Jamie Strandboge
0c7c34c6f1
Merge branch 'vulkan' into 'master'
Add Vulkan abstraction
See merge request apparmor/apparmor!126
2018-05-22 21:45:31 +00:00
Vincas Dargis
47520931be
Add Vulkan abstraction
Add abstraction for Vulkan API specific file paths.
2018-05-22 21:48:13 +03:00
Jamie Strandboge
c1431bc2de
Merge branch 'nvidia-app-profiles' into 'master'
Update nvidia for reading application profiles
See merge request apparmor/apparmor!125
2018-05-22 18:24:19 +00:00
Vincas Dargis
f2e0fdc72b
Update nvidia for reading application profiles
Add file rule to allow reading application profiles for NVIDIA
Linux graphics driver.
2018-05-22 20:43:56 +03:00
Vincas Dargis
8237d6e776
Add OpenCL abstractions
2018-05-13 20:14:15 +00:00
Christian Boltz
23b5f29b80
Update samba profiles
- allow smbd to load new shared libraries
- allow winbindd to read and write new kerberos cache location
Based on a patch by "Samuel Cabrero" <scabrero@suse.com>
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1092099
2018-05-09 21:00:30 +02:00
Jamie Strandboge
7bd3029f25
Merge branch 'update-fonts' into 'master'
Update fonts for Debian and openSUSE
See merge request apparmor/apparmor!96
2018-04-30 10:03:22 +00:00
Christian Boltz
3009b22aec
Merge branch 'qt5' into 'master'
Add qt5 abstraction
See merge request apparmor/apparmor!99
Acked-by: Christian Boltz <apparmor@cboltz.de>
2018-04-18 22:18:30 +00:00
Vincas Dargis
b902d2505d
Update fonts for Debian and openSUSE
* Allow reading the conf-avail dir itself.
* Add various openSUSE-specific font config directories.
2018-04-18 19:16:29 +03:00
Vincas Dargis
6a85ffe00e
Add qt5 abstraction
Create abstractions/qt5 with common rules needed for Qt5-based
applications.
2018-04-18 19:12:28 +03:00
Christian Boltz
64c196a487
Merge branch 'Talkless/apparmor-nvidia-update'
See https://gitlab.com/apparmor/apparmor/merge_requests/92
Acked-by: John Johansen <john.johansen@canonical.com>
2018-04-14 23:38:29 +02:00
Christian Boltz
a7ffae4396
mlmmj-send-profile: allow reading digesters.d/*
Reported by Per Jessen by mail
2018-04-14 21:25:09 +00:00
Christian Boltz
c4e607199c
dovecot/config: allow dac_read_search and reading ssl-parameters.dat
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c12
2018-04-14 22:53:40 +02:00
Christian Boltz
26a8b72225
allow dovecot/auth to write /run/dovecot/old-stats-user
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
(3rd bullet point)
2018-04-13 13:55:05 +00:00
Christian Boltz
36bdd6ea70
add dovecot/stats profile, and allow dovecot to run it
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1088161
2018-04-13 13:55:05 +00:00
Vincas Dargis
0d0a196077
Allow nvidia abstraction to read memory block size
Fix DENIED message detected with NVIDIA 390.48 drivers.
2018-04-12 20:36:56 +03:00
Vincas Dargis
0c2690d819
Fix ubuntu-browsers for 64bit openSUSE
On 64-bit openSUSE systems, Chromium and Firefox browsers are installed in
/usr/lib64/ directory.
2018-04-01 16:48:13 +03:00
Christian Boltz
208933829f
Fix $(PWD) when using "make -C profiles"
By default, it stays at the "calling directory" instead of the directory
of the Makefile, which breaks "make -C profiles check".
Explicitly set it in the Makefile to get the right directory.
2018-03-18 18:09:04 +00:00
intrigeri
22e94633c3
dnsmasq profile: allow chown capability.
dnsmasq on Debian sid now chown's its PID file.
Bug-Debian: https://bugs.debian.org/889806
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-03-05 23:51:23 -08:00
Christian Boltz
8ef7b59454
mlmmj-sub: fix moderated subscription
/var/spool/mlmmj/*/moderation/subscribe* rw, is needed for lists with
moderated subscription
References: http://bugzilla.opensuse.org/show_bug.cgi?id=1082230
2018-02-22 22:57:51 +01:00
Vincas Dargis
11e7dab95e
Allow creating the .nv directory
Update nvidia abstraction to allow creating NVIDIA-specific user directories in
case they are missing (due to a fresh $HOME or if manually removed for any reason).
2018-02-16 16:54:32 +02:00
Christian Boltz
e88af93322
Merge branch 'update-base-abstraction' into 'master'
Update base abstraction for ld.so.conf and friends.
See merge request apparmor/apparmor!62
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
2018-02-15 20:14:38 +00:00
Vincas Dargis
b0456adbd8
Add dri-enumerate abstraction
Create a new dri-enumerate abstraction with the rules some GUI applications
need to get GPU device information.
2018-02-04 16:01:27 +02:00
Vincas Dargis
8dd517f6dd
Move DRI-specific rules into its own abstraction
Add new dri-common abstraction to contain basic DRI-specific rules.
This refactoring is based on a decision to have a set of dri-* abstractions for
fine-grained control on a case-by-case basis. While dri-common is included in the X
abstraction by default, additional DRI-related abstractions can be introduced
(such as for enumerating graphics devices) while keeping them logically together
with same dri- prefix.
2018-02-04 14:21:16 +02:00
Vincas Dargis
6d22c871bf
Update base abstraction for ld.so.conf and friends.
Fix denies for latest Thunderbird and Firefox on Debian Sid due to
missing access to /etc/ld.so.conf and /etc/ld.so.conf.d/*.
2018-01-26 19:55:31 +02:00
Christian Boltz
85f8cace12
Merge branch 'cboltz-ntpd' into 'master'
allow access to ntp clockstats
See merge request apparmor/apparmor!54
2018-01-23 23:02:16 +00:00
Rene Engelhard
8fc3dcb312
abstractions/gnupg: allow pubring.kbx
2018-01-20 23:54:08 +01:00
John Johansen
62dbd29656
Merge branch 'dovecot-lda-protocols' into 'master'
Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/
See merge request apparmor/apparmor!57
Acked-by: John Johansen <john.johansen@canonical.com>
2018-01-20 08:18:07 +00:00
intrigeri
1b51dac4c9
Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/.
On current Debian sid it needs to read
/usr/share/dovecot/protocols.d/imapd.protocol, which is not surprising given it
already needed read access to /usr/share/dovecot/protocols.d/.
2018-01-20 06:25:25 +00:00
Christian Boltz
1541175c36
dovecot/lmtp: allow dac_read_search
Fixes https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887591
2018-01-18 18:15:43 +01:00
Christian Boltz
1b58f226ce
allow access to ntp clockstats
References: http://bugzilla.opensuse.org/show_bug.cgi?id=1076247
2018-01-16 21:15:41 +01:00
John Johansen
e55583ff27
profile: fix syslog-ng startup for some configurations
buglink: https://bugs.launchpad.net/bugs/1739909
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-12-24 00:13:58 -08:00
John Johansen
a3693f56f3
Merge branch 'cboltz-netstat' into 'master'
netstat: allow capability sys_ptrace,
See merge request apparmor/apparmor!46
2017-12-22 20:50:11 +00:00
Christian Boltz
81ca52d948
netstat: allow capability sys_ptrace,
Denying it means netstat -p (actually tested with -tulpen) can't find
out the program name.
sys_ptrace is "only" needed for tracing processes that run under a
different uid.
Also add ptrace (read), for systems that support ptrace rules.
2017-12-22 21:43:54 +01:00
John Johansen
f8b208ee80
Merge branch 'cboltz-dovecot' into 'master'
Update /usr/lib/dovecot/* profiles
See merge request apparmor/apparmor!42
Acked-by: John Johansen <john.johansen@canonical.com>
2017-12-22 19:20:07 +00:00
John Johansen
bcfb735b9a
Merge branch 'cboltz-xauth' into 'master'
abstractions/X: add another location for .Xauthority
See merge request apparmor/apparmor!39
Acked-by: John Johansen <john.johansen@canonical.com>
2017-12-22 19:00:36 +00:00
Christian Boltz
06928db1ce
Update /usr/lib/dovecot/* profiles
- dict needs abstractions/openssl (seen with dovecot 2.2.31 since
using openssl 1.1)
- imap needs to write tempfiles (seen with dovecot 2.2.31)
- managesieve-login needs access to the login-master-notify socket
(seen with dovecot 2.2.33)
- pop3-login needs access to the anvil socket (reported by pfak on
IRC some months ago)
2017-12-18 17:00:35 +01:00
Christian Boltz
6713f9d94a
Merge branch 'fix-pulse-config' into 'master'
Fix local pulseaudio config file access
See merge request apparmor/apparmor!38
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
2017-12-17 16:19:42 +00:00
Christian Boltz
bb96e38a90
abstractions/X: add another location for .Xauthority
With the latest sddm, .Xauthority is now located at
@{HOME}/.local/share/sddm/.Xauthority
2017-12-17 15:38:26 +01:00
Vincas Dargis
f73627cbb5
Fix local pulseaudio config file access
Add rules to allow reading .conf files from $HOME/.config/pulse
and $HOME/.config/pulse/client.conf.d directories.
2017-12-17 15:56:21 +02:00
Vincas Dargis
9f24650ef9
Fix signal sending for usr.sbin.dovecot
Add signal rules to allow dovecot master daemon to send signals
to various child daemons (for reloading/restarting).
2017-12-15 18:17:48 +02:00
John Johansen
a5e5185e15
Merge branch 'cboltz-useradd' into 'master'
useradd profile: allow audit_write and running pam_tally2
See merge request apparmor/apparmor!24
Acked-by: John Johansen <john.johansen@canonical.com>
2017-12-12 22:38:24 +00:00
Vincas Dargis
7546413b43
Update abstraction for new Thunderbird executable path
* Add -bin suffix to reach new Thunderbird executable.
2017-12-07 16:41:10 +00:00
Jamie Strandboge
c4a5e1d554
abstractions/fonts: also allow owner read on ~/.local/share/fonts
The fonts abstraction had owner rules for ~/.fonts, but the current
standard location[1][2] in XDG_DATA_HOME was missing.
[1]https://cgit.freedesktop.org/fontconfig/commit/?id=8c255fb1
[2]https://lists.freedesktop.org/archives/fontconfig/2014-July/005270.html
2017-12-05 15:49:55 -06:00
Christian Boltz
13b1c7a5f6
useradd profile: allow audit_write and running pam_tally2
Both seen on openSUSE Leap 42.2
2017-12-04 11:06:09 +01:00
Steve Beattie
ca983811fb
dovecot: allow capability dac_read_search
Merge branch 'cboltz-dovecot-caps' into 'master'
See merge request
https://gitlab.com/apparmor/apparmor/merge_requests/16
2017-12-01 20:40:29 +00:00
Steve Beattie
2aabf0c0f0
Update Java abstraction for version 8 and 9
Merge branch 'update-java' into 'master'
I have discovered denies on Debian Sid by Thunderbird being unable to load the IcedTea plugin upon profile creation (can be reproduced by deleting/moving the `$HOME/.thunderbird` directory).
Additionally, profile was tested with (modified) `usr.lib.firefox.firefox` and made it run some random IcedTea applet successfully [0].
There are still denies for `/usr/bin/logger`, but I left this for later patches.
Please note that the path to the Java 9 binary is different from that of previous versions.
Relevant DENIED messages:
```
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1511099962.556:810): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=296bc8 a2=5 a3=802 items=0 ppid=1541 pid=5186 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key=(null)
type=PROCTITLE msg=audit(1511099962.556:810): proctitle="/usr/lib/thunderbird/thunderbird"
```
```
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1018): arch=c000003e syscall=2 success=no exit=-13 a0=7f3638000cb0 a1=0 a2=1b6 a3=7f36ae502620 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1018): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
```
type=AVC msg=audit(1511100105.471:1019): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1019): arch=c000003e syscall=2 success=no exit=-13 a0=7f36a822bdc0 a1=0 a2=1b6 a3=10002ae08 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1019): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
```
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100221.153:1132): arch=c000003e syscall=2 success=no exit=-13 a0=7f20e025e280 a1=241 a2=1b6 a3=10002ae08 items=0 ppid=6405 pid=6414 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100221.153:1132): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
[0] https://centra.tecnico.ulisboa.pt/~amaro/Spline3D.html
See merge request https://gitlab.com/apparmor/apparmor/merge_requests/13/
2017-11-29 23:41:42 +00:00
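The DENIED records quoted in the merge request above are the raw material for the file rules the Java abstraction update adds. The following is an added example, not code from the AppArmor project or from the merge request: a small Python parser that turns such AVC records into candidate file rules, grouped per profile, the way a reviewer sketches them before handing the log to aa-logprof. Two details are this example's own heuristics and not something the project prescribes: the `owner` prefix is applied when the denied object is owned by the uid the process runs as (`fsuid == ouid`), and the per-user `/run/user/<uid>/` prefix is generalised to `/run/user/*/`. Exec denials are deliberately skipped, because the log cannot tell you which transition mode (ix, Px, Cx, ...) the rule should carry. The AVC sample lines are copied from the merge request text; the SYSCALL line is kept to show that non-AVC records are ignored.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules.

Added example, not part of AppArmor's own tools (aa-logprof does a far more
complete job). The "owner" and /run/user/* generalisations are heuristics
chosen for this example, not project policy.
"""
import re
from collections import defaultdict

# key=value pairs, quoted or bare, as written into the audit log.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RUNTIME_DIR = re.compile(r"^/run/user/\d+/")
# Log-mask letters with no rule letter of their own: create and delete are
# both covered by 'w' in a file rule.
MASK_TO_PERM = {"c": "w", "d": "w"}
PERM_ORDER = "rwamlkx"

# AVC records quoted in the merge request above; the SYSCALL record is
# included only to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1511099962.556:810): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=296bc8 a2=5 a3=802 items=0 ppid=1541 pid=5186 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key=(null)
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511100105.471:1019): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""


def parse_audit_line(line):
    """Split one audit record into a {key: value} dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def file_access(rec):
    """For a DENIED file record return (profile, rule target, perms) or None."""
    if rec.get("type") != "AVC" or rec.get("apparmor") != "DENIED":
        return None
    if "name" not in rec or "denied_mask" not in rec or "profile" not in rec:
        return None
    perms = {MASK_TO_PERM.get(ch, ch) for ch in rec["denied_mask"]}
    if "x" in perms:
        # An exec denial needs a transition mode (ix, Px, Cx, ...) that the
        # log cannot choose for us; leave it to the profile author.
        return None
    path = RUNTIME_DIR.sub("/run/user/*/", rec["name"])
    # Object owned by the uid the process runs as: restrict the rule with
    # "owner" so it does not also cover other users' files.
    owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
    return rec["profile"], owner + path, perms


def suggest_rules(audit_text):
    """Group rule suggestions by profile, merging masks for the same path."""
    merged = defaultdict(lambda: defaultdict(set))
    for line in audit_text.splitlines():
        hit = file_access(parse_audit_line(line))
        if hit:
            profile, target, perms = hit
            merged[profile][target] |= perms
    return {
        profile: sorted(
            f'{target} {"".join(p for p in PERM_ORDER if p in perms)},'
            for target, perms in targets.items()
        )
        for profile, targets in merged.items()
    }


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_AUDIT).items():
        print(f"# {profile}")
        for rule in rules:
            print("  " + rule)
```

The random directory component (`icedteaplugin-vincas-gHIeGy`) and the pid prefix in the file names are left untouched on purpose: whether to glob them is a judgement the profile author has to make, and a parser that silently widened them would be the wrong place to make it.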
Christian Boltz
4ef505a6e7
dovecot: allow capability dac_read_search
This is needed for /var/spool/postfix/private/ (postfix:root 700)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c9
2017-11-28 18:47:26 +01:00
Christian Boltz
6f6b3c57fb
allow dac_read_search and dac_override for dovecot/auth
This is needed for:
- /var/spool/postfix/private/ (postfix:root 700) -> dac_read_search
- /run/dovecot/auth-worker (dovecot:root 600) -> dac_override
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1069470
2017-11-26 16:38:06 +01:00
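The two dovecot commits above grant different capabilities for two objects the confined process cannot reach through plain mode bits: `dac_read_search` for the `postfix:root 700` directory and `dac_override` for the `dovecot:root 600` socket. The distinction matters for least privilege, since CAP_DAC_OVERRIDE also bypasses write and execute checks everywhere. The following is an added example, not AppArmor project code: a Python function that reproduces the order of checks in the kernel's `generic_permission()` (mode bits, then CAP_DAC_READ_SEARCH, then CAP_DAC_OVERRIDE) and reports the least capability that makes a given access succeed. The numeric uids and gids are constructed for the example and are not real system values.

```python
"""Which DAC capability does a confined process need for a given access?

Added example (not AppArmor project code). It mirrors the order of checks
in the Linux kernel's generic_permission(): plain mode bits first, then
CAP_DAC_READ_SEARCH, then CAP_DAC_OVERRIDE. All uids/gids below are
constructed for the example.
"""
import stat

READ, WRITE, EXEC = 4, 2, 1  # one rwx triplet, as laid out in st_mode


def _needed(want):
    """Map a string of 'r', 'w', 'x' to a 3-bit mask ('x' on a dir = search)."""
    return (READ if "r" in want else 0) | (WRITE if "w" in want else 0) | (EXEC if "x" in want else 0)


def dac_capability(mode, owner_uid, owner_gid, proc_uid, proc_gids, want):
    """Return None when plain DAC allows the access, otherwise the least
    capability that makes it succeed ('dac_read_search' or 'dac_override').
    Raises PermissionError when no capability helps.

    mode: full st_mode (file type + permission bits), e.g. stat.S_IFDIR | 0o700
    want: any combination of 'r', 'w', 'x'
    """
    is_dir = stat.S_ISDIR(mode)
    need = _needed(want)
    # Pick the triplet the way the kernel does: owner first, then a matching
    # group, then "other". A non-owner in the owning group never gets owner bits.
    if proc_uid == owner_uid:
        allowed = (mode >> 6) & 7
    elif owner_gid in proc_gids:
        allowed = (mode >> 3) & 7
    else:
        allowed = mode & 7
    if (need & ~allowed) == 0:
        return None
    # CAP_DAC_READ_SEARCH bypasses read on any file and read+search on any
    # directory. It never grants write, and never exec on a regular file.
    if is_dir and (need & WRITE) == 0:
        return "dac_read_search"
    if not is_dir and need == READ:
        return "dac_read_search"
    # CAP_DAC_OVERRIDE bypasses all three bits, except executing a regular
    # file that has no execute bit at all.
    if not is_dir and (need & EXEC) and (mode & 0o111) == 0:
        raise PermissionError("no capability allows exec of a file without any x bit")
    return "dac_override"


def apparmor_rule(cap):
    """Render the capability as a profile rule line (None when not needed)."""
    return None if cap is None else f"capability {cap},"


# Constructed ids: postfix = uid 1001, dovecot = uid 1002, and an auth
# worker running as uid 1003 with only its own group (not real values).
POSTFIX_PRIVATE = (stat.S_IFDIR | 0o700, 1001, 0)    # /var/spool/postfix/private/ postfix:root 700
AUTH_WORKER_SOCK = (stat.S_IFSOCK | 0o600, 1002, 0)  # /run/dovecot/auth-worker dovecot:root 600


def example_needs():
    """The two cases from the commit messages above, with the constructed ids:
    searching the postfix directory as dovecot, writing the socket as the worker."""
    search_private = dac_capability(*POSTFIX_PRIVATE, 1002, {1002}, "x")
    write_socket = dac_capability(*AUTH_WORKER_SOCK, 1003, {1003}, "w")
    return apparmor_rule(search_private), apparmor_rule(write_socket)


if __name__ == "__main__":
    print(example_needs())
```

Running it yields `capability dac_read_search,` for the directory search and `capability dac_override,` for the socket write, matching the two commits. The useful check when reviewing a profile is the reverse one: if a process only ever reads or traverses root-owned paths, `dac_override` is more than it needs, and the function above will say so.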
Vincas Dargis
d662c2be72
Update Java abstraction for version 8 and up
* Alter paths to allow Java version 8 and up.
* Add file rules to fix IcedTea browser plugin.
* Refactor to keep path consistency against parent and child profile,
reduce repetitive rules.
2017-11-25 16:04:24 +02:00