Also deny capability block_suspend because nobody can imagine why it
would be needed.
References: https://bugzilla.novell.com/show_bug.cgi?id=807104
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(backport of trunk r2109)
abstractions/mysql contains
/var/lib/mysql/mysql.sock rw,
/usr/share/mysql/charsets/ r,
/usr/share/mysql/charsets/*.xml r,
but the files moved (at least on openSUSE) to
/usr/share/mysql-community-server/charsets/*.xml
/var/run/mysql/mysql.sock
This causes denials for all applications using MySQL on 12.2 and
Factory.
MariaDB has the *.xml files in
/usr/share/mariadb/charsets/*.xml
and also seems to use /var/run/mysql/ for the socket.
Since MariaDB is basically a drop-in replacement for MySQL, it makes
sense to allow access to it via abstractions/mysql.
References: https://bugzilla.novell.com/show_bug.cgi?id=798183
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Merge from trunk commit 2102
Original message:
I was testing out a profile for pulseaudio and hit an issue where my
pulseaudio process was getting the firefox profile applied to it. This
is because in abstractions/ubuntu-browsers.d/multimedia the rule for
pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it
to Pixr, so as to use a global pulseaudio policy if it exists.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Merge from trunk commit 2093
Original message:
Subject: profiles - add user's XCompose file to X abstraction
In testing the skype profile, I found access to my @{HOME}/.XCompose
was being rejected. This patch updates the X abstraction to take a
user's defined XCompose key shortcuts into account.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from trunk commit 2092 (w/ dropping the last modified timestamp
entirely)
Original message:
Subject: profiles - update skype profile
Author: Jamie Strandboge <jamie@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/933440 Forwarded: yes
This is a very slightly updated version of the skype profile
update that Jamie Strandboge submitted, but did not get a review.
The only addition over the previously submitted version is rw access
to @{HOME}/.config/Skype/Skype.conf.
(This commit incorporates the additional @{HOME}/.kde4 change proposed
by Christian Boltz <apparmor@cboltz.de>)
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from trunk commit 2090
Original message:
Subject: profiles - nvidia abstraction cleanups
This patch modifies the nvidia abstraction to add the livdpau wrapper
config file for nvidia workarounds. It also converts the /proc/
rules to use the @{PROC} tunable. And finally, it converts the
ubuntu-browsers.d/multimedia abstraction to use the nvidia abstraction.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge mailing list update from profiles/apparmor/profiles/extras/README
in trunk commit 2069.
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
/usr/share/poppler/cMap/**
Merge from trunk commit 2065.1.3
Original message:
Gnome applications are now quite interested in reading
/usr/share/poppler/cMap/**. These files are included in the poppler-data
package on Ubuntu, and their 'r' denials create quite a bit of noise.
Apparently they are needed to display PDF documents containing CJK
characters with libpoppler. I added it to the gnome abstraction because
several applications not linked against poppler are consulting this
data.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from trunk commit 2065.1.1.
Original message:
update fonts abstraction for new fontconfig paths
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Original message:
/bin/ping moved to /usr/bin/ping on openSUSE (usrMerge)
Update the profile to make sure it's still used.
Acked-by: John Johansen <john.johansen@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Original message:
Author: Mark Ramsell <mramsell@qazonline.net>
Description: ubuntu-integration does not work properly with exo-open
Bug-Ubuntu: https://launchpad.net/bugs/987578
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Original message:
Description: let sanitized-helper also allow access to /usr/local.
Patch based on work by Reuben Thomas
Bug-Ubuntu: https://launchpad.net/bugs/1013887
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
the chromium and chrome sandboxes are setuid root, they only link in limited
libraries so glibc's secure execution should be enough to not require the
santized_helper (ie, LD_PRELOAD will only use standard system paths (man
ld.so)). Also allow some paths in /opt for Chrome.
Ubuntu-Bug: https://launchpad.net/bugs/964510
Acked-By: Jamie Strandboge <jamie@canonical.com>
sanitized_helper. For now this only allows software-center scripts in
/usr/share, but we may need to increase what is allowed in /usr/share if more
things are denied when they shouldn't be.
Ubuntu-Bug: https://launchpad.net/bugs/972367
Acked-By: Jamie Strandboge <jamie@canonical.com>
Description: glibc's __get_nprocs() now checks /sys/devices/system/cpu/online
in addition to /proc/stat for the number of processors. This is used in the
_SC_NPROCESSORS_ONLN implementation, a part of sysconf. This was introduced in
upstream glibc commit:
84e2a551a7
Bug-Ubuntu: https://launchpad.net/bugs/929531
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
(At least) openSUSE uses ~/.kde4 to store KDE4 settings.
This patch changes ~/.kde/ to ~/.kde{,4} in all abstractions.
The patch is mostly from Velery Valery, I only fixed a merge conflict
and added the kmail{,2} part in private-files-strict.
References: https://bugzilla.novell.com/show_bug.cgi?id=741592
Acked-By: Steve Beattie <sbeattie@ubuntu.com> for both trunk and 2.7.
which is needed by NetworkManager integration in Ubuntu. (LP: #917628)
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
A bug in Ubuntu reported that the aspell abstraction does
not allow write access to the user customizable dictionaries, the
personal dictionary (~/.aspell.$LANG.pws) and the personal replacement
dictionary (~/.aspell.$LANG.prepl). It also adjusts the abstraction
to add the owner modifier to the personal dictionaries.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/917859
it is needed by pretty much all of the browser abstractions. aa-update-browser
unconditionally adds the plugins-common abstraction, so this should be
sufficient.
Lenient profile that is intended to be used when 'Ux' is desired but
does not provide enough environment sanitizing. This effectively is an
open profile that blacklists certain known dangerous files and also
does not allow any capabilities. For example, it will not allow 'm' on files
owned be the user invoking the program. While this provides some additional
protection, please use with care as applications running under this profile
are effectively running without any AppArmor protection. Use this profile
only if the process absolutely must be run (effectively) unconfined.
Limitations:
1. This does not work for root owned processes, because of the way we use
owner matching in the sanitized helper. We could do a better job with
this to support root, but it would make the policy harder to understand
and going unconfined as root is not desirable anyway.
2. For this sanitized_helper to work, the program running in the sanitized
environment must open symlinks directly in order for AppArmor to mediate
it. This is confirmed to work with:
- compiled code which can load shared libraries
- python imports
It is known not to work with:
- perl includes
3. Going forward it might be useful to try sanitizing ruby and java
Use at your own risk. This profile was developed as an interim workaround for
LP: #851986 until AppArmor implements proper environment filtering.
Acked-by: Jamie Strandboge <jamie@canonical.com>
Adjust ubuntu abstractions to use sanitized_helper instead of (P)Ux.
Acked-by: Jamie Strandboge <jamie@canonical.com>
Update launchpad-integration to use a sanitized helper in a similar manner
as that in ubuntu-helpers.
Acked-by: Jamie Strandboge <jamie@canonical.com>
creating owner writes on things like ~/.cache and ~/.config
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
