From: Kshitij Gupta <kgupta8592@gmail.com>
This patch removes rules covered by abstractions in nscd profile:
- the network rules are in abstractions/nameservice
- @{PROC}/filesystems is in abstractions/base
- /{,var/}run/avahi-daemon/socket is in abstractions/nameservice
- /tmp/.winbindd/pipe and /var/lib/samba/winbindd_privileged/pipe are
in abstractions/winbind via abstractions/nameservice
Acked-by: Steve Beattie <steve@nxnw.org>
covered by abstractions:
- the network rules are in abstractions/nameservice
- /etc/gai.conf is also in abstractions/nameservice
- @{PROC}/sys/kernel/ngroups_max is in abstractions/base
Acked-by: Steve Beattie <steve@nxnw.org>
Patch-Author: Stefan Seyfried <seife+obs@b1-systems.com>
After this change in ntp:
* Mo Aug 19 2013 crrodriguez@opensuse.org
- Build with -DOPENSSL_LOAD_CONF , ntp must respect and use
the system's openssl configuration.
we need to read openssl.cnf or starting of ntpd will fail silently(!)
Patch v2 by Christian Boltz: use abstractions/openssl instead of
allowing /etc/ssl/openssl.cnf directly
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
When dnsmasq is started with the --enable-dbus option, it uses the
system bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Debian sid's fonts-mathjax ships fonts in
/usr/share/javascript/mathjax/fonts, that are now used by default by
fontconfig-enabled software.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
At least on Debian, with recent versions of fontconfig-config
(>= 2.10), files in /etc/fonts/conf.d/ are symlinks pointing to
/usr/share/fontconfig/.
This was reported by Jakub Wilk <jwilk@debian.org> on Debian bug #714843.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
abstractions/ubuntu-browsers.d/ubuntu-integration.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
abstractions/mysql contains
/var/lib/mysql/mysql.sock rw,
/usr/share/mysql/charsets/ r,
/usr/share/mysql/charsets/*.xml r,
but the files moved (at least on openSUSE) to
/usr/share/mysql-community-server/charsets/*.xml
/var/run/mysql/mysql.sock
This causes denials for all applications using MySQL on 12.2 and
Factory.
MariaDB has the *.xml files in
/usr/share/mariadb/charsets/*.xml
and also seems to use /var/run/mysql/ for the socket.
Since MariaDB is basically a drop-in replacement for MySQL, it makes
sense to allow access to it via abstractions/mysql.
References: https://bugzilla.novell.com/show_bug.cgi?id=798183
Acked-by: Seth Arnold <seth.arnold@canonical.com>
I was testing out a profile for pulseaudio and hit an issue where my
pulseaudio process was getting the firefox profile applied to it. This
is because in abstractions/ubuntu-browsers.d/multimedia the rule for
pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it
to Pixr, so as to use a global pulseaudio policy if it exists.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
From: Simon Deziel <simon.deziel@gmail.com>
A fair number of the rules that apply to files in @{HOME} predate the
existence of the 'owner' qualifier. This patch adds the 'owner'
qualifier in several places.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
This patch adds the kernelvars tunable to the global set that is usually
included by default in apparmor policies. It then converts the rules
that are intended to match /proc/pid to use this tunable.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
This patch finishes the conversion from /proc to the @{PROC}
tunable within profiles and abstractions. It also adjusts some of
the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict
things to just the /proc/pid directories. (A followup patch will
convert these to use @{pid} from the kernelvars tunable.)
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
In testing the skype profile, I found access to my @{HOME}/.XCompose
was being rejected. This patch updates the X abstraction to take a
user's defined XCompose key shortcuts into account.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
The apparmor_api abstractions make the mistake of including tunables
directly, which is a no-no since the variable definitions in tunables
need to occur in the preamble of a profile, not embedded within it.
This patch removes those includes, and replaces them documentation of
tunables are necessary, as some of the expected ones are not part of
tunables/global.
It also adjust the kernelvars tunable's definition of the @{pid}
regex, as the current parser does not support nesting of {} groupings,
which breaks any profile that attempts to use the tunable.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
This patch modifies the nvidia abstraction to add the livdpau wrapper
config file for nvidia workarounds. It also converts the /proc/
rules to use the @{PROC} tunable. And finally, it converts the
ubuntu-browsers.d/multimedia abstraction to use the nvidia abstraction.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
I added this profile to the openSUSE apparmor-profiles package in Feb 2012.
Until now I didn't receive any bugreports so I'd say it's complete ;-)
References: https://bugzilla.novell.com/show_bug.cgi?id=748499
Acked-By: jdstrand (on IRC)
/usr/share/poppler/cMap/**. These files are included in the poppler-data
package on Ubuntu, and their 'r' denials create quite a bit of noise.
Apparently they are needed to display PDF documents containing CJK
characters with libpoppler. I added it to the gnome abstraction because
several applications not linked against poppler are consulting this
data.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Description: ubuntu-integration does not work properly with exo-open
Bug-Ubuntu: https://launchpad.net/bugs/987578
Acked-By: Jamie Strandboge <jamie@canonical.com>
the chromium and chrome sandboxes are setuid root, they only link in limited
libraries so glibc's secure execution should be enough to not require the
santized_helper (ie, LD_PRELOAD will only use standard system paths (man
ld.so)). Also allow some paths in /opt for Chrome.
Ubuntu-Bug: https://launchpad.net/bugs/964510
Acked-By: Jamie Strandboge <jamie@canonical.com>
sanitized_helper. For now this only allows software-center scripts in
/usr/share, but we may need to increase what is allowed in /usr/share if more
things are denied when they shouldn't be.
Ubuntu-Bug: https://launchpad.net/bugs/972367
Acked-By: Jamie Strandboge <jamie@canonical.com>
