in merging in the opensuse fixes to the dhclient profile. It does so
by merging them, using the profile for dhclient-script if it exists
and inheriting dhclient's profile if it does not.
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux accesses /proc/filesystems to determine if it's enabled
bash won't execute
audit_control is probably from libselinux too
Updated by Christian Boltz <apparmor@cboltz.de>:
- add /proc/*/oom_adj and oom_score_adj rw
- add /var/log/btmp r
- add /var/log/lastlog k
- removed capability sys_ptrace - doesn't seem to be needed
- changed all login shells to rUx, not only bash
- removed /proc/filesystems (already part of abstractions/base)
Acked-By: John Johansen <john.johansen@canonical.com>
with the following note:
ACK because I don't see a choice right now but for the 3.0 release
(next year) I'll ask you to retest and add newer audit controls.
Changed /var/run/cups/** rw, to
/{,var/}run/cups/ rw,
/{,var/}run/cups/** rw,
as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Updated to match master by
Christian Boltz <apparmor@cboltz.de>
Updated for systemd (/{,var/},run/ instead of /var/run/) by
Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
(final confirmation on IRC in #apparmor)
updated to match master by
Christian Boltz <apparmor@cboltz.de>
updated to work with systemd (/{,var/}run/ instead of /var/run)
Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: dhcpd: Fix apparmor profile
References: bnc#692428
This patch adds the network rules needed, corrects the path to dhcpd.leases,
and adds the path for TSIG DNS keys.
Reported-by: Andrew Beames <suseforum@roocomputing.co.uk>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
updated to match trunk by
Christian Boltz <apparmor@cboltz.de>
updated to use
/var/lib/dhcp/{db/,}dhcpd.leases* rwl,
(instead of just /var/lib/dhcp/db/dhcpd.leases* rwl) to keep the profile
Ubuntu-compatible as requested by Steve Beattie.
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: profiles: Add openssl abstraction
References: bnc#623886
Profiles that use openssl have been adding the openssl files piecemeal.
This patch creates a new openssl abstraction that can be inherited by
all profiles that use it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Patch for
- profiles/apparmor.d/abstractions/ssl_certs
- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork (second chunk)
updated by Christian Boltz <apparmor@cboltz.de>
(didn't apply to trunk)
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Copyright header in profiles/apparmor.d/abstractions/openssl added by
Christian Boltz <apparmor@cboltz.de>
Subject: profile: ntpd -N needs sys_nice
References: bnc#657054
ntpd -N allows the administrator to increase or decrease priority of the
ntp server. Since the profile doesn't allow it, the operation is denied.
This patch adds support for that operation.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Johansen, use 'ix' instead of 'Pix' for dbus-launch since if someone happens to
define a profile for dbus-launch and it is loosely confined, then users of this
abstraction could end up launching a program via dbus-launch in a less confined
manner than intended. This sort of thing should not be possible via an
abstraction (and people are always free to profile using Pix if they prefer).
Steve Langasek <steve.langasek@linaro.org>,
Steve Beattie <sbeattie@ubuntu.com>
Description: add multiarch support to abstractions
Bug-Ubuntu: https://bugs.launchpad.net/bugs/736870
This patch add multiarch support for common shared library locations, as
well as a tunables file and directory to ease adding addiotional
multiarch paths.
Bug: https://launchpad.net/bugs/736870
process does not generate local files for things in extras, and even if
it did, this one is named in a non-standard fashion (usr.bin.firefox vs.
usr.lib.firefox.firefox).
the extras directory as intended and fail the make if a parse failure
occurs. Also, set the default parser and logprof to be the intree ones;
the system ones can still be used by setting environment variables.
Finally, have the 'all' target generate the local files. Also, set the
parser base directory to the apparmor.d directory (rather than as an
added include, to avoid outside contamination from system profiles and
includes).
With these changes, make && make check should verify the profile set is
compilable and mostly consistent. (Alas, the current profiles are not
quite consistent).
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
fixes the profile.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
allows write to the ~/Desktop directory, which could conceivably allow writing
of .desktop files which could be clicked on and executed by the user. This is
based on the firefox base profile as included in Ubuntu. Notable features:
- allows for using the browser to navigate through directories
- allows reads from @{HOME}/Public/**
- allows writes to @{HOME}/Downloads/**
The intent of this profile is to restrict code execution, writes to $HOME
and information leaks while allowing basic web browsing and reading of
system documentation. It does not allow for plugins, extensions or other
helpers (but these can be added via the local/ mechanism).
- allow net_admin capability for DHCP server
- allow net_raw and network inet raw for ICMP pings when used as a DHCP
server
- allow read and write access to libvirt pid files for dnsmasq
See the FAQ in the dnsmasq source for details. This fixes
https://launchpad.net/bugs/697239
use by more and more applications, including empathy and evolution. It
is listed on freedesktop.org. See:
http://www.abisource.com/projects/enchant/
This abstraction gives access to enchant itself, files in the user's home
directory for enchant and various dictionaries for:
- aspell
- ispell
- hunspell
- myspell
- hspell
- zemberek
- voikko
start to use it. Additionally, the 'rw' on the @{HOME}/.config/ibus/bus/
probably only needs 'create' and 'chmod', so that could be tightened up once
those are exposed in the tools. LP: #649497.
