Debian sid's fonts-mathjax ships fonts in
/usr/share/javascript/mathjax/fonts, that are now used by default by
fontconfig-enabled software.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
At least on Debian, with recent versions of fontconfig-config
(>= 2.10), files in /etc/fonts/conf.d/ are symlinks pointing to
/usr/share/fontconfig/.
This was reported by Jakub Wilk <jwilk@debian.org> on Debian bug #714843.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
abstractions/ubuntu-browsers.d/ubuntu-integration.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Using --subdomainfs without an argument triggers a segfault. This was due
to the long option missing the "has_arg" flag.
Signed-off-by: Kees Cook <kees@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Add aa_getpeercon_raw() to the man page and adjust aa_getpeercon()
prototype to include the new mode parameter.
Also, explain the significance of ERANGE for aa_getpeercon_raw() and fix
a misspelling in the meaning of ERANGE.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The parameter names are slightly different in the two functions. Rename
buffer to buf and rename size to len to make the two function prototypes
look similar.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
functions
The functions that return the confinement information of a peer socket
connection should parse and return the mode like the task-based
functions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The getpeercon functions need to parse the mode from the confinement
string. This patch creates a function that aa_getpeercon_raw() and
aa_getprocattr_raw() can both use.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Return the total size of the security context on success
as documented.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Protect against bugs in AppArmor's getsockopt() LSM hook from sending
aa_getpeercon() into an infinite loop.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
file is larger than the feature buffer used for cache version comparison.
Ideally this would be dynamically allocated but for 2.8 just bumping the
buffer size is the quick fix.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
1) make sure that the xpra socket exists before trying to attach to it
2) make sure that the client has attached before we start the application
The fix for '1' solves a problem when the system is under load and the
one for '2' fixes a problem with firefox starting too soon and not
having system themes applied.
Exercising the 1 week rule. Seth Arnold commented on the added sleeps and I
adjusted one based on his comments and replied to the list that the other is
needed and that this improves the sandbox/xpra code but that there are
limitations with driving xpra.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Author: Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com>
Modifiy the libapparmor macro for python to use python-config if it
exists to determine what CPPFLAGS and LDFLAGS to use when building
the python swig libraries. Without this addition, python detection
fails on ubuntu 13.04. I've confirmed that with this patch applied,
the python libraries still build successfully on older releases as well
(as far back as ubuntu 11.10).
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Kees Cook <kees@ubuntu.com>
messages neglected to include the empty .err files in the testsute
directory, resulting in ERROR output. These files were included in the
patch submitted to the mail list. This commit adds them.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
= How it works =
There are basically two modes:
1. using an existing profile with --profile
2. dynamically generating a profile
For '1', aa-sandbox is just a wrapper around aa-exec.
For '2', aa-sandbox leverages easyprof and allows you to specify policy
in a limited way on the command line. It then loads the policy into the
kernel as a profile (ie, 'profile <foo> { ... }') so it doesn't get in
the way of existing profiles. It currently calls apparmor_parser via
sudo or pkexec. Once the profile is loaded, aa-exec the application
under the profile.
When -X is specified, the application is launched inside its own X
server using either xpra (the default, which uses Xvfb), xephyr and
xpra3d (xpra, but using Xorg with the xdummy[1] driver for now[2].
xpra3d doesn't currently perform well, but works ok with newer Gnome
applications that now require GLX). When using '-X', it:
- adds an explicit deny rule for ~/.Xauthority
- generates a dynamic Xauthority file for the session in
~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds an allow rule for ~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds checks for xhost being properly setup
- honors the --with-xauthority option which can be used with --profile
With the above, the :0.0 display should no longer be accessible. Eg:
$ ./aa-sandbox -t ~/sandbox-xterm -X /usr/bin/xterm
$ XAUTHORITY=~/.Xauthority DISPLAY=:0.0 xinput
No protocol specified
Unable to connect to X server
This requires a specifically configured xauth/xhost setup, which is less common
on modern distributions. The man page details how to get this setup.
= Trying it out =
Apply the patch, then:
$ cd ./utils
# cli
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates --read-path=/proc/ /usr/bin/uptime
# 2d only
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/gedit
# 2d alternate (xephyr)
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/gedit
# 3d
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/glxgears
# With an existing profile:
$ ./aa-sandbox --profile=/usr/bin/evolution -X --with-xserver=xpra3d /usr/bin/evolution
= The Patch =
The patch itself is pretty self contained:
utils/aa-easyprof:
- adjusted to import optparse
utils/easyprof/templates/sandbox*
- add two new templates to easyprof
utils/apparmor/easyprof.py:
- use 'profile <foo>' if '<foo>' is not an absolute path
- adjust parser handling so we can reuse it
utils/aa-sandbox:
- small script to drive utils/apparmor/sandbox.py
utils/apparmor/common.py:
- the start of our python library. aa-easyprof would eventually use
this (along with the various rewrites), but for now, only the
sandboxing uses it.
utils/apparmor/sandbox.py:
- the sandboxing code itself. Of particular note is the use of classing
to support different X servers
utils/aa-sandbox.pod:
- the corresponding man page
= Improvements =
* don't use sudo
* make pulseaudio in xpra opt-in (currently it is off)
* take advantage of upstream's 3D patches when they stabilize
* investigate how applications can work with the Unity global menu
* surely lots more
[1]http://xpra.org/Xdummy.html
[2]http://xpra.org/trac/ticket/147
abstractions/mysql contains
/var/lib/mysql/mysql.sock rw,
/usr/share/mysql/charsets/ r,
/usr/share/mysql/charsets/*.xml r,
but the files moved (at least on openSUSE) to
/usr/share/mysql-community-server/charsets/*.xml
/var/run/mysql/mysql.sock
This causes denials for all applications using MySQL on 12.2 and
Factory.
MariaDB has the *.xml files in
/usr/share/mariadb/charsets/*.xml
and also seems to use /var/run/mysql/ for the socket.
Since MariaDB is basically a drop-in replacement for MySQL, it makes
sense to allow access to it via abstractions/mysql.
References: https://bugzilla.novell.com/show_bug.cgi?id=798183
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The libimmunix library is a historical artifact and has generated a
deprecation warning when used to syslog for over 4 years. This patch
removes it entirely from the libapparmor tree.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
I was testing out a profile for pulseaudio and hit an issue where my
pulseaudio process was getting the firefox profile applied to it. This
is because in abstractions/ubuntu-browsers.d/multimedia the rule for
pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it
to Pixr, so as to use a global pulseaudio policy if it exists.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
time formats.
currently the only supported format is
<Month> ## hh:mm:ss
extend this to
<Month> ## hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-dd hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-ddThh:mm:ss(.ms)?((+|-)timezone)?
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
From: Simon Deziel <simon.deziel@gmail.com>
A fair number of the rules that apply to files in @{HOME} predate the
existence of the 'owner' qualifier. This patch adds the 'owner'
qualifier in several places.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
