mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
7221 commits 23 branches 109 tags 32 MiB
Commit graph

1316 commits

Author SHA1 Message Date
Jamie Strandboge
6c7492af89 dd LibreOffice to ubuntu-browsers.d/productivity abstraction 2011-02-15 15:54:48 -06:00
Steve Beattie
5a56604f99 From: Jeff Mahoney <jeffm@suse.com> 
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801

 /proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
 fixes the profile.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
 2011-02-15 10:54:30 -08:00
Jamie Strandboge
0807a74490 The example firefox profile in extras has been pretty out of date. Also, it 
allows write to the ~/Desktop directory, which could conceivably allow writing
of .desktop files which could be clicked on and executed by the user. This is
based on the firefox base profile as included in Ubuntu. Notable features:
- allows for using the browser to navigate through directories
- allows reads from @{HOME}/Public/**
- allows writes to @{HOME}/Downloads/**

The intent of this profile is to restrict code execution, writes to $HOME
and information leaks while allowing basic web browsing and reading of
system documentation. It does not allow for plugins, extensions or other
helpers (but these can be added via the local/ mechanism).
 2011-01-12 11:51:22 -06:00
Jamie Strandboge
b12d93a739 Attached is an updated dnsmasq profile that fixes the following: 
- allow net_admin capability for DHCP server
- allow net_raw and network inet raw for ICMP pings when used as a DHCP
server
- allow read and write access to libvirt pid files for dnsmasq

See the FAQ in the dnsmasq source for details. This fixes
https://launchpad.net/bugs/697239
 2011-01-12 11:47:04 -06:00
Jamie Strandboge
f7c6a848bb abstractions/private-files: don't allow wl to autostart directories 
abstractions/private-files-strict: don't allow access to:
- chromium
- thunderbird
- evolution
- kmail
- kwallet
 2011-01-07 10:44:47 -06:00
Jamie Strandboge
d03c2e681f abstractions/freedesktop.org updates: 
- require owner match for files in @{HOME}
- add new path for @{HOME}/.local/share/recently-used.xbel*
- add the following, confirmed via specifications:
  /usr/share/applications/mimeinfo.cache r,
  /usr/share/applications/*.desktop r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/*.desktop r,

References:
http://standards.freedesktop.org/basedir-spec/basedir-spec-0.6.html
http://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-0.9.4.html
http://www.freedesktop.org/wiki/Specifications/mime-actions-spec
 2010-12-23 18:39:28 -06:00
Jamie Strandboge
73c1283e98 abstractions/X: allow access to /usr/lib32 and /usr/lib64 for dri modules 
(LP: #658135)
 2010-12-23 18:39:02 -06:00
Jamie Strandboge
e356c4b19e add enchant abstraction. Enchant is a frontend for spellcheckers and in 
use by more and more applications, including empathy and evolution. It
is listed on freedesktop.org. See:
http://www.abisource.com/projects/enchant/

This abstraction gives access to enchant itself, files in the user's home
directory for enchant and various dictionaries for:
- aspell
- ispell
- hunspell
- myspell
- hspell
- zemberek
- voikko
 2010-12-22 16:59:44 -06:00
Jamie Strandboge
5c040c6149 allow 'rw' to /var/log/samba/cores/ (LP: #652562) 2010-12-22 16:58:23 -06:00
Jamie Strandboge
d097df8226 add preliminary ibus abstraction. Will likely need more once more ibus users 
start to use it. Additionally, the 'rw' on the @{HOME}/.config/ibus/bus/
probably only needs 'create' and 'chmod', so that could be tightened up once
those are exposed in the tools. LP: #649497.
 2010-12-22 16:57:35 -06:00
Jamie Strandboge
add5d47fc3 abstractions/user-manpages: require owner match for files in @{HOME} and /tmp 2010-12-22 16:55:50 -06:00
Jamie Strandboge
2227de709b abstractions/user-mail: 
- use character globbing
- require owner match for files in @{HOME}
 2010-12-22 16:55:18 -06:00
Jamie Strandboge
84b5f6e441 abstractions/user-write: 
- require owner match
- add @{HOME}/Public/
 2010-12-22 16:54:40 -06:00
Jamie Strandboge
1f2b4a5a19 abstractions/user-download: 
- fix typo for Desktop (should be Desktop/)
- require owner match
- allow writes to @{HOME}/[dD]ownload{,s}
 2010-12-22 16:52:13 -06:00
Jamie Strandboge
046cfe305f update ubuntu abstractions to use '# vim:syntax=apparmor' 2010-12-21 12:53:33 -06:00
Kees Cook
723a20ba7d as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
Kees Cook
46e96476d8 add python2.7 to python abstraction, LP: #644983 
Bug: https://launchpad.net/bugs/644983
 2010-12-20 12:10:52 -08:00
Jamie Strandboge
7f1b117675 abstractions/ubuntu-browsers: adjust sensible browser to use Pixr 2010-10-22 07:43:23 -05:00
Jamie Strandboge
fb418015e3 add /usr/bin/emacs-snapshot-gtk PUxr to ubuntu-browsers.d/text-editors 2010-10-21 09:03:09 -05:00
Jamie Strandboge
39902eff28 abstractions/ubuntu-email: adjustment for ever-changing path of thunderbird 
(LP: #648900)
 2010-09-27 08:47:08 -05:00
Jamie Strandboge
2cb3463cc8 add ubuntu-integration-xul for firefox-notify 2010-09-23 08:16:56 -05:00
Jamie Strandboge
6b81b50d36 ubuntu-browsers.d/multimedia: allow lpr and lpstat for printing from flash 
plugin
 2010-09-15 08:20:21 -05:00
Jamie Strandboge
b465b91ec9 exported smbd files need to have 'k' to work properly with certain applications 2010-09-14 14:12:49 -05:00
Jamie Strandboge
7aac7a23a3 profiles/apparmor.d/local/README: use commented text since aa-genprof is pretty 
grumpy without it
 2010-09-10 09:39:29 -05:00
Jamie Strandboge
edb1ae1798 allow mmap of font cache files in @{HOME}/.fontconfig/ for sun-java6 2010-09-08 13:56:19 -05:00
Jamie Strandboge
85c20fb564 update ubuntu-browsers.d/java for latest sun-java6 (LP: #633369) 2010-09-08 12:27:09 -05:00
Jamie Strandboge
834efc7b2c fix LP: #626451 (GoogleTalk in ubuntu-browsers.d/multimedia) 2010-09-08 08:51:06 -05:00
Jamie Strandboge
d2c61794ea update fonts abstraction to add '/var/lib/ghostscript/** r,' 2010-09-03 08:38:14 -05:00
Jamie Strandboge
b56e654f26 abstractions/ubuntu-browsers: add '/usr/bin/sensible-browser PUxr' 2010-08-30 07:52:20 -05:00
Jamie Strandboge
40751c2ed3 abstractions/ubuntu-browsers.d/ubuntu-integration: update for kmozillahelper 
and gnome-appearance-properties (LP: #514356, LP: #573344)
abstractions/ubuntu-browsers.d/user-files: update for /net (LP: #593413)
 2010-08-18 10:06:40 -05:00
Jamie Strandboge
c96c8a391f profiles/apparmor.d/abstractions/ubuntu-browsers.d/java: generalize names 
of child profiles
 2010-08-11 14:10:16 -05:00
Jamie Strandboge
7536899894 create ubuntu-feed-readers abstraction and have ubuntu-browsers.d/multimedia 
use it instead of specifying liferea directly
 2010-08-11 09:58:34 -05:00
Jamie Strandboge
44f2e73d1b update X abstraction for gdm's new placement of XAUTHORITY (LP: #601583) 2010-08-11 09:57:54 -05:00
Jamie Strandboge
9e99dfc8b2 add ca-certificates to ssl_certs abstraction (LP: #605835) 2010-08-11 09:15:56 -05:00
Jamie Strandboge
42cd946ff2 update ubuntu-browsers.d/kde to use PUx for kde4-config 2010-08-10 17:57:42 -05:00
Jamie Strandboge
cbbf3ea75e update abstractions/ubuntu-browsers.d/java for icedtea 2010-08-10 16:45:23 -05:00
Jamie Strandboge
23a77d70e8 adjust profiles/Makefile for abstractions/ubuntu-browsers.d 2010-08-10 16:42:00 -05:00
Jamie Strandboge
e1e85f285c remove kde4-config from the kde abstraction 2010-08-10 15:38:58 -05:00
Jamie Strandboge
6988cd07a0 adjust profiles/apparmor.d/local/README to codify the intended usage of local/ 2010-08-10 14:28:10 -05:00
Jamie Strandboge
1bdb6069da fix whitespace abstractions/ubuntu-browsers.d/* 
add 'owner' match to abstractions/ubuntu-browsers.d/java
 2010-08-10 14:18:21 -05:00
Jamie Strandboge
0978a1ad8a update ubuntu-* abstractions to use PUx instead of Ux 2010-08-10 14:11:04 -05:00
Jamie Strandboge
2a3aae6d57 'owner' match in commit 1406 too strict for /tmp/ and /var/tmp/ 2010-08-09 09:56:31 -05:00
Jamie Strandboge
d472cf13b1 add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/* 
for use with browser profiles
 2010-08-06 16:01:57 -05:00
Jamie Strandboge
eace04e2e7 profiles/Makefile: use LOCAL_ADDITIONS using filter-out in clean target, which 
is much cleaner.
 2010-08-05 16:00:23 -05:00
Jamie Strandboge
f9187ac661 profiles/Makefile: use same logic in 'clean' target as we did in 'local' 2010-08-05 15:53:07 -05:00
Jamie Strandboge
b550fa291c adjust profiles/Makefile for local files 2010-08-05 15:10:33 -05:00
Jamie Strandboge
6fb3f5c4a6 move profiles/local to profiles/apparmor.d/local 2010-08-05 14:15:56 -05:00
Jamie Strandboge
f25949cf84 start on 'local/' mechanism to aid in packaging: 
- add profiles/local/README
- adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/
- adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace
  and svn conventions
 2010-08-05 14:00:02 -05:00
Jamie Strandboge
24e3b5296e tighten up the dbus abstractions 2010-08-03 12:04:37 -05:00
Jamie Strandboge
9533ac3405 fix for LP: #611248 2010-08-03 09:13:34 -05:00