As Simon McVittie wrote, "if a specification or library creates extra caches, or
has .desktop files in a subdirectory, or anything like that, then I don't see
why we wouldn't want to allow reading those too".
As Simon McVittie <smcv@collabora.com> wrote on
https://bugs.debian.org/865206 and on the AppArmor mailing list:
"Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app.
The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism.".
Bug-Debian: https://bugs.debian.org/865206
'case OPTION_OFILE' missed the 'break', which means if did fallthrough
to the default case.
Adding the 'break' means no longer executing another PERROR, and no
longer executing the 'exit(1)' in the default branch.
References: coverity #55994
Add kernel patches that will NEVER be sent upstream. These provide abi
compatibility with the v2.x network and af_unix rules.
The 4.17 network mediation pull request deliberately broke abi
compatibility with the v2.x rules, and these are provided so that
distros who shipped the v2.x compatible patches can provide new
kernels on older releases that require v2.x network support.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Note that NO_FLAGS was an inverse option, therefore
- NO_FLAGS was changed to FLAGS (also in sync_profile() which is the
only caller that sets FLAGS)
- the default for include_flags (if FLAGS is not set) is True
Add mesa abstraction to allow writing to the Mesa-specific cache
locations and listing devices. Abstraction is needed for applications
utilizing OpenGL API with Mesa implementation available on the system.
parse_profile_start(): Error out on nested child profiles
See merge request apparmor/apparmor!136
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
use serialize_profile() for the new profile in (V)iew Changes
See merge request apparmor/apparmor!131
Acked-by: John Johansen <john.johansen@canonical.com>
The tools can't handle nested child profiles yet. Instead of failing
in funny[tm] ways (parse_profile_start() only returned the first two
segments of the profile name) better error out with a clear message.
The initial apparmor.service assumed the profile cache is in
/var/lib/apparmor/ which was an openSUSE-specific path that was chosen
for historical reasons, but was far from perfect.
In the meantime, the profile cache moved to /var/cache/apparmor/ and the
read-only/packaged version was added in /usr/share/apparmor/cache/
This commit adjusts apparmor.service to use these paths.
These tests verify that
- _is_equal_aare() really raises an exception when it sees an invalid
combination of other_value and other_all
- BaseRuleset.__repr__() works as expected
As a side effect, this commit pushes the test coverage of
apparmor/rule/__init__.py to 100% ;-)
... which is unused since the last commit.
Also delete several functions that were only used by this function:
- write_change_profile()
- write_rlimits()
- write_capabilities()
- write_netdomain()
- write_dbus()
- write_signal()
- write_ptrace()
- write_file()
Finally, no longer import some functions from profile_storage:
- write_links
- write_mount
- write_pivot_root
- write_unix
BTW: Deleting these 460 lines improves test coverage of aa.py from
38% to 44%, and total test coverage from 63% to 66% :-)
- rename prof_data parameter to ref
- drop empty allow, prefix and tail, and their usage in the format
string
- inline sep into the format string
- replace usage of fn with the actual function name (var_transform)
