Add new dri-common abstraction to contain basic DRI-specific rules.
This refactoring is based on a decision to have set of dri-* abstractions for
fine grained control on case-by-case basis. While dri-common is included in X
abstraction by default, additional DRI-related abstractions can be introduced
(such as for enumerating graphics devices) while keeping them logically together
with same dri- prefix.
Bruce Pieterse reports that AppArmor denied evince, among other
applications, from starting properly:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1432126
He tested a slight variant of the attached patch and reported success. I
propose this patch for both trunk and 2.9.
Signed-off-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1339727
LightDM keeps moving the location where it stores xauthority files for
users, when configured to store them in a system directory (e.g. with
[LightDM]
user-authority-in-system-dir=true
set in a lightdm configuration file).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
mistakenly did not incorporate feedback from Seth Arnold. Specifically, don't
specify label=unconfined on the abstract sockets.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- the base abstraction for common abstract and anonymous rules (comments
included per rule)
- dbus-session-strict to add a rule for connecting to the dbus session
abstract
socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
explicit label if people preferred that
- X to add a rule for connecting to the X abstract socket. Same as for
dbus-session-strict
- nameservice to add a rule for connecting to a netlink raw. This change could
possibly be excluded, but applications using networking (at least on Ubuntu)
all seem to need it. Excluding it would mean systems using nscd would need to
add this and ones not using it would have a noisy denial
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Description: allow mmap of fglrx dri libraries
Bug-Ubuntu: https://launchpad.net/bugs/1200392
Acked-by: Steve Beattie <steve@nxnw.org>
Came from 0038-lp1200392.patch.
From: Simon Deziel <simon.deziel@gmail.com>
A fair number of the rules that apply to files in @{HOME} predate the
existence of the 'owner' qualifier. This patch adds the 'owner'
qualifier in several places.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
In testing the skype profile, I found access to my @{HOME}/.XCompose
was being rejected. This patch updates the X abstraction to take a
user's defined XCompose key shortcuts into account.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
make the final install layout match the layout in the repository (at
long last :) -- now we can use a single 'make check' target to check the
profiles in the repository against both apparmor_parser and logprof.
