @{PROC}/interrupts r,
/proc/sys/vm/max_map_count r, @{PROC}/sys/vm/max_map_count r,


@ -4,9 +4,11 @@
owner @{HOME}/.java/deployment/deployment.properties k, owner @{HOME}/.java/deployment/deployment.properties k,
/etc/java-*/ r, /etc/java-*/ r,
/etc/java-*/** r, /etc/java-*/** r,
/usr/lib/jvm/java-6-openjdk*/jre/lib/*/IcedTeaPlugin.so mr, /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
/usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk, /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk, /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-7-openjdk/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java, /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java, /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
/usr/lib/j2*-ibm/jre/bin/java cx -> browser_java, /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
@ -44,8 +46,8 @@
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/usr/bin/env ix, /usr/bin/env ix,
/usr/lib/jvm/java-6-openjdk*/jre/bin/java ix, /usr/lib/jvm/java-{6,7}-openjdk*/jre/bin/java ix,
/usr/lib/jvm/java-6-openjdk*/jre/lib/i386/client/classes.jsa m, /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
# Why would java need this? # Why would java need this?
deny /usr/bin/gconftool-2 x, deny /usr/bin/gconftool-2 x,


@ -50,10 +50,8 @@
/opt/google/talkplugin/GoogleTalkPlugin ixr, /opt/google/talkplugin/GoogleTalkPlugin ixr,
owner @{HOME}/.config/google-googletalkplugin/** rw, owner @{HOME}/.config/google-googletalkplugin/** rw,
# If we allow the above, nvidia based systems will also need these # If we allow the above, nvidia based systems will also need this
/dev/nvidactl rw, #include <abstractions/nvidia>
/dev/nvidia0 rw,
@{PROC}/interrupts r,
# Virus scanners # Virus scanners
/usr/bin/clamscan Cx -> sanitized_helper, /usr/bin/clamscan Cx -> sanitized_helper,


@ -29,3 +29,6 @@
# Exo-aware applications # Exo-aware applications
/usr/bin/exo-open ixr, /usr/bin/exo-open ixr,
/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
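Review bot: `/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,` hard-codes the Xubuntu session directory; exo-open presumably finds this file through `$XDG_CONFIG_DIRS`, which on each Ubuntu derivative points at its own `xdg-<flavour>` directory, so other Xfce-based sessions would still hit a denial. A glob `/etc/xdg/xdg-*/xfce4/helpers.rc r,` covers them without widening anything beyond read access to helper definitions. The `ixr` on `exo-helper-1` keeps it under the calling application's profile, which is consistent with the existing `exo-open ixr` line above it.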


@ -43,10 +43,11 @@ profile sanitized_helper {
/bin/* Pixr, /bin/* Pixr,
/sbin/* Pixr, /sbin/* Pixr,
/usr/bin/* Pixr, /usr/bin/* Pixr,
/usr/local/bin/* Pixr,
/usr/sbin/* Pixr, /usr/sbin/* Pixr,
# Allow exec of libexec applications in /usr/lib* # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
/usr/lib*/{,**/}* Pixr, /usr/{,local/}lib*/{,**/}* Pixr,
# Allow exec of software-center scripts. We may need to allow wider # Allow exec of software-center scripts. We may need to allow wider
# permissions for /usr/share, but for now just do this. (LP: #972367) # permissions for /usr/share, but for now just do this. (LP: #972367)
@ -65,7 +66,7 @@ profile sanitized_helper {
# Full access # Full access
/ r, / r,
/** rwkl, /** rwkl,
/{,usr/}lib{,32,64}/{,**/}*.so{,.*} m, /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
# Dangerous files # Dangerous files
audit deny owner /**/* m, # compiled libraries audit deny owner /**/* m, # compiled libraries
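Review bot: The new exec rules `/usr/local/bin/* Pixr,` and `/usr/{,local/}lib*/{,**/}* Pixr,` (together with `m` on `/usr/local/lib*/…*.so*`) move sanitized_helper's trust boundary from distro-managed paths to /usr/local, which on some sites is writable by an admin or `staff` group rather than root alone, so the profile's safety now rests on /usr/local being as trusted as /usr. That assumption deserves a comment next to the rule, e.g. `# /usr/local is trusted like /usr; sites that let unprivileged groups write there should tighten this in local/`. The later `audit deny owner /**/* m,` still blocks mapping libraries owned by the invoking user, but it says nothing about a group-writable, root-owned binary dropped into /usr/local/bin, which the new `Pixr` rule would execute.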


@ -10,7 +10,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#include <tunables/global> #include <tunables/global>
/bin/ping { /{usr/,}bin/ping {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/consoles> #include <abstractions/consoles>
#include <abstractions/nameservice> #include <abstractions/nameservice>


@ -53,6 +53,7 @@
# NetworkManager integration # NetworkManager integration
/{,var/}run/nm-dns-dnsmasq.conf r, /{,var/}run/nm-dns-dnsmasq.conf r,
/{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.dnsmasq> #include <local/usr.sbin.dnsmasq>


@ -39,7 +39,7 @@ working as you expect.
Feedback on these unsupported profiles is welcomed; any Feedback on these unsupported profiles is welcomed; any
contributions for this directory should be clearly licensed contributions for this directory should be clearly licensed
-- we recommend using the GPL. Please mail suggestions or -- we recommend using the GPL. Please mail suggestions or
modifications to the apparmor-general@forge.novell.com mail list: modifications to the apparmor@lists.ubuntu.com mail list:
http://forge.novell.com/mailman/listinfo/apparmor-general https://lists.ubuntu.com/mailman/listinfo/apparmor
Thanks Thanks


@ -1,40 +1,80 @@
# Last Modified: Mon Oct 26 13:29:13 2009 # Additional profiling based on work by:
# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53 # - Андрей Калинин, LP: #226624
# Additional profiling based on work by Андрей Калинин, LP: #226624 # - Jamie Strandboge and Ivan Frederiks, LP: #933440
#include <tunables/global> #include <tunables/global>
/usr/bin/skype flags=(complain) { /usr/bin/skype flags=(complain) {
#include <abstractions/audio> #include <abstractions/audio>
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/dbus-session>
#include <abstractions/fonts> #include <abstractions/fonts>
#include <abstractions/freedesktop.org> #include <abstractions/freedesktop.org>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde> #include <abstractions/kde>
#include <abstractions/nameservice> #include <abstractions/nameservice>
#include <abstractions/nvidia> #include <abstractions/nvidia>
#include <abstractions/ssl_certs>
#include <abstractions/user-tmp> #include <abstractions/user-tmp>
#include <abstractions/X> #include <abstractions/X>
# are these needed? @{PROC}/sys/kernel/{ostype,osrelease} r,
/proc/*/cmdline r, @{PROC}/[0-9]*/net/arp r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/cmdline r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
/sys/devices/**/power_supply/**/online r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
/dev/ r,
owner /{dev,run}/shm/pulse-shm* m,
/dev/snd/* m,
/dev/video* mrw, /dev/video* mrw,
/var/cache/libx11/compose/* r, /var/cache/libx11/compose/* r,
# should this be in a separate KDE abstraction? # should this be in a separate KDE abstraction?
@{HOME}/.kde/share/config/kioslaverc r, owner @{HOME}/.kde{,4}/share/config/kioslaverc r,
/usr/bin/skype mr, /usr/bin/skype mr,
/etc/xdg/sni-qt.conf rk,
/etc/xdg/Trolltech.conf rk,
/usr/share/skype/** kr, /usr/share/skype/** kr,
/usr/share/skype/**/*.qm mr,
/usr/share/skype/sounds/*.wav kr, /usr/share/skype/sounds/*.wav kr,
/usr/lib/@{multiarch}/pango/** mr,
@{HOME}/.Skype/ rw, # For opening links in the browser (still requires explicit access to execute
@{HOME}/.Skype/** krw, # the browser)
@{HOME}/.config/* kr, /usr/bin/xdg-open ixr,
@{HOME}/.mozilla/ r, owner @{HOME}/.Skype/ rw,
@{HOME}/.mozilla/*/ r, owner @{HOME}/.Skype/** krw,
@{HOME}/.mozilla/*/*/ r, owner @{HOME}/.config/ r,
@{HOME}/.mozilla/*/*/bookmarkbackups/ r, owner @{HOME}/.config/*/ r,
@{HOME}/.mozilla/*/*/chrome/ r, owner @{HOME}/.config/Skype/Skype.conf rw,
@{HOME}/.mozilla/*/*/extensions/ r, owner @{HOME}/.config/Trolltech.conf kr,
@{HOME}/.mozilla/*/*/prefs.js r,
# Skype traverses the .mozilla directory and needs access to prefs.js
owner @{HOME}/.mozilla/ r,
owner @{HOME}/.mozilla/**/ r,
owner @{HOME}/.mozilla/*/*/prefs.js r,
# Skype also looks around in these directories
/{,usr/,usr/local/}lib/ r,
# Recent skype builds have an executable stack, so it tries to mmap certain
# files. Let's deny them for now.
deny /etc/passwd m,
deny /etc/group m,
deny /usr/share/fonts/** m,
# Silence a few non-needed writes
deny /var/cache/fontconfig/ w,
deny owner @{HOME}/.fontconfig/ w,
deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w,
} }
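Review bot: `/usr/bin/xdg-open ixr,` runs xdg-open, and hence whatever browser it spawns, inside the Skype profile (`ix` inherits), so the accompanying comment "still requires explicit access to execute the browser" means the browser would have to be listed here too and would then run under Skype's rules instead of its own. Elsewhere in this commit (the `/usr/bin/clamscan Cx -> sanitized_helper,` line in the profile that gained `#include <abstractions/nvidia>`) helpers are launched with `Cx -> sanitized_helper`, and that or a `Px` transition would be the more conventional choice for xdg-open. Since this profile is `flags=(complain)` the difference currently shows only in the audit log, but it will matter if the profile is ever enforced. The new `deny … m` rules for /etc/passwd, /etc/group and fonts and the `owner` qualifiers on the `@{PROC}/[0-9]*/…` reads are good tightenings.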


@ -23,6 +23,8 @@
#include <sched.h> #include <sched.h>
#include <linux/unistd.h> #include <linux/unistd.h>
#define STACK_SIZE 0x8000
struct option long_options[] = struct option long_options[] =
{ {
{"newns", 0, 0, 'n'}, /* create a new namespace */ {"newns", 0, 0, 'n'}, /* create a new namespace */
@ -59,7 +61,7 @@ int main(int argc, char *argv[])
int waitstatus; int waitstatus;
int c; int c;
char buf[BUFSIZ]; char buf[BUFSIZ];
int stack_size = PAGE_SIZE << 4; int stack_size = STACK_SIZE;
void *child_stack = malloc(stack_size); void *child_stack = malloc(stack_size);
int clone_flags = SIGCHLD; int clone_flags = SIGCHLD;
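Review bot: The new `#define STACK_SIZE 0x8000` replaces `PAGE_SIZE << 4` with a bare number and no explanation; record the reasoning, e.g. `/* 32 KiB child stack (PAGE_SIZE << 4 on 4 KiB pages); a fixed size avoids depending on PAGE_SIZE, which is presumably what broke the build on arm */`. The `malloc(stack_size)` on the following line is still passed on unchecked, and since `child_stack` is presumably handed to clone() further down, a NULL here would fault in the child instead of failing the test cleanly; add `if (!child_stack) { perror("malloc"); return 1; }` after it. `main()` begins before and ends after this hunk.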