Make @{sys} available by default
See merge request apparmor/apparmor!228
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 772a8702e0)
aa065287 Make @{sys} available by default
--log-facility option needs to have permission to open files.
Use '*' to allow using more files (for using more dnsmasq instances).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
(cherry picked from commit 025c7dc6a1)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Add missing paths to usr.sbin.nmbd, usr.sbin.smbd and abstractions/samba
See merge request apparmor/apparmor!210
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit f76a718f28)
80e98f2d Update usr.sbin.nmbd & usr.sbin.smbd
Qt GUI applications that use "platforminputcontexts"-class of plugins
might need reading and/or writing compose cache. Add read-only rule in
qt5 abstraction and create new writing dedicated for compose cache
writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 67816c42cf)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Qt-based applications store QFileDialog (latest browsed directory) and
other shared user settings inside ~/.config/QtProject.conf. Currently
available qt abstraction only allows to read it (by design), so this
patch introduces abstraction that grants permissions for writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 69c4cabb93)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add @{uid} and @{uids} variables to allow migrating profiles in advance
while awaiting path mediation implementation, based on current user id,
in kernel side.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/208
(cherry picked from commit cba10db7e7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
gio-launch-desktop helper tries to execute /usr/bin/thunderbird wrapper
script, not the /usr/lib/thunderbird... directly.
Add rule allowing to execute /usr/bin/thunderbird.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/204
(cherry picked from commit cee9527fa8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
* Add -bin suffix to reach new Thunderbird executable.
(cherry picked from commit 7546413b43)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Also add /usr/share/dnsmasq/, DNSSEC trust anchors are kept there.
(cherry picked from commit 5bc7a9fbd6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow /usr/local/lib/python3/dist-packages in abstractions/python
See merge request apparmor/apparmor!160
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 763a6787d8)
6a10f076 Allow /usr/local/lib/python3/dist-packages in abstractions/python
Python 3.7 was released yesterday - and to make the abstraction
future-proof, also cover 3.8 and 3.9 in advance ;-)
(cherry picked from commit 01f41fbff8)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/139
Dovecot profile updates
See merge request apparmor/apparmor!90
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6b78daf25b)
36bdd6ea add dovecot/stats profile, and allow dovecot to run it
26a8b722 allow dovecot/auth to write /run/dovecot/old-stats-user
Fix $(PWD) when using "make -C profiles"
See merge request apparmor/apparmor!80
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 14096cb3a7)
20893382 Fix $(PWD) when using "make -C profiles"
Allow to create .nv directory
See merge request apparmor/apparmor!69
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
(cherry picked from commit 21b0d14ea4)
11e7dab9 Allow to create .nv directory
Update base abstraction for ld.so.conf and friends.
See merge request apparmor/apparmor!62
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
(cherry picked from commit e88af93322)
6d22c871 Update base abstraction for ld.so.conf and friends.
abstractions/X: add another location for .Xauthority
See merge request apparmor/apparmor!39
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit bcfb735b9a)
bb96e38a abstractions/X: add another location for .Xauthority
Fix local pulseaudio config file access
See merge request apparmor/apparmor!38
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
(cherry picked from commit 6713f9d94a)
f73627cb Fix local pulseaudio config file access
Fix signal sending for usr.sbin.dovecot
See merge request apparmor/apparmor!36
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
(cherry picked from commit 6db30f8faf)
9f24650e Fix signal sending for usr.sbin.dovecot
allow dac_read_search and dac_override for dovecot/auth
See merge request apparmor/apparmor!14
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
(cherry picked from commit 42bd81df01)
6f6b3c57 allow dac_read_search and dac_override for dovecot/auth
Allow to read pulseaudio config subdirectories
See merge request apparmor/apparmor!12
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9, 2.10, 2.11 and trunk
(cherry picked from commit 4b8b08562a)
9658471d Allow to read pulseaudio config subdirectories
Merge from trunk commit 3726
The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665
[Merge from trunk revision 3722]
On 64-bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT
(2^22), which results in seven digit pids. Adjust the @{PID} variable in
tunables/global to accept this.
Acked-by: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/apparmor/+bug/1717714
/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk