John Johansen
085e2fc1a4
Merge branch 'kde-settings' into 'master'
Update kde abstraction for common settings
See merge request apparmor/apparmor!162
Acked-by: John Johansen <john.johansen@canonical.com>
2018-08-08 05:33:00 +00:00
John Johansen
e76181c4d9
Merge branch 'cboltz-ssl-dehydrated' into 'master'
add dehydrated certificate location to ssl_* abstractions
See merge request apparmor/apparmor!161
Acked-by: John Johansen <john.johansen@canonical.com>
2018-08-08 05:31:39 +00:00
Vincas Dargis
4fe8ae97c4
Add recent-documents-write abstraction
Add abstraction for updating recent documents list.
2018-08-07 23:27:23 +03:00
Vincas Dargis
867442e962
Update kde abstraction for common settings
Add rules to allow reading common KDE-specific settings, used mostly by
native KDE file dialog.
2018-08-07 20:20:08 +03:00
John Johansen
4200932d8f
Merge branch 'binmerge' into 'master'
profiles: support distributions which merge sbin into bin
Closes #8
See merge request apparmor/apparmor!149
Acked-by: John Johansen <john.johansen@canonical.com>
2018-08-07 09:53:17 +00:00
John Johansen
bc4aa43d64
Merge branch 'cboltz-abstractions-opencl-pocl' into 'master'
Fix typo (double /) in opencl-pocl abstraction
See merge request apparmor/apparmor!158
Acked-by: John Johansen <john.johansen@canonical.com>
2018-08-07 09:16:56 +00:00
Christian Boltz
2e8b902248
add dehydrated certificate location to ssl_* abstractions
I don't use dehydrated myself, therefore this is based on the comments
on https://build.opensuse.org/request/show/533380
2018-08-06 23:15:06 +02:00
Christian Boltz
763a6787d8
Merge branch 'add-path-to-abstractions-python' into 'master'
Allow /usr/local/lib/python3/dist-packages in abstractions/python
See merge request apparmor/apparmor!160
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
2018-08-06 18:11:37 +00:00
segfault
6a10f07650
Allow /usr/local/lib/python3/dist-packages in abstractions/python
2018-08-06 19:53:16 +02:00
Christian Boltz
a054855433
Fix typo (double /) in opencl-pocl abstraction
2018-08-05 17:03:34 +02:00
Christian Boltz
b4c848c81e
Merge branch 'drg-mods-1' into 'master'
Various profile/abstraction updates
See merge request apparmor/apparmor!153
Acked-by: intrigeri <intrigeri@debian.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2018-08-02 17:17:30 +00:00
intrigeri
ddb256076b
Consistently point to the current (Launchpad) issue tracker.
2018-08-02 14:46:14 +00:00
intrigeri
2233818325
Merge branch 'drg-mods-3' into 'master'
Updated README to direct users to the GitLab issue tracker.
See merge request apparmor/apparmor!155
2018-08-02 04:20:59 +00:00
Daniel Richard G
cffaa7a035
Updated README with links to the GitLab AppArmor project.
2018-08-01 23:56:59 -04:00
Daniel Richard G
99e45b59d3
lsb_release: added permissions needed by openSUSE implementation.
2018-08-01 19:13:26 -04:00
Daniel Richard G
f73514052d
New profile: lsb_release (no attachment path)
This will allow removal of the lsb_release sub-profile from the
chromium, firefox and murmurd profiles, and consolidation of the rules
for /usr/bin/lsb_release in a single file.
2018-08-01 19:13:18 -04:00
Daniel Richard G
67728c4f91
usr.sbin.sshd: need write access to Kerberos ticket cache.
2018-08-01 17:39:30 -04:00
Daniel Richard G
0de3d5e14b
usr.sbin.lighttpd: minor updates, added Debian/Ubuntu integration.
The integration changes are taken from the patch at
apparmor-2.12/debian/patches/debian/add-debian-integration-to-lighttpd.patch
and are necessary so that lighttpd doesn't serve everything as
application/octet-stream.
2018-08-01 17:39:17 -04:00
Daniel Richard G
e43468c94a
usr.sbin.in.fingerd: needs lock access on /run/utmp.
2018-08-01 17:37:11 -04:00
Daniel Richard G
c047abcaf3
sbin.rpc.statd: updated so that it actually works.
2018-08-01 17:36:54 -04:00
Daniel Richard G
ac1d0545f4
ldapclient abstraction: allow rw access to the nslcd socket.
This addresses https://launchpad.net/bugs/1575438 and also the case of
applications accessing the socket directly (due to NSS config).
2018-07-30 22:49:24 -04:00
intrigeri
f30544f185
Merge branch 'flatpak-exports' into 'master'
abstractions/freedesktop.org: treat Flatpak exports the same way as bits shipped by the distro
See merge request apparmor/apparmor!71
2018-07-29 23:39:41 +00:00
intrigeri
aa3022208f
tunables/share: make variable values more readable by avoiding the use of too many alternations.
Thanks to Christian Boltz for the suggestion and the patch!
2018-07-29 01:31:39 +00:00
Dimitri John Ledkov
e99fa6c605
Patch usr.sbin.useradd to support usr-merge.
2018-07-27 17:05:00 +01:00
intrigeri
34dbe372c5
Rename @{usr_share} → @{system_share_dirs} and @{home_local_share} → @{user_share_dirs}.
Thanks a lot to Simon McVittie for the much better names suggestion.
2018-07-27 06:33:42 +00:00
intrigeri
51f2259c08
freedesktop.org abstraction: refactor (factorize) for consistency.
This change makes the @{home_local_share} rules similar to the
@{usr_share} ones.
2018-07-27 06:28:22 +00:00
intrigeri
aed447aca2
freedesktop.org abstraction: simplify by not attempting to guess the exhaustive list of files that can exist in {~/.local/share,/usr/share}/applications/.
As Simon McVittie wrote, "if a specification or library creates extra caches, or
has .desktop files in a subdirectory, or anything like that, then I don't see
why we wouldn't want to allow reading those too".
2018-07-27 06:26:57 +00:00
intrigeri
9d843b90fe
kde abstraction: drop redundant rules for icons access.
These rules are already in abstractions/freedesktop.org that's included
by the abstractions/kde.
2018-07-27 06:22:29 +00:00
intrigeri
0ba94f5a04
freedesktop.org abstraction: treat Flatpak exports the same way as bits shipped by the distro.
As Simon McVittie <smcv@collabora.com> wrote on
https://bugs.debian.org/865206 and on the AppArmor mailing list:
"Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app.
The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism.".
Bug-Debian: https://bugs.debian.org/865206
2018-07-27 06:22:22 +00:00
intrigeri
160f1027e4
freedesktop.org abstraction: DRY by factorizing duplicated path components with variables.
These alternations will need to grow quite a bit in order to support Flatpak
exports. Let's avoid repeating ourselves too much.
2018-07-27 06:21:40 +00:00
Cameron Nemo
9ab45d811e
profiles: support distributions which merge sbin into bin
Closes #8
2018-07-25 14:07:35 -07:00
intrigeri
59865e54c5
mesa abstraction: allow locking .cache/mesa_shader_cache/??/*.
At least Totem needs it on current Debian sid.
2018-07-24 07:21:51 +00:00
Simon Deziel
8684282a1b
usr.bin.wireshark: allow saving pcaps with optional gzip compression
2018-07-17 17:26:34 -04:00
Simon Deziel
b077fccaef
usr.bin.wireshark: allow creating QT compose cache
2018-07-17 17:15:15 -04:00
Simon Deziel
70a40566f5
usr.bin.wireshark: restrict hidden file creation under ~/.config/
2018-07-17 17:14:17 -04:00
Simon Deziel
fa30238293
usr.bin.dumpcap: drop useless/redundant rules
2018-07-17 17:12:44 -04:00
Simon Deziel
e0ba7a4609
usr.bin.wireshark: fix access to configuration profiles
2018-07-17 17:02:28 -04:00
Simon Deziel
bf8222a361
usr.bin.wireshark: add a comment for QtProject.conf rules
2018-07-17 06:15:51 -04:00
Simon Deziel
0e38f51aad
usr.bin.wireshark: mention that dri rules were backported from abstraction/dri-enumerate
2018-07-13 04:56:42 -04:00
Simon Deziel
5a8453fbe0
usr.bin.dumpcap: incorporate feedback from Talkless and cboltz
2018-07-12 05:13:55 -04:00
Simon Deziel
0c0a90be0b
usr.bin.wireshark: refresh for 18.04
2018-07-11 12:29:36 -04:00
Simon Deziel
b765dab52e
usr.bin.dumpcap: new profile
2018-07-11 12:29:12 -04:00
Christian Boltz
01f41fbff8
adjust abstractions/python for python 3.7
Python 3.7 was released yesterday - and to make the abstraction
future-proof, also cover 3.8 and 3.9 in advance ;-)
2018-06-28 13:34:08 +02:00
Vincas Dargis
a0c719df73
Add mesa abstraction
Add mesa abstraction to allow writing to the Mesa-specific cache
locations and listing devices. Abstraction is needed for applications
utilizing OpenGL API with Mesa implementation available on the system.
2018-06-23 17:07:05 +03:00
Christian Boltz
1185df3c65
fix path for apache2 stapling-cache
... to match the default apache settings
See also the discussion on the mailing list:
https://lists.ubuntu.com/archives/apparmor/2018-June/011688.html
2018-06-17 16:16:22 +02:00
Jamie Strandboge
0c7c34c6f1
Merge branch 'vulkan' into 'master'
Add Vulkan abstraction
See merge request apparmor/apparmor!126
2018-05-22 21:45:31 +00:00
Vincas Dargis
47520931be
Add Vulkan abstraction
Add abstraction for Vulkan API specific file paths.
2018-05-22 21:48:13 +03:00
Jamie Strandboge
c1431bc2de
Merge branch 'nvidia-app-profiles' into 'master'
Update nvidia for reading application profiles
See merge request apparmor/apparmor!125
2018-05-22 18:24:19 +00:00
Vincas Dargis
f2e0fdc72b
Update nvidia for reading application profiles
Add file rule to allow reading application profiles for NVIDIA
Linux graphics driver.
2018-05-22 20:43:56 +03:00
Vincas Dargis
8237d6e776
Add OpenCL abstractions
2018-05-13 20:14:15 +00:00