Christian Boltz
9fc8e43c67
abstractions: remove '#' from 'include if exists'
...
This matches what we use in the profiles for local abstractions.
Also adjust the check in the Makefile to expect the variant without '#'.
2020-05-30 19:53:49 +02:00
John Johansen
730db17607
policy: tag policy with the AppArmor 3.0 abi
...
Tag profiles and abstractions with abi information.
Tagging abstractions is not strictly necessary but allows the parser
to detect when their is a mismatch and that policy will need an
update for abi.
We do not currently tag the tunables because variable declarations
are not currently affected by abi.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2020-05-29 00:23:17 -07:00
Vincas Dargis
21bbfc0652
vulkan: fix device and driver enumeration
...
vkcube test application produces these DENIED messages on current Debian
Sid:
```
type=AVC msg=audit(1589815066.509:868): apparmor="DENIED"
operation="open" profile="/usr/bin/vkcube"
name="/sys/devices/pci0000:00/0000:00:02.0/drm/card0/gt_min_freq_mhz"
pid=32553 comm="vkcube" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
```
```
type=AVC msg=audit(1590082079.377:1155): apparmor="DENIED"
operation="open" profile="/usr/bin/vkcube"
name="/sys/devices/pci0000:00/0000:00:02.0/drm/card0/gt_max_freq_mhz"
pid=51348 comm="vkcube" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
```
```
type=AVC msg=audit(1590082107.057:1249): apparmor="DENIED"
operation="open" profile="/usr/bin/vkcube"
name="/sys/devices/pci0000:00/0000:00:02.0/drm/card0/metrics/" pid=51459
comm="vkcube" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
```
type=AVC msg=audit(1590082519.937:1408): apparmor="DENIED"
operation="open" profile="/usr/bin/vkcube"
name="/sys/devices/pci0000:00/0000:00:02.0/drm/card0/metrics/403d8832-1a27-4aa6-a64e-f5389ce7b212/id"
pid=51960 comm="vkcube" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
```
```
type=AVC msg=audit(1590082842.193:1829): apparmor="DENIED"
operation="open" profile="/usr/bin/vkcube"
name="/etc/glvnd/egl_vendor.d/" pid=53000 comm="vkcube"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
```
type=AVC msg=audit(1590082842.193:1830): apparmor="DENIED"
operation="open" profile="/usr/bin/vkcube"
name="/usr/share/glvnd/egl_vendor.d/" pid=53000 comm="vkcube"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
Add appropriate rules to fix these enumerations.
2020-05-21 21:00:13 +03:00
Vincas Dargis
e322c02c37
vulkan: allow reading /etc/vulkan/icd.d/
...
Recent Vulkan upgrades introduces new denies:
```
type=AVC msg=audit(1549749243.284:4250): apparmor="DENIED"
operation="open" profile="/usr/bin/vkcube" name="/etc/vulkan/icd.d/"
pid=16472 comm="vkcube" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
```
```
type=AVC msg=audit(1549800398.470:2612): apparmor="DENIED"
operation="open" profile="/usr/bin/vkcube"
name="/etc/vulkan/icd.d/test.j
son" pid=12230 comm="vkcube" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
```
Update `vulkan` abstraction to allow reading new configuration directory.
2019-02-10 14:07:17 +02:00
Matthew Garrett
d9ab83281b
Add support for local additions to abstractions
...
Local policy may want to extend or override abstractions, so add support for including local updates to them.
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: intrigeri <intrigeri@boum.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-01-24 03:06:03 -08:00
Vincas Dargis
2438179b76
Use @{sys} tunable in profiles and abstractions
...
Commit aa06528790
2018-11-08 20:04:46 +02:00
Vincas Dargis
47520931be
Add Vulkan abstraction
...
Add abstraction for Vulkan API specific file paths.
2018-05-22 21:48:13 +03:00
