openSUSE uses "php7" (not just "php") in several paths, so also allow that.
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
This should solve the "overlapping rules with conflicting 'x'
modifiers" problem (introduced with r3594) entirely.
The other options I could think of were:
* ix → Pix, adjust all profiles that do 'ix' accordingly, and leave
alone those that do Pix already; downsides: requires updating quite
a few profiles all around the place, and breaks a mere "file," rule;
* ix → Pix, adjust all profiles that do 'ix' accordingly, and change
the "file," rule semantics to imply Pix; downside: very intrusive,
and likely to break random existing policy in ways that are hard
to predict;
* stick to ix, and adjust all profiles that do anything else with
overlapping rules, to do ix instead; downside: in some cases this means
removing the 'P' modifier, which can cause regressions in how we confine
stuff.
I've looked up in the bzr history to understand why execution rights
would be needed, and… the answer predates the move to bzr.
Looking into the SVN history, if it's even available anywhere, is
a bit too much for me, so I've tested this change and the few
applications I've tried did not complain. Of course, more testing will
be needed.
Having consistent x modifiers in this abstraction is needed
to allow profiles including abstractions/base to apply x rules
overlapping with several of the rules from the base abstraction.
E.g. one may need to have rules applying to /**, for example because
a mere "file," conflicts with the ix→Pix change I did in r3596.
On servers with not too much memory ("only" 16 GB), dovecot logins fail:
Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)
audit.log messages are:
... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24 capname="sys_resource"
... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456
After allowing capability sys_resource, dovecot can increase the limit
and works again.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
The latest glibc (including nscd) in openSUSE Tumbleweed comes with
glibc-2.3.3-nscd-db-path.diff: Move persistent nscd databases to
/var/lib/nscd
This needs updates (adding /var/lib/nscd/) to abstractions/nameservice
and the nscd profile.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
nmbd, winbindd (and most probably also smbd - but it has a more
permissive profile that already allows this) need rw access to
/var/cache/samba/lck/* on Debian 8.6.
Reported by FLD on IRC.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
A while ago, support for "network unspec" was added. However, nobody
updated the ntpd profile (at least not the profile in upstream bzr)
which was the main reason for adding "unspec".
References: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1546455
(the original bugreport about "unspec")
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1009964
(about the ntpd profile)
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
Newer kernels need m permissions for the binary the profile covers,
so add it before someone hits this problem in the wild ;-)
Also add a note that the mlmmj-recieve profile is probably superfluous
because upstream renamed the misspelled binary.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
This patch updates the mlmmj profiles in the extras directory to the
profiles that are used on lists.opensuse.org now. Besides adding lots
of trailing slashes for directories, several permissions were added.
Also, usr.bin.mlmmj-receive gets added - it seems upstream renamed
mlmmj-recieve to fix a typo.
These profiles were provided by Per Jessen.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1000201
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Besides dnsmasq.leases, dnsmasq.pid needs to be written. Also read
access for some files is needed (currently dnsmasq.raw and
dnsmasq.hosts - using dnsmasq.* makes this more future-proof when
more files get added)
References: https://bugs.launchpad.net/apparmor/+bug/1634199 (again)
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/1403468
These files are needed for disk-based buffering (added in syslog-ng 3.8).
This was reported to me by Peter Czanik, one of the syslog-ng developers.
Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now
I prefer not to do it - adding it later is easy, but finding out if it
could be removed is hard ;-)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
- dovecot/auth: allow to read stats-user
- dovecot/config: allow to read /usr/share/dovecot/**
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
/usr/share/dovecot/**
These things were reported by Félix Sipma in Debian Bug#835826
(with some help from sarnold on IRC)
References: https://bugs.debian.org/835826
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Also allow reading ~/.dovecot.svbin (that's the default filename in the
dovecot config) in dovecot/lmtp profile.
(*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
that's already covered by the existing rules.)
References: https://bugs.debian.org/835826 (again)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
In 2011 (r1803), the traceroute profile was changed to also match
/usr/bin/traceroute.db:
/usr/{sbin/traceroute,bin/traceroute.db} {
However, permissions for /usr/bin/traceroute.db were never added.
This patch fixes this.
While on it, also change the /usr/sbin/traceroute permissions from
rmix to the less confusing mrix.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
This is the least invasive solution to the problem I'm trying to solve
right now (Evince not starting in GNOME on Wayland, and probably
similar issues for other GNOME applications I suppose).
At some point, we will probably want to source the wayland abstraction
from other desktop environments' abstractions, or simply from the
X one. Let's come back to it once people using these other desktop
environments on Wayland with AppArmor enabled tell us what policy
change is needed to make it work for them.
In Debian, gnome-session (3.20.1-2)'s changelog reads:
If /etc/gnome/defaults.list was modified by the system administrator,
the file is moved to /etc/xdg/gnome-mimeapps.list during the upgrade.
So we want to at least support /etc/xdg/gnome-mimeapps.list. And while
we're at it, let's support *-mimeapps.list instead of just gnome-mimeapps.list,
in case other desktop environments or derivatives need such customizations.
This is needed to delete kerberos ccache files, for details see
https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.
https://launchpad.net/bugs/1604872
dbus-user-session uses the file based Unix socket in $XDG_RUNTIME_DIR/bus.
Extend the dbus-session-strict abstraction to also allow that.
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This is needed for winbindd (since samba 4.4.x), but smbd could also need it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=990006
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Date: Tue, 21 Jun 2016 18:18:45 +0100
Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf
Follow the same logic we already did for NetworkManager,
resolvconf and systemd-resolved. The wonderful thing about
standards is that there are so many to choose from.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
An abstraction to allow mozc clients to connect to the mozc-server.
Signed-off-by: Jamie Strandboge <jamie@ubuntu.com>
[tyhicks: Wrote commit message]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Create a set of strict and non-strict abstractions, much like the
existing dbus abstractions, for connecting to the fcitx bus.
Signed-off-by: Jamie Strandboge <jamie@ubuntu.com>
[tyhicks: Wrote commit message]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The latest iputils merged ping and ping6 into a single binary that does
both IPv4 and IPv6 pings (by default, it really does both).
This means we need to allow network inet6 raw in the ping profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596
(contains more details and example output)
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 4 May 2016 13:48:36 +0100
Subject: dbus-session-strict: allow access to the user bus socket
If dbus is configured with --enable-user-bus (for example in the
dbus-user-session package in Debian and its derivatives), and the user
session is started with systemd, then the "dbus-daemon --session" will be
started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly,
on systems where dbus-daemon has been replaced with kdbus, the
bridge/proxy used to provide compatibility with the traditional D-Bus
protocol listens on that same socket.
In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems,
where $uid represents the numeric uid. I have not used /{var/,}run here,
because systemd does not support configurations where /var/run and /run
are distinct; in practice, /var/run is a symbolic link.
Based on a patch by Sjoerd Simons, which originally used the historical
path /run/user/*/dbus/user_bus_socket. That path was popularized by the
user-session-units git repository, but has never been used in a released
version of dbus and should be considered unsupported.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Matthew Dawson explained why:
> sshd doesn't actually require the net_admin capability. libpam-systemd tries
> to use it if available to set the send/receive buffers size, but will fall
> back to a non-privileged version if it fails.
https://lists.ubuntu.com/archives/apparmor/2016-April/009586.html
