As mir has come into use in Ubuntu touch and is available for testing on
Ubuntu desktop, confined apps need access to a few mir specific things.
This patch adds a mir abstraction.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The smbd profile contains /{,var/}run/cups/cups.sock rw, which is
covered by abstractions/cups-client and therefore superfluous.
Acked-by: Steve Beattie <steve@nxnw.org>
From: Felix Geyer <debfx@ubuntu.com>
At least Debian/Ubuntu started shipping some aspell files in
/usr/share/aspell/.
For example:
/usr/share/aspell/iso-8859-1.cmap
/usr/share/aspell/iso-8859-1.cset
The abstraction should allow read access to these files.
Acked-by: Steve Beattie <steve@nxnw.org>
- drop the symlink magic of the common/ directory, and just include
files directly from there.
- update comments indicating required steps to take when including
common/Make.rules
- drop make clean steps that refer to no longer generated tarballs,
specfiles, and symlinks to the common directory/Make.rules.
- don't silence clean steps if VERBOSE is set
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian "Ghostbuster" Boltz <apparmor@cboltz.de>
journal socket. On Debian and Ubuntu systems, /dev/log is a symlink to
/run/systemd/journal/dev-log, so this access is now required in the base
abstraction to maintain current behavior.
Bug: https://bugs.launchpad.net/apparmor/+bug/1413232
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt
leasehelper script to run even on x86_64.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=911001
Patch by "Cédric Bosdonnat" <cbosdonnat@suse.com>
Note: the original patch used {lib,lib64} - I changed it to lib{,64} to
match the style we typically use.
Acked-by: John Johansen <john.johansen@canonical.com>
Adds #include <abstractions/dovecot-common> to the usr.sbin.dovecot
profile. Effectively this adds "deny capability block_suspend," which
is the only missing part from
https://bugs.launchpad.net/apparmor/+bug/1296667/
It also removes "capability setgid," (covered by
abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of
abstractions/base).
Acked-by: John Johansen <john.johansen@canonical.com>
Add the needed permissions as reported in
https://bugs.launchpad.net/apparmor/+bug/1296667/ comment #1
to the usr.lib.dovecot.imap and imap-login profiles.
Acked-by: John Johansen <john.johansen@canonical.com>
Those *.spec{,.in} files were not updated for years (last change
2006/2007) and don't fit the current "one tarball for everything" model.
Acked-by: Steve Beattie <steve@nxnw.org>
The check-logprof target was not updated to use the python tools, when
they were merged in. This patch fixes the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
socket. Note, DBus mediation is still in effect so rules still need to be added
for accessing the DBus API (LP: #1375067)
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1339727
LightDM keeps moving the location where it stores xauthority files for
users, when configured to store them in a system directory (e.g. with
[LightDM]
user-authority-in-system-dir=true
set in a lightdm configuration file).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
- usr.lib.dovecot.auth needs /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- usr.lib.dovecot.imap requests block_suspend, which I propose to deny as usual
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Based on a patch from Felix Geyer who wrote in April:
> On Ubuntu trusty the php package creates config symlinks in
> /etc/php5/cli/conf.d/, /etc/php5/cgi/conf.d/ and
> /etc/php5/fpm/conf.d/ to /etc/php5/mods-available/.
This patch is a simplified version of his patch that allows
/etc/php5/**.ini r and /etc/php5/**/ r
Acked-by: Seth Arnold <seth.arnold@canonical.com> on IRC
(after menacing an Acked-by: <timeout>)
The Debian and Ubuntu Ruby 1.9.1 package is configured like this:
--with-vendordir='/usr/lib/ruby/vendor_ruby' --with-sitedir='/usr/local/lib/site_ruby
These paths are missing in the ruby abstraction.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
> Allow dnsmasq read access to IPv6 config
The commit did not match this part of the commit message
> slightly modified (../conf/**/mtu -> ../conf/*/mtu)
which I'm fixing now.
The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
implementations provide MTU in Router Advertisement (RA)
messages. From section 4.2
MTU SHOULD be sent on links that have a variable MTU
(as specified in the document that describes how to
run IP over the particular link type). MAY be sent
on other links.
dnsmasq supports this option and should have read access
to an interface's MTU.
Patch by James Fehlig <jfehlig@suse.com>
slightly modified (../conf/**/mtu -> ../conf/*/mtu)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
getopt, setopt and shutdown. This was added based on incorrect logging in early
iterations of the abstract kernel patches which have since been fixed. These
options don't make sense with peer=(addr=none), so drop that.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
mistakenly did not incorporate feedback from Seth Arnold. Specifically, don't
specify label=unconfined on the abstract sockets.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Update mdnsd for fine-grained netlink mediation. A mdnsd binary was not
available to test but code inspection showed it set up the socket the same as
avahi, which uses SOCK_DGRAM type instead of SOCK_RAW with netlink.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
