mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-06 09:21:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
4477 commits 23 branches 109 tags 32 MiB
Commit graph

727 commits

Author SHA1 Message Date
Simon Deziel
5a8453fbe0 usr.bin.dumpcap: incorporate feedback from Talkless an cboltz 2018-07-12 05:13:55 -04:00
Simon Deziel
0c0a90be0b usr.bin.wireshark: refresh for 18.04 2018-07-11 12:29:36 -04:00
Simon Deziel
b765dab52e usr.bin.dumpcap: new profile 2018-07-11 12:29:12 -04:00
Christian Boltz
01f41fbff8
adjust abstractions/python for python 3.7 
Python 3.7 was released yesterday - and to make the abstraction
future-proof, also cover 3.8 and 3.9 in advance ;-)
 2018-06-28 13:34:08 +02:00
Vincas Dargis
a0c719df73 Add mesa abstraction 
Add mesa abstraction to allow writing to the Mesa-specific cache
locations and listing devices. Abstraction is needed for applications
utilizing OpenGL API with Mesa implementation available on the system.
 2018-06-23 17:07:05 +03:00
Christian Boltz
1185df3c65
fix path for apache2 stapling-cache 
... to match the default apache settings

See also the discussion on the mailinglist:
https://lists.ubuntu.com/archives/apparmor/2018-June/011688.html
 2018-06-17 16:16:22 +02:00
Jamie Strandboge
0c7c34c6f1 Merge branch 'vulkan' into 'master' 
Add Vulkan abstraction

See merge request apparmor/apparmor!126
 2018-05-22 21:45:31 +00:00
Vincas Dargis
47520931be Add Vulkan abstraction 
Add abstraction for Vulkan API specific file paths.
 2018-05-22 21:48:13 +03:00
Jamie Strandboge
c1431bc2de Merge branch 'nvidia-app-profiles' into 'master' 
Update nvidia for reading application profiles

See merge request apparmor/apparmor!125
 2018-05-22 18:24:19 +00:00
Vincas Dargis
f2e0fdc72b Update nvidia for reading application profiles 
Add file rule to allow reading application profiles for NVIDIA
Linux graphics driver.
 2018-05-22 20:43:56 +03:00
Vincas Dargis
8237d6e776 Add OpenCL abstractions 2018-05-13 20:14:15 +00:00
Christian Boltz
23b5f29b80
Update samba profiles 
- allow smbd to load new shared libraries
- allow winbindd to read and write new kerberos cache location

Based on a patch by "Samuel Cabrero" <scabrero@suse.com>

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1092099
 2018-05-09 21:00:30 +02:00
Jamie Strandboge
7bd3029f25 Merge branch 'update-fonts' into 'master' 
Update fonts for Debian and openSUSE

See merge request apparmor/apparmor!96
 2018-04-30 10:03:22 +00:00
Christian Boltz
3009b22aec Merge branch 'qt5' into 'master' 
Add qt5 abstraction

See merge request apparmor/apparmor!99

Acked-by: Christian Boltz <apparmor@cboltz.de>
 2018-04-18 22:18:30 +00:00
Vincas Dargis
b902d2505d Update fonts for Debian and openSUSE 
* Allow to read conf-avail dir itself.
* Add various openSUSE-specific font config directories.
 2018-04-18 19:16:29 +03:00
Vincas Dargis
6a85ffe00e Add qt5 abstraction 
Create abtractions/qt5 with common rules needed for Qt5-based
applications.
 2018-04-18 19:12:28 +03:00
Christian Boltz
64c196a487
Merge branch 'Talkless/apparmor-nvidia-update' 
See https://gitlab.com/apparmor/apparmor/merge_requests/92

Acked-by: John Johansen <john.johansen@canonical.com>
 2018-04-14 23:38:29 +02:00
Christian Boltz
a7ffae4396 mlmmj-send-profile: allow reading digesters.d/* 
Reported by Per Jessen by mail
 2018-04-14 21:25:09 +00:00
Christian Boltz
c4e607199c
dovecot/config: allow dac_read_search and reading ssl-parameters.dat 
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c12
 2018-04-14 22:53:40 +02:00
Christian Boltz
26a8b72225 allow dovecot/auth to write /run/dovecot/old-stats-user 
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
            (3rd bullet point)
 2018-04-13 13:55:05 +00:00
Christian Boltz
36bdd6ea70 add dovecot/stats profile, and allow dovecot to run it 
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1088161
 2018-04-13 13:55:05 +00:00
Vincas Dargis
0d0a196077 Allow nvidia abstraction to read memory block size 
Fix DENIED message detected with NVIDIA 390.48 drivers.
 2018-04-12 20:36:56 +03:00
Vincas Dargis
0c2690d819 Fix ubuntu-browsers for 64bit openSUSE 
On 64 bit openSUSE system, Chromium and Firefox browsers are installed in
/usr/lib64/ directory.
 2018-04-01 16:48:13 +03:00
Christian Boltz
208933829f Fix $(PWD) when using "make -C profiles" 
By default, it stays at the "calling directory" instead of the directory
of the Makefile, which breaks "make -C profiles check".
Explicitely set it in the Makefile to get the right directory.
 2018-03-18 18:09:04 +00:00
intrigeri
22e94633c3 dnsmasq profile: allow chown capability. 
dnsmasq on Debian sid now chown's its PID file.

Bug-Debian: https://bugs.debian.org/889806
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2018-03-05 23:51:23 -08:00
Christian Boltz
8ef7b59454
mlmmj-sub: fix moderated subscription 
/var/spool/mlmmj/*/moderation/subscribe* rw, is needed for lists with
moderated subscription

References: http://bugzilla.opensuse.org/show_bug.cgi?id=1082230
 2018-02-22 22:57:51 +01:00
Vincas Dargis
11e7dab95e Allow to create .nv directory 
Update nvidia abstraction to allow creating NVIDIA-specific user directories in
case it is missing (due to fresh $HOME or if manually removed for any reason).
 2018-02-16 16:54:32 +02:00
Christian Boltz
e88af93322 Merge branch 'update-base-abstraction' into 'master' 
Update base abstraction for ld.so.conf and friends.

See merge request apparmor/apparmor!62

Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
 2018-02-15 20:14:38 +00:00
Vincas Dargis
b0456adbd8 Add dri-enumerate abstraction 
Create new dri-enumerate abstraction with rules needed for some GUI applications
allowing to get GPU device information.
 2018-02-04 16:01:27 +02:00
Vincas Dargis
8dd517f6dd Move DRI-specific rules into it's own abstraction 
Add new dri-common abstraction to contain basic DRI-specific rules.

This refactoring is based on a decision to have set of dri-* abstractions for
fine grained control on case-by-case basis. While dri-common is included in X
abstraction by default, additional DRI-related abstractions can be introduced
(such as for enumerating graphics devices) while keeping them logically together
with same dri- prefix.
 2018-02-04 14:21:16 +02:00
Vincas Dargis
6d22c871bf Update base abstraction for ld.so.conf and friends. 
Fix denies for latest Thunderbird and Firefox on Debian Sid due to
missing access to /etc/ld.so.conf and /etc/ld.so.conf.d/*.
 2018-01-26 19:55:31 +02:00
Christian Boltz
85f8cace12 Merge branch 'cboltz-ntpd' into 'master' 
allow access to ntp clockstats

See merge request apparmor/apparmor!54
 2018-01-23 23:02:16 +00:00
Rene Engelhard
8fc3dcb312 abstractions/gnupg: allow pubring.kbx 2018-01-20 23:54:08 +01:00
John Johansen
62dbd29656 Merge branch 'dovecot-lda-protocols' into 'master' 
Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/

See merge request apparmor/apparmor!57

Acked-by: John Johansen <john.johansen@canonical.com>
 2018-01-20 08:18:07 +00:00
intrigeri
1b51dac4c9 Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/. 
On current Debian sid it needs to read
/usr/share/dovecot/protocols.d/imapd.protocol, which is not surprising given it
already needed read access to /usr/share/dovecot/protocols.d/.
 2018-01-20 06:25:25 +00:00
Christian Boltz
1541175c36
dovecot/lmtp: allow dac_read_search 
Fixes https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887591
 2018-01-18 18:15:43 +01:00
Christian Boltz
1b58f226ce
allow access to ntp clockstats 
References: http://bugzilla.opensuse.org/show_bug.cgi?id=1076247
 2018-01-16 21:15:41 +01:00
John Johansen
e55583ff27 profile: fix syslog-ng startup for some configurations 
buglink: https://bugs.launchpad.net/bugs/1739909

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2017-12-24 00:13:58 -08:00
John Johansen
a3693f56f3 Merge branch 'cboltz-netstat' into 'master' 
netstat: allow capability sys_ptrace,

See merge request apparmor/apparmor!46
 2017-12-22 20:50:11 +00:00
Christian Boltz
81ca52d948
netstat: allow capability sys_ptrace, 
Denying it means netstat -p (actually tested with -tulpen) can't find
out the program name.

sys_ptrace is "only" needed for tracing processes that run under a
different uid.

Also add  ptrace (read),  for systems that support ptrace rules.
 2017-12-22 21:43:54 +01:00
John Johansen
f8b208ee80 Merge branch 'cboltz-dovecot' into 'master' 
Update /usr/lib/dovecot/* profiles

See merge request apparmor/apparmor!42

Acked-by: John Johansen <john.johansen@canonical.com>
 2017-12-22 19:20:07 +00:00
John Johansen
bcfb735b9a Merge branch 'cboltz-xauth' into 'master' 
abstractions/X: add another location for .Xauthority

See merge request apparmor/apparmor!39

Acked-by: John Johansen <john.johansen@canonical.com>
 2017-12-22 19:00:36 +00:00
Christian Boltz
06928db1ce
Update /usr/lib/dovecot/* profiles 
- dict needs abstractions/openssl (seen with dovecot 2.2.31 since
  using openssl 1.1)
- imap needs to write tempfiles (seen with dovecot 2.2.31)
- managesieve-login needs access to the login-master-notify socket
  (seen with dovecot 2.2.33)
- pop3-login needs access to the anvil socket (reported by pfak on
  IRC some months ago)
 2017-12-18 17:00:35 +01:00
Christian Boltz
6713f9d94a Merge branch 'fix-pulse-config' into 'master' 
Fix local pulseaudio config file access

See merge request apparmor/apparmor!38


Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
 2017-12-17 16:19:42 +00:00
Christian Boltz
bb96e38a90
abstractions/X: add another location for .Xauthority 
With the latest sddm, .Xauthority is now located at
  @{HOME}/.local/share/sddm/.Xauthority
 2017-12-17 15:38:26 +01:00
Vincas Dargis
f73627cbb5 Fix local pulseaudio config file access 
Add rules to allow reading .conf files from $HOME/.config/pulse
and $HOME/.config/pulse/client.conf.d directories.
 2017-12-17 15:56:21 +02:00
Vincas Dargis
9f24650ef9 Fix signal sending for usr.sbin.dovecot 
Add signal rules to allow dovecot master daemon to send signals
to various child daemons (for reloading/restarting).
 2017-12-15 18:17:48 +02:00
John Johansen
a5e5185e15 Merge branch 'cboltz-useradd' into 'master' 
useradd profile: allow audit_write and running pam_tally2

See merge request apparmor/apparmor!24

Acked-by: John Johansen <john.johansen@canonical.com>
 2017-12-12 22:38:24 +00:00
Vincas Dargis
7546413b43 Update abstraction for new Thunderbird executable path 
* Add -bin suffix to reach new Thunderbird executable.
 2017-12-07 16:41:10 +00:00
Jamie Strandboge
c4a5e1d554 abstractions/fonts: also allow owner read on ~/.local/share/fonts 
The fonts abstraction had owner rules for ~/.fonts, but the current
standard location[1][2] in XDG_DATA_HOME was missing.

[1]https://cgit.freedesktop.org/fontconfig/commit/?id=8c255fb1
[2]https://lists.freedesktop.org/archives/fontconfig/2014-July/005270.html
 2017-12-05 15:49:55 -06:00