Allow /usr/etc/ in abstractions/authentication
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
See merge request apparmor/apparmor!426
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Some applications queries network configuration (using QNetworkConfigurationManager class in Qt and similar), and that produces DBus denials under AppArmor confinement when NetworkManager backend is used.
Add abstraction that allows most common read-only DBus queries for getting current network configuration from NetworkManager backend.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/409
Acked-by: John Johansen <john.johansen@canonical.com>
Requires NPAPI which no major browsers support anymore: Mozplugger npviewer / nspluginwrapper
The following have been discontinued Google Talk (and plugin) f-spot conkeror galeon Mozilla Prism rekonq Adobe Reader for Linux
Other gnome-codec-install is not in Ubuntu anymore gstreamer0.10 was replaced by 1.0
PR: https://gitlab.com/apparmor/apparmor/merge_requests/417
Acked-by: John Johansen <john.johansen@canonical.com>
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
Permit the use of /etc/krb5.conf.d configuration snippets
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Originally submitted as https://build.opensuse.org/request/show/733763
879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
Bug-Debian: https://bugs.debian.org/935058
Applications running under Xwayland in a GNOME+Wayland session need read access
to this file since:
a8984a81c2
… that was first included in mutter 3.33.3.
This rule is presumably only needed for GNOME+Wayland sessions, so one could
argue that it should live in abstractions/wayland instead, but Jamie argued that
it should be in the X abstraction because Xwayland is a X server.
Requires NPAPI which no major browsers support anymore:
Mozplugger
npviewer / nspluginwrapper
The following have been discontinued
Google Talk (and plugin)
f-spot
conkeror
galeon
Mozilla Prism
rekonq
Adobe Reader for Linux
Other
gnome-codec-install is not in Ubuntu anymore
gstreamer0.10 was replaced by 1.0
When a filesystem is mounted with the option *user*, the file selection
dialogue, e.g. in *Evince*, triggers an access of */run/mount/utab*, which
comes from *libmount* and should be allowed.
Winbind requires access to /var/cache/samba/msg.lock/*.
Move msg.lock/ to abstractions/samba.
On Arch Linux Winbind's pid is set to /run/winbindd.pid.
Signed-off-by: nl6720 <nl6720@gmail.com>
Some applications queries network configuration (using
QNetworkConfigurationManager class in Qt and similar), and that produces
DBus denials under AppArmor confinement when NetworkManager backend is
used.
Add abstraction that allows most common read-only DBus queries for
getting current network configuration from NetworkManager backend.
freshclam needs to write more files in /var/lib/clamav/, and also needs
to write its pid file.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/381
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
update postfix profiles
On openSUSE Leap 15.1, the postfix binaries live in /usr/lib/postfix/bin/ which was not covered in the postfix.\* attachment and mrix rules.
Also add several permissions to the postfix.\* profiles needed on openSUSE Leap 15.1.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/380
Signed-off-by: John Johansen <john.johansen@canonical.com>
base abstraction: allow mr on *.so* in common library paths.
For example, VirtualBox guests have /usr/lib/VBoxOGL.so.
Without this changes, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and display:
ImportError: libGL.so.1: failed to map segment from shared object
… and the system logs have:
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.
So let's not assume all libraries have a name that starts with "lib".
Bug-Tails: https://redmine.tails.boum.org/code/issues/16414
Candidate for master and 2.13.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/345
Signed-off-by: John Johansen <john.johansen@canonical.com>
For example, VirtualBox guests have /usr/lib/VBoxOGL.so.
Without this changes, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and display:
ImportError: libGL.so.1: failed to map segment from shared object
… and the system logs have:
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.
So let's not assume all libraries have a name that starts with "lib".
Those 3 login daemons should have similiar needs and thus similar profiles. IMAP is likely the most tested one so let's align the other 2 with it. Unix and TCP sockets rules were added to pop3-login after the removal of abstractions/nameservice that included them implicitly.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/338
Signed-off-by: Simon Deziel [simon@sdeziel.info](mailto:simon@sdeziel.info)
Signed-off-by: John Johansen <john.johansen@canonical.com>
profiles/gnome: add @{HOME}/.cache/gtk-3.0
Found this path is used by gtk_compose_hash_get_cache_path() in
gtkcomposetable.c.
See merge request apparmor/apparmor!342
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Being able to read the config means accessing ssl_key data so
should only be restricted to root https://wiki.dovecot.org/Services#config
Signed-off-by: Simon Deziel <simon@sdeziel.info>
Those 3 login daemons should have similiar needs and thus similar
profiles. IMAP is likely the most tested one so let's align the
other 2 with it. Unix and TCP sockets rules were added to pop3-login
after the removal of abstractions/nameservice that included them
implicitly.
Signed-off-by: Simon Deziel <simon@sdeziel.info>
When using passdb/userdb not requiring root (!= /etc/shadow access)
it is recommended to run the auth processes as non root and chroot'ed
Signed-off-by: Simon Deziel <simon@sdeziel.info>
Exceptions are
- ubuntu-browsers (because we already have ubuntu-browsers.d with
different usage)
- ubuntu-helpers (which includes the sanitized_helper subprofile, so
adding something in the global area wouldn't make much sense)
Also adjust abstractions/postfix-common to use the style all
abstractions use.
