Christian Boltz
a054855433
Fix typo (double /) in opencl-pocl abstraction
2018-08-05 17:03:34 +02:00
Christian Boltz
b4c848c81e
Merge branch 'drg-mods-1' into 'master'
...
Various profile/abstraction updates
See merge request apparmor/apparmor!153
Acked-by: intrigeri <intrigeri@debian.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2018-08-02 17:17:30 +00:00
intrigeri
ddb256076b
Consistently point to the current (Launchpad) issue tracker.
2018-08-02 14:46:14 +00:00
intrigeri
2233818325
Merge branch 'drg-mods-3' into 'master'
...
Updated README to direct users to the GitLab issue tracker.
See merge request apparmor/apparmor!155
2018-08-02 04:20:59 +00:00
Daniel Richard G
cffaa7a035
Updated README with links to the GitLab AppArmor project.
2018-08-01 23:56:59 -04:00
Daniel Richard G
99e45b59d3
lsb_release: added permissions needed by openSUSE implementation.
2018-08-01 19:13:26 -04:00
Daniel Richard G
f73514052d
New profile: lsb_release (no attachment path)
...
This will allow removal of the lsb_release sub-profile from the
chromium, firefox and murmurd profiles, and consolidation of the rules
for /usr/bin/lsb_release in a single file.
2018-08-01 19:13:18 -04:00
Daniel Richard G
67728c4f91
usr.sbin.sshd: need write access to Kerberos ticket cache.
2018-08-01 17:39:30 -04:00
Daniel Richard G
0de3d5e14b
usr.sbin.lighttpd: minor updates, added Debian/Ubuntu integration.
...
The integration changes are taken from the patch at
apparmor-2.12/debian/patches/debian/add-debian-integration-to-lighttpd.patch
and are necessary so that lighttpd doesn't serve everything as
application/octet-stream.
2018-08-01 17:39:17 -04:00
Daniel Richard G
e43468c94a
usr.sbin.in.fingerd: needs lock access on /run/utmp.
2018-08-01 17:37:11 -04:00
Daniel Richard G
c047abcaf3
sbin.rpc.statd: updated so that it actually works.
2018-08-01 17:36:54 -04:00
Daniel Richard G
ac1d0545f4
ldapclient abstraction: allow rw access to the nslcd socket.
...
This addresses https://launchpad.net/bugs/1575438 and also the case of
applications accessing the socket directly (due to NSS config).
2018-07-30 22:49:24 -04:00
intrigeri
f30544f185
Merge branch 'flatpak-exports' into 'master'
...
abstractions/freedesktop.org: treat Flatpak exports the same way as bits shipped by the distro
See merge request apparmor/apparmor!71
2018-07-29 23:39:41 +00:00
intrigeri
aa3022208f
tunables/share: make variable values more readable by avoiding the use of too many alternations.
...
Thanks to Christian Boltz for the suggestion and the patch!
2018-07-29 01:31:39 +00:00
Dimitri John Ledkov
e99fa6c605
Patch usr.sbin.useradd to support usr-merge.
2018-07-27 17:05:00 +01:00
intrigeri
34dbe372c5
Rename @{usr_share} → @{system_share_dirs} and @{home_local_share} → @{user_share_dirs}.
...
Thanks a lot to Simon McVittie for the much better names suggestion.
2018-07-27 06:33:42 +00:00
intrigeri
51f2259c08
freedesktop.org abstraction: refactor (factorize) for consistency.
...
This change makes the @{home_local_share} rules similar to the
@{usr_share} ones.
2018-07-27 06:28:22 +00:00
intrigeri
aed447aca2
freedesktop.org abstraction: simplify by not attempting to guess the exhaustive list of files that can exist in {~/.local/share,/usr/share}/applications/.
...
As Simon McVittie wrote, "if a specification or library creates extra caches, or
has .desktop files in a subdirectory, or anything like that, then I don't see
why we wouldn't want to allow reading those too".
2018-07-27 06:26:57 +00:00
intrigeri
9d843b90fe
kde abstraction: drop redundant rules for icons access.
...
These rules are already in abstractions/freedesktop.org that's included
by the abstractions/kde.
2018-07-27 06:22:29 +00:00
intrigeri
0ba94f5a04
freedesktop.org abstraction: treat Flatpak exports the same way as bits shipped by the distro.
...
As Simon McVittie <smcv@collabora.com> wrote on
https://bugs.debian.org/865206 and on the AppArmor mailing list:
"Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app.
The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism.".
Bug-Debian: https://bugs.debian.org/865206
2018-07-27 06:22:22 +00:00
intrigeri
160f1027e4
freedesktop.org abstraction: DRY by factorizing duplicated path components with variables.
...
These alternations will need to grow quite a bit in order to support Flatpak
exports. Let's avoid repeating ourselves too much.
2018-07-27 06:21:40 +00:00
Cameron Nemo
9ab45d811e
profiles: support distributions which merge sbin into bin
...
Closes #8
2018-07-25 14:07:35 -07:00
intrigeri
59865e54c5
mesa abstraction: allow locking .cache/mesa_shader_cache/??/*.
...
At least Totem needs it on current Debian sid.
2018-07-24 07:21:51 +00:00
Simon Deziel
8684282a1b
usr.bin.wireshark: allow saving pcaps with optional gzip compression
2018-07-17 17:26:34 -04:00
Simon Deziel
b077fccaef
usr.bin.wireshark: allow creating QT compose cache
2018-07-17 17:15:15 -04:00
Simon Deziel
70a40566f5
usr.bin.wireshark: restrict hidden file creation under ~/.config/
2018-07-17 17:14:17 -04:00
Simon Deziel
fa30238293
usr.bin.dumpcap: drop useless/redundant rules
2018-07-17 17:12:44 -04:00
Simon Deziel
e0ba7a4609
usr.bin.wireshark: fix access to configuration profiles
2018-07-17 17:02:28 -04:00
Simon Deziel
bf8222a361
usr.bin.wireshark: add a comment for QtProject.conf rules
2018-07-17 06:15:51 -04:00
Simon Deziel
0e38f51aad
usr.bin.wireshark: mention that dri rules were backported from abstraction/dri-enumerate
2018-07-13 04:56:42 -04:00
Simon Deziel
5a8453fbe0
usr.bin.dumpcap: incorporate feedback from Talkless and cboltz
2018-07-12 05:13:55 -04:00
Simon Deziel
0c0a90be0b
usr.bin.wireshark: refresh for 18.04
2018-07-11 12:29:36 -04:00
Simon Deziel
b765dab52e
usr.bin.dumpcap: new profile
2018-07-11 12:29:12 -04:00
Christian Boltz
01f41fbff8
adjust abstractions/python for python 3.7
...
Python 3.7 was released yesterday - and to make the abstraction
future-proof, also cover 3.8 and 3.9 in advance ;-)
2018-06-28 13:34:08 +02:00
Vincas Dargis
a0c719df73
Add mesa abstraction
...
Add mesa abstraction to allow writing to the Mesa-specific cache
locations and listing devices. Abstraction is needed for applications
utilizing OpenGL API with Mesa implementation available on the system.
2018-06-23 17:07:05 +03:00
Christian Boltz
1185df3c65
fix path for apache2 stapling-cache
...
... to match the default apache settings
See also the discussion on the mailing list:
https://lists.ubuntu.com/archives/apparmor/2018-June/011688.html
2018-06-17 16:16:22 +02:00
Jamie Strandboge
0c7c34c6f1
Merge branch 'vulkan' into 'master'
...
Add Vulkan abstraction
See merge request apparmor/apparmor!126
2018-05-22 21:45:31 +00:00
Vincas Dargis
47520931be
Add Vulkan abstraction
...
Add abstraction for Vulkan API specific file paths.
2018-05-22 21:48:13 +03:00
Jamie Strandboge
c1431bc2de
Merge branch 'nvidia-app-profiles' into 'master'
...
Update nvidia for reading application profiles
See merge request apparmor/apparmor!125
2018-05-22 18:24:19 +00:00
Vincas Dargis
f2e0fdc72b
Update nvidia for reading application profiles
...
Add file rule to allow reading application profiles for NVIDIA
Linux graphics driver.
2018-05-22 20:43:56 +03:00
Vincas Dargis
8237d6e776
Add OpenCL abstractions
2018-05-13 20:14:15 +00:00
Christian Boltz
23b5f29b80
Update samba profiles
...
- allow smbd to load new shared libraries
- allow winbindd to read and write new kerberos cache location
Based on a patch by "Samuel Cabrero" <scabrero@suse.com>
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1092099
2018-05-09 21:00:30 +02:00
Jamie Strandboge
7bd3029f25
Merge branch 'update-fonts' into 'master'
...
Update fonts for Debian and openSUSE
See merge request apparmor/apparmor!96
2018-04-30 10:03:22 +00:00
Christian Boltz
3009b22aec
Merge branch 'qt5' into 'master'
...
Add qt5 abstraction
See merge request apparmor/apparmor!99
Acked-by: Christian Boltz <apparmor@cboltz.de>
2018-04-18 22:18:30 +00:00
Vincas Dargis
b902d2505d
Update fonts for Debian and openSUSE
...
* Allow to read conf-avail dir itself.
* Add various openSUSE-specific font config directories.
2018-04-18 19:16:29 +03:00
Vincas Dargis
6a85ffe00e
Add qt5 abstraction
...
Create abstractions/qt5 with common rules needed for Qt5-based
applications.
2018-04-18 19:12:28 +03:00
Christian Boltz
64c196a487
Merge branch 'Talkless/apparmor-nvidia-update'
...
See https://gitlab.com/apparmor/apparmor/merge_requests/92
Acked-by: John Johansen <john.johansen@canonical.com>
2018-04-14 23:38:29 +02:00
Christian Boltz
a7ffae4396
mlmmj-send-profile: allow reading digesters.d/*
...
Reported by Per Jessen by mail
2018-04-14 21:25:09 +00:00
Christian Boltz
c4e607199c
dovecot/config: allow dac_read_search and reading ssl-parameters.dat
...
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c12
2018-04-14 22:53:40 +02:00
Christian Boltz
26a8b72225
allow dovecot/auth to write /run/dovecot/old-stats-user
...
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
(3rd bullet point)
2018-04-13 13:55:05 +00:00