Ubuntu 14.04's chromium-browser has changed paths in a way that prevents
evince from opening clicked links in chromium-browser windows.
This patch adds a new path for the chrome-sandbox executable to the
sanitized_helper profile, so chromium will get its own tailored profile if
necessary.
The reporter who said this patch helped included some further DENIED lines
for signals that indicates this is probably not sufficient but did make
the links work as expected.
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1282314
Signed-off-by: Seth Arnold <seth.arnold@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
and its derivatives
Bug-Ubuntu: https://launchpad.net/bugs/1285653
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
- some *.dat files live in a different directory nowadays (at least in
openSUSE)
- the openSUSE smb.conf includes the (autogenerated) dhcp.conf, so this
file also needs to be readable.
References: https://bugzilla.novell.com/show_bug.cgi?id=863226
Acked-by: Seth Arnold <seth.arnold@canonical.com>
the suggestion to use @{XDG_DOWNLOAD_DIR} in abstractions/user-download as
well as the existing entries.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Thai-specific functions like word-breaking, input and output methods and basic
character and string support. This is: https://launchpad.net/bugs/1278702
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Description: Allow applications run under sanitized_helper to connect to DBus
This was originally 0076_sanitized_helper_dbus_access.patch in the Ubuntu
apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1056418
From: Steve Beattie <steve.beattie@canonical.com>
Came from 0021-webapps_abstraction.patch in the Ubuntu apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Grant access to specific files in the /var/run/user/UID/pulse/ directory to
remove access to potentially dangerous and non-essential files such as the
debug (cli) socket provided by the module-cli-protocol-unix module.
Author: Tyler Hicks <tyhicks@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/1211380
Acked-by: Steve Beattie <steve@nxnw.org>
Description: allow mmap of fglrx dri libraries
Bug-Ubuntu: https://launchpad.net/bugs/1200392
Acked-by: Steve Beattie <steve@nxnw.org>
Came from 0038-lp1200392.patch.
Author: Micah Gersten <micah@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Modified by Seth Arnold; nvidia nvpau_wrapper.cfg permission was hoisted
up into an nvidia abstraction.
Author: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This was originally patch 0018-lp1056391.patch in the Ubuntu apparmor
packaging; Steve noticed the now-redundant line for /var/lib/sss/mc/passwd
so I removed that at the same time.
From: Felix Geyer <debfx@ubuntu.com>
AppArmor requires read and write permission to connect to
unix domain sockets but the nameservice abstraction only
grants write access to the avahi socket.
As a result mdns name resolution fails.
Acked-by: John Johansen <john.johansen@canonical.com>
Create a new strict accessibility bus abstraction.
The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.
The permissive abstraction reuses the strict abstraction and then allows
all communications on the accessibility bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Move some of the file rules from the existing permissive session bus
abstraction into a new strict session bus abstraction. Leave the
dbus-launch rule in the permissive profile since not all applications
will need it.
The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.
The permissive abstraction reuses the strict abstraction and then allows
all communications on the session bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Move the file rule from the existing permissive system bus abstraction
into a new strict system bus abstraction.
The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.
The permissive abstraction reuses the strict abstraction and then allows
all communications on the system bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The AppArmor kernel now checks for both read and write permissions when
a process calls connect() on a UNIX domain socket.
The patch updates four abstractions that were found to be needing
changes after the change in AF_UNIX kernel mediation.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The accessibility bus uses an abstract socket, so there hasn't been a
need for an accessibility bus abstraction in the past. Now that D-Bus
mediation is supported, an abstraction becomes a useful place to put
accessibility bus D-Bus rules.
This patch follows the lead of the dbus and dbus-session abstraction by
granting full access to the accessibility bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Before D-Bus mediation support was added to AppArmor, the dbus and
dbus-session abstractions granted full access to the system and session
buses, respectively.
In order to continue granting full access to those buses, bus-specific
D-Bus mediation rules need to be added to the abstractions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
update-ca-certificates (from ca-certificates-1_201310161709-1.1.noarch)
stores certs in this directory now.
References: https://bugzilla.novell.com/show_bug.cgi?id=852018
Acked-by: Seth Arnold <seth.arnold@canonical.com>
$HOME/.config/fontconfig/conf.d/* and
$HOME/.config/fontconfig/fonts.conf
/etc/fonts/conf.d/50-user.conf:
<!--
Load per-user customization files where stored on XDG Base Directory
specification compliant places. it should be usually:
$HOME/.config/fontconfig/conf.d
$HOME/.config/fontconfig/fonts.conf
-->
<include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
<include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
abstractions/fonts should allow read access to those files:
From: Felix Geyer debfx@ubuntu.com
Acked-by: John Johansen <john.johansen@canonical.com>
An abstraction to grant the ability to query dconf settings. It does
not grant the ability to update or add settings, due to our current
inability to restrict where within the dconf hierarchy updates
can occur.
From: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
Debian sid's fonts-mathjax ships fonts in
/usr/share/javascript/mathjax/fonts, that are now used by default by
fontconfig-enabled software.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
At least on Debian, with recent versions of fontconfig-config
(>= 2.10), files in /etc/fonts/conf.d/ are symlinks pointing to
/usr/share/fontconfig/.
This was reported by Jakub Wilk <jwilk@debian.org> on Debian bug #714843.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
abstractions/ubuntu-browsers.d/ubuntu-integration.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
abstractions/mysql contains
/var/lib/mysql/mysql.sock rw,
/usr/share/mysql/charsets/ r,
/usr/share/mysql/charsets/*.xml r,
but the files moved (at least on openSUSE) to
/usr/share/mysql-community-server/charsets/*.xml
/var/run/mysql/mysql.sock
This causes denials for all applications using MySQL on 12.2 and
Factory.
MariaDB has the *.xml files in
/usr/share/mariadb/charsets/*.xml
and also seems to use /var/run/mysql/ for the socket.
Since MariaDB is basically a drop-in replacement for MySQL, it makes
sense to allow access to it via abstractions/mysql.
References: https://bugzilla.novell.com/show_bug.cgi?id=798183
Acked-by: Seth Arnold <seth.arnold@canonical.com>
I was testing out a profile for pulseaudio and hit an issue where my
pulseaudio process was getting the firefox profile applied to it. This
is because in abstractions/ubuntu-browsers.d/multimedia the rule for
pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it
to Pixr, so as to use a global pulseaudio policy if it exists.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
From: Simon Deziel <simon.deziel@gmail.com>
A fair number of the rules that apply to files in @{HOME} predate the
existence of the 'owner' qualifier. This patch adds the 'owner'
qualifier in several places.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
