Exceptions are
- ubuntu-browsers (because we already have ubuntu-browsers.d with
different usage)
- ubuntu-helpers (which includes the sanitized_helper subprofile, so
adding something in the global area wouldn't make much sense)
Also adjust abstractions/postfix-common to use the style all
abstractions use.
Commit b5be596460 added ability to read
/usr/share/drirc.d/ directory to mesa abstraction.
This seems to be a mistake, as it was noted that not all GUI
applications, that need access to drirc.d, also need whole mesa-related
rules (including writing caches).
Move /usr/share/drirc.d/ access to different abstraction. This is not a
breaking change, because any GUI application will have included X
abstraction already, and in the end result - dri-common abstraction too.
Fix typo introduced when resolving a merge conflict for d9ab83281b
("Add support for local additions to abstractions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Local policy may want to extend or override abstractions, so add support for including local updates to them.
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: intrigeri <intrigeri@boum.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Latest netconfig in openSUSE writes /run/netconfig/resolv.conf, and only
has a symlink to it in /etc
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1097370
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
*Add anonymous shared memory access rule for QtSettings.conf file
itself.
* Reduce strictness of anonymous shared memory file names - numbers in
them can be smaller or bigger.
* Fix consistency - require anonymous shared memory file names to end
with digit in all rules.
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
`/etc/letsencrypt/live/` contains symlinks to
`/etc/letsencrypt/archive/` which contains the keys. Add the
certs to ssl_certs and the private keys to ssl_keys.
Convert postfix's master profile to use a named profile
(postfix-master) rather than the exec path match pattern. Adjust
postfix-common abstraction to take this into account. Rename profile
name in the profiles/apparmor/profiles/extras/ directory to match
the profile name.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Commit aa06528790 made @{sys} tunable
available by default.
Update profiles and abstractions to actually use @{sys} tunable for
better confinement in the future (when @{sys} becomes kernel var).
Closes LP#1728551
Also adjust the signal rules in the dovecot-common and apache2-common
abstractions to match the profile names, and to really do that
(peer=...{bin,sbin}... didn't work, the correct syntax would have been
peer=...\{bin,sbin\}...)
This fixes the regression introduced by !149 / commit
4200932d8f
Move @{sys} into tunables/kernelvars to make it readily available for
all profiles by default. In order to avoid duplicate variable
declaration, other tunable includes where modified accordingly.
Additionally, apparmor_api/is_enable has updated comment with regards to
@{sys} availability. tunables/sys is now marked as deprecated and should
not be used as it is noop, left only for backwards compatibility.
This is preparation for fixing bug:
https://bugs.launchpad.net/apparmor/+bug/1728551
Thanks to Christian Boltz for original idea to implement this in
non-breaking manner.
Use nvidia_modprobe named profile inside opencl-nvidia abstraction
Commit 8f9bd5b0 rightfully removed PUx
transition into nvidia-modprobe executable due to security concerns. To
overcome this, commit 327420b1 added
named nvidia_modprobe profile, which allows to use this abstraction
without requiring additional rules to make OpenCL work with NVIDIA
drivers.
Add rule to allow Px transition into nvidia_modprobe profile for
nvidia-modprobe executable.
I propose this for 2.13..master (opencl* are only available in 2.13...). Please check if nvidia_modprobe is already backported.
https://gitlab.com/apparmor/apparmor/merge_requests/219
Acked-by: John Johansen <john.johansen@canonical.com>
Commit 8f9bd5b0e3 rightfully removed PUx
transition into nvidia-modprobe executable due to security concerns. To
overcome this, commit 327420b151 added
named nvidia_modprobe profile, which allows to use this abstraction
without requiring additional rules to make OpenCL work with NVIDIA
drivers.
Add rule to allow Px transition into nvidia_modprobe profile for
nvidia-modprobe executable.
Currently, kde abstraction has rules relevant to Qt 3 and Qt 4
libraries, but are missing rules against latest Qt 5.
Include read-only Qt 5 abstraction to fix styling and similar issues for
software running on KDE 5 desktop.
Fixes https://bugs.launchpad.net/apparmor/+bug/1787201
gio-launch-desktop helper tries to execute /usr/bin/thunderbird wrapper
script, not the /usr/lib/thunderbird... directly.
Add rule allowing to execute /usr/bin/thunderbird.
This reverts commit ab7459ed40.
This commit was meant to go to a branch to setup a merge request in
gitlab. Revert until the commit has gone through the regular review
process.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add qt5 writing abstractions
Qt-based applications stores QFileDialog (latest browsed directory) and
other shared user settings inside ~/.config/QtProject.conf. Currently
available qt abstraction only allows to read it (by design), so this
patch introduces abstraction that grants permissions for writing.
Relevant denies discovered with KDE Dragon Player:
/var/log/audit/audit.log.1:type=AVC msg=audit(1533485161.999:981): apparmor="DENIED" operation="mknod" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.lock" pid=29911 comm="dragon" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1533486419.266:1141): apparmor="DENIED" operation="file_lock" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.lock" pid=30406 comm="dragon" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
/var/log/audit/audit.log.1:type=AVC msg=audit(1533485206.575:1006): apparmor="DENIED" operation="link" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.Gflpds" pid=29946 comm="dragon" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/vincas/.config/#12982163"
In addition, added new qt-compose-cache-write abstraction as some applications wants to write compose cache. qt5 abstraction is appended with read-only rule (that's enough for LibreOffice using KDE file dialog).
See merge request apparmor/apparmor!159
Acked-by: John Johansen <john.johansen@canonical.com>
Qt GUI applications that uses "platforminputcontexts"-class of plugins
might need reading and/or writing compose cache. Add read-only rule in
qt5 abstraction and create new writing dedicated for compose cache
writing.
Qt-based applications stores QFileDialog (latest browsed directory) and
other shared user settings inside ~/.config/QtProject.conf. Currently
available qt abstraction only allows to read it (by design), so this
patch introduces abstraction that grants permissions for writing.
Abstractions need write access to create/update some common config dirs
See merge request apparmor/apparmor!165
Acked-by: John Johansen <john.johansen@canonical.com>
KIconLoader uses ~/.cache/icon-cache.kcache, and it is opened in
read-write mode. Because access to it does not seem to be critical, and
read-only mode is not used, rules for accessing this cache is added to
it's own new "write" abstraction, instead of making kde abstraction more
permissive by default.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently, kde abstraction only allows reading
~/.config/klanguageoverridesrc file (by design). Some KDE applications
has option to change language for it's interface, and this needs write
access. This is fixed by introducing new abstraction.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently, kde abstraction only allows reading ~/.config/kdeglobals (by
design), though some applications might need to update it's contents
such as KFileDialog settings. This patch fixes it by introducing new
abstraction.
Signed-off-by: John Johansen <john.johansen@canonical.com>
