- allow rw access to /var/cache/krb5rcache/*
- treat passdb.tdb.tmp as passdb.tdb
Patch from Lars Müller <lmuelle@suse.com>
References: https://bugzilla.novell.com/show_bug.cgi?id=870607
Acked-by: Steve Beattie <steve@nxnw.org>
\s is a new feature of GNU grep 2.6 (released on 2010-03-23) and
it does not work in older versions. By using [[:space:]] instead,
AppArmor can compile on systems with older versions of grep.
Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
Acked-by: Steve Beattie <steve@nxnw.org>
and its derivatives
Bug-Ubuntu: https://launchpad.net/bugs/1285653
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This is an updated version of the previous dnsmasq profile patch, again
from develop7 [at] develop7.info
Acked-by: John Johansen <john.johansen@canonical.com>
- some *.dat files live in a different directory nowadays (at least in
openSUSE)
- the openSUSE smb.conf includes the (autogenerated) dhcp.conf, so this
file also needs to be readable.
References: https://bugzilla.novell.com/show_bug.cgi?id=863226
Acked-by: Seth Arnold <seth.arnold@canonical.com>
the suggestion to use @{XDG_DOWNLOAD_DIR} in abstractions/user-download as
well as the existing entries.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
The xdg-user-dirs specification[1] allows for translatable and movable common
directories. While this may be beneficial for users who for example want to have
~/Pictures translated into their own language, this flexibility provides
challenges for AppArmor. Untranslated xdg user directories are typically (see
~/.config/user-dirs.dirs):
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/Downloads"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_MUSIC_DIR="$HOME/Music"
XDG_PICTURES_DIR="$HOME/Pictures"
XDG_VIDEOS_DIR="$HOME/Videos"
On an Ubuntu system with the fr_CA locale installed, these become:
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/Téléchargements"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_MUSIC_DIR="$HOME/Musique"
XDG_PICTURES_DIR="$HOME/Images"
XDG_VIDEOS_DIR="$HOME/Vidéos"
While the kernel and AppArmor parser handle these translations fine, the
profiles do not.
As an upstream, we can vastly improve the situation by simply creating the
xdg-user-dirs tunable using the default 'C' xdg-user-dirs values:
$ cat /etc/apparmor.d/tunables/xdg-user-dirs
@{XDG_DESKTOP_DIR}=Desktop
@{XDG_DOWNLOAD_DIR}=Downloads
@{XDG_TEMPLATES_DIR}=Templates
@{XDG_PUBLICSHARE_DIR}=Public
@{XDG_DOCUMENTS_DIR}=Documents
@{XDG_MUSIC_DIR}=Music
@{XDG_PICTURES_DIR}=Pictures
@{XDG_VIDEOS_DIR}=Videos
# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
# to the various XDG directories
#include <tunables/xdg-user-dirs.d>
and then create the /etc/apparmor.d/tunables/xdg-user-dirs.d directory. With
that alone, we can start using rules like this in policy:
owner @{HOME}/@{XDG_MUSIC_DIR}/** r,
and users/admins can adjust /etc/apparmor.d/tunables/xdg-user-dirs or drop files
into /etc/apparmor.d/tunables/xdg-user-dirs.d, providing a welcome convenience.
This of course doesn't solve everything. Because users can modify their
~/.config/user-dirs.dirs file at will and have it point anywhere, so we can't
examine those files and do anything automatic there (when we have user policy we
can revisit this). This patch handles translations well though since use of
translations for these directories happens outside of the user's control. Users
who modify ~/.config/user-dirs.dirs can update policy like they need to now (ie,
this patch doesn't change anything for them).
[0] https://lists.ubuntu.com/archives/apparmor/2013-August/004183.html
[1] http://freedesktop.org/wiki/Software/xdg-user-dirs/
This patch adds basic support for XDG user dirs:
1. Update profiles/apparmor.d/tunables/global to include xdg-user-dirs.
2. Create the xdg-user-dirs tunable using the default 'C' xdg-user-dirs values
and includes tunables/xdg-user-dirs.d
3. Add profiles/apparmor.d/tunables/xdg-user-dirs.d/site.local with commented
out examples on how to use the directory.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Thai-specific functions like word-breaking, input and output methods and basic
character and string support. This is: https://launchpad.net/bugs/1278702
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Description: Allow applications run under sanitized_helper to connect to DBus
This was originally 0076_sanitized_helper_dbus_access.patch in the Ubuntu
apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1056418
From: Steve Beattie <steve.beattie@canonical.com>
Came from 0021-webapps_abstraction.patch in the Ubuntu apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Grant access to specific files in the /var/run/user/UID/pulse/ directory to
remove access to potentially dangerous and non-essential files such as the
debug (cli) socket provided by the module-cli-protocol-unix module.
Author: Tyler Hicks <tyhicks@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/1211380
Acked-by: Steve Beattie <steve@nxnw.org>
Description: allow mmap of fglrx dri libraries
Bug-Ubuntu: https://launchpad.net/bugs/1200392
Acked-by: Steve Beattie <steve@nxnw.org>
Came from 0038-lp1200392.patch.
Description: update mod_apparmor man page for Apache 2.4 and add new
apparmor.d/usr.sbin.apache2 profile (based on the prefork profile)
Acked-by: Steve Beattie <steve@nxnw.org>
Differs from original 0036-libapache2-mod-apparmor-profile-2.4.patch
ubuntu patch -- I've deleted the "delete the apache 2.2 profile" part of
the patch. So apache 2.2's profile is also still supported.
Author: Micah Gersten <micah@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Modified by Seth Arnold; nvidia nvpau_wrapper.cfg permission was hoisted
up into an nvidia abstraction.
Author: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This was originally patch 0018-lp1056391.patch in the Ubuntu apparmor
packaging; Steve noticed the now-redundant line for /var/lib/sss/mc/passwd
so I removed that at the same time.
After testing the dovecot profiles on a new server, I noticed
/usr/lib/dovecot/dict and /usrlib/dovecot/lmtp need more nameservice-
related permissions.
Therefore include abstractions/nameservice instead of adding more and
more files.
Acked-by: John Johansen (on IRC)
abstractions/mysql.
This binary/profile seems to be the only one that needs to do this, so
add it to this profile (instead of abstractions/mysql) to avoid superfluous
permissions for other programs with abstractions/mysql
Acked-by: John Johansen <john.johansen@canonical.com>
after testing the dovecot profiles on a new server, I noticed
/usr/sbin/dovecot needs some more permissions:
- mysql access
- execution permissions for /usr/lib/dovecot/dict and lmtp
- write access to some postfix sockets, used to
- provide SMTP Auth via dovecot
- deliver mails to dovecot via LMTP
- and read access to /proc/filesystems
Acked-by: John Johansen <john.johansen@canonical.com>
The usr.sbin.dovecot profile needs several updates for dovecot 2.x,
including
- capability dac_override and kill
- Px for various binaries in /usr/lib/dovecot/
The patch also adds a nice copyright header (I hope I got the bzr log
right ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
dovecot 2.x comes with several new binaries in /usr/lib/dovecot.
This patch adds profiles for
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/ssl-params
References: https://bugzilla.novell.com/show_bug.cgi?id=851984
Acked-by: John Johansen <john.johansen@canonical.com>
Introduces tunables/dovecot (with @{DOVECOT_MAILSTORE}) and replace
the mail storage location in various dovecot-related profiles with
this variable.
Also add nice copyright headers (I hope I got the bzr log right ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
From: Felix Geyer <debfx@ubuntu.com>
AppArmor requires read and write permission to connect to
unix domain sockets but the nameservice abstraction only
grants write access to the avahi socket.
As a result mdns name resolution fails.
Acked-by: John Johansen <john.johansen@canonical.com>
(collected in the openSUSE package over the last months)
- add abstractions/samba to usr.sbin.winbindd profile
(and cleanup things that are included in the abstraction - the cleanup
part is not in the openSUSE package)
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile
(bnc#851131)
- updates for samba 4.x and kerberos (bnc#846586#c12 and #c15,
bnc#845867, bnc#846054)
- drop always-outdated "Last Modified" comment
References: see the bnc# above (they are bug numbers at
bugzilla.novell.com)
Acked-by: John Johansen <john.johansen@canonical.com>
Create a new strict accessibility bus abstraction.
The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.
The permissive abstraction reuses the strict abstraction and then allows
all communications on the accessibility bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Move some of the file rules from the existing permissive session bus
abstraction into a new strict session bus abstraction. Leave the
dbus-launch rule in the permissive profile since not all applications
will need it.
The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.
The permissive abstraction reuses the strict abstraction and then allows
all communications on the session bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Move the file rule from the existing permissive system bus abstraction
into a new strict system bus abstraction.
The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.
The permissive abstraction reuses the strict abstraction and then allows
all communications on the system bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The AppArmor kernel now checks for both read and write permissions when
a process calls connect() on a UNIX domain socket.
The patch updates four abstractions that were found to be needing
changes after the change in AF_UNIX kernel mediation.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The accessibility bus uses an abstract socket, so there hasn't been a
need for an accessibility bus abstraction in the past. Now that D-Bus
mediation is supported, an abstraction becomes a useful place to put
accessibility bus D-Bus rules.
This patch follows the lead of the dbus and dbus-session abstraction by
granting full access to the accessibility bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Before D-Bus mediation support was added to AppArmor, the dbus and
dbus-session abstractions granted full access to the system and session
buses, respectively.
In order to continue granting full access to those buses, bus-specific
D-Bus mediation rules need to be added to the abstractions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
update-ca-certificates (from ca-certificates-1_201310161709-1.1.noarch)
stores certs in this directory now.
References: https://bugzilla.novell.com/show_bug.cgi?id=852018
Acked-by: Seth Arnold <seth.arnold@canonical.com>
dnsmasq needs read access to more files in /var/lib/libvirt/dnsmasq/
(at least *.conf and *.addnhosts)
Since this directory contains only files that are intended for dnsmasq
(also confirmed by Jim Fehlig, the SUSE libvirt maintainer), the best
way is to just allow "/var/lib/libvirt/dnsmasq/* r,"
References: https://bugzilla.novell.com/show_bug.cgi?id=848215
+1'd for trunk and 2.8 by Jamie Strandboge <jamie@canonical.com>
$HOME/.config/fontconfig/conf.d/* and
$HOME/.config/fontconfig/fonts.conf
/etc/fonts/conf.d/50-user.conf:
<!--
Load per-user customization files where stored on XDG Base Directory
specification compliant places. it should be usually:
$HOME/.config/fontconfig/conf.d
$HOME/.config/fontconfig/fonts.conf
-->
<include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
<include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
abstractions/fonts should allow read access to those files:
From: Felix Geyer debfx@ubuntu.com
Acked-by: John Johansen <john.johansen@canonical.com>
From: Kshitij Gupta <kgupta8592@gmail.com>
This patch removes:-
2 rules covered by abstractions in smbd profile:
- /var/log/samba/cores/smbd/ rw and /var/log/samba/cores/smbd/** rw
are in abstractions/samba covered by /var/log/samba/cores/** rw
1 superfluous rule:
- /var/lib/samba/printers/** rw is covered by /var/lib/samba/** rwk
Acked-by: Steve Beattie <steve@nxnw.org>
An abstraction to grant the ability to query dconf settings. It does
not grant the ability to update or add settings, due to our current
inability to restrict where within the dconf hierarchy updates
can occur.
From: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
From: Kshitij Gupta <kgupta8592@gmail.com>
This patch removes rules covered by abstractions in nscd profile:
- the network rules are in abstractions/nameservice
- @{PROC}/filesystems is in abstractions/base
- /{,var/}run/avahi-daemon/socket is in abstractions/nameservice
- /tmp/.winbindd/pipe and /var/lib/samba/winbindd_privileged/pipe are
in abstractions/winbind via abstractions/nameservice
Acked-by: Steve Beattie <steve@nxnw.org>
covered by abstractions:
- the network rules are in abstractions/nameservice
- /etc/gai.conf is also in abstractions/nameservice
- @{PROC}/sys/kernel/ngroups_max is in abstractions/base
Acked-by: Steve Beattie <steve@nxnw.org>
Patch-Author: Stefan Seyfried <seife+obs@b1-systems.com>
After this change in ntp:
* Mo Aug 19 2013 crrodriguez@opensuse.org
- Build with -DOPENSSL_LOAD_CONF , ntp must respect and use
the system's openssl configuration.
we need to read openssl.cnf or starting of ntpd will fail silently(!)
Patch v2 by Christian Boltz: use abstractions/openssl instead of
allowing /etc/ssl/openssl.cnf directly
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
