From the README in the toplevel source:
"[P11-KIT] Provides a way to load and enumerate PKCS#11 modules. Provides a
standard configuration setup for installing PKCS#11 modules in such a way that
they're discoverable."
File locatations are described in [1]. There is a global configuration file in
/etc/pkcs11/pkcs11.conf. Per module configuration happens in
/etc/pkcs11/<module name>. There is also user configuration in ~/.pkcs11, but
IMO this should not be allowed in the abstraction. Example configuration can be
seen in the upstream documentation[2].
This will likely need to be refined as more applications use p11-kit.
[1]http://p11-glue.freedesktop.org/doc/p11-kit/config-locations.html
[2]http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html
Acked-by: Jamie Strandboge <jamie@canonical.com>
in python abstraction. This script is used by apport aware python applications
Bug-Ubuntu: https://launchpad.net/bugs/860856
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
and systems where /var/run moved to /run. Also allows read of
/etc/default/locale.
Bug-Ubuntu: https://launchpad.net/bugs/817956
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
abstractions/apache2-common. Additionally, add read permissions
for /**/.htaccess and /dev/urandom to apache2-common.
The patch is based on a profile abstraction from darix. I made some
things more strict (compared to darix' profile), and OTOH added some
things that are needed on my servers.
*** BACKWARDS-INCOMPATIBLE CHANGES ***
^HANDLING_UNTRUSTED_INPUT
- don't allow /.htaccess (.htaccess files in subdirectories are still allowed)
- don't allow *.htaccess files (the old /**.htaccess rule was too generous)
Original openSUSE changelog entry:
Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
- Splitted ldap related things from nameservice into separate
profile and added some missing paths (bnc#662761)
- fix permissions for additional-log-sockets.conf (the comma in {var/,}
was at the wrong place, which broke the /var/run/ case)
- add read permissions for /sys/devices/system/cpu/online
(that was even new for Peter, but I trust him not to post faked
audit.log lines ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
Subject: apparmor-profiles: Add samba config files
References: bnc#679182 bnc#666450
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
- updated to match trunk
- added changed path to nmbd profile (/var/cache/samba has moved to
/var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
For backward compability, it also allows /var/spool/samba.
- Note: The smbd profile already contains both locations.
by Christian Boltz <apparmor@cboltz.de>
updated according to the comments from Steve Beattie
by Christian Boltz <apparmor@cboltz.de>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- allow /var/spool/mail, not only the /var/mail symlink
- allow @{HOME}/Mail/
- allow capability fsetid, read access to /etc/lsb-release and
SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot
References:
- dovecot: Added support for /var/spool/mail (bnc#691072)
- Updated dovecot profile (bnc#681267).
Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
updated to match trunk by Christian Boltz <apparmor@cboltz.de>
Change compared to the patch posted to the ML:
- link rule instead of adding l permissions for /var/lib/dovecot and
/var/run/dovecot (as proposed by John Johansen)
Acked-By: John Johansen <john.johansen@canonical.com> on IRC
to switch to a non-root user. unscd is installed as /usr/sbin/nscd
at least at openSUSE.
Original changelog entry from unscd package:
Mon Sep 7 17:30:36 CEST 2009 - pbaudis[at]suse.cz
- Provide the /etc/apparmor.d/usr.sbin.nscd file and make it allow
for change to the nobody user [bnc#535467]
Currently the nscd package from glibc and the unscd package both contain
a usr.sbin.nscd profile which needs to maintained/updated manually.
With this patch, the profile could be moved back to the
apparmor-profiles package.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
profiles.
It also adds a comment to the klogd profile that capability sys_admin is
only needed for backward compatibility with older kernels.
Acked-by: John Johansen <john.johansen@canonical.com>
