Christian Boltz
a054855433
Fix typo (double /) in opencl-pocl abstraction
2018-08-05 17:03:34 +02:00
Christian Boltz
b4c848c81e
Merge branch 'drg-mods-1' into 'master'
...
Various profile/abstraction updates
See merge request apparmor/apparmor!153
Acked-by: intrigeri <intrigeri@debian.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2018-08-02 17:17:30 +00:00
intrigeri
ddb256076b
Consistently point to the current (Launchpad) issue tracker.
2018-08-02 14:46:14 +00:00
intrigeri
2233818325
Merge branch 'drg-mods-3' into 'master'
...
Updated README to direct users to the GitLab issue tracker.
See merge request apparmor/apparmor!155
2018-08-02 04:20:59 +00:00
intrigeri
47e38944f3
Merge branch 'drg-mods-2' into 'master'
...
New abstraction: lsb_release (sub-profile).
See merge request apparmor/apparmor!154
2018-08-02 04:12:13 +00:00
Daniel Richard G
cffaa7a035
Updated README with links to the GitLab AppArmor project.
2018-08-01 23:56:59 -04:00
Daniel Richard G
99e45b59d3
lsb_release: added permissions needed by openSUSE implementation.
2018-08-01 19:13:26 -04:00
Daniel Richard G
f73514052d
New profile: lsb_release (no attachment path)
...
This will allow removal of the lsb_release sub-profile from the
chromium, firefox and murmurd profiles, and consolidation of the rules
for /usr/bin/lsb_release in a single file.
2018-08-01 19:13:18 -04:00
Daniel Richard G
67728c4f91
usr.sbin.sshd: need write access to Kerberos ticket cache.
2018-08-01 17:39:30 -04:00
Daniel Richard G
0de3d5e14b
usr.sbin.lighttpd: minor updates, added Debian/Ubuntu integration.
...
The integration changes are taken from the patch at
apparmor-2.12/debian/patches/debian/add-debian-integration-to-lighttpd.patch
and are necessary so that lighttpd doesn't serve everything as
application/octet-stream.
2018-08-01 17:39:17 -04:00
Daniel Richard G
e43468c94a
usr.sbin.in.fingerd: needs lock access on /run/utmp.
2018-08-01 17:37:11 -04:00
Daniel Richard G
c047abcaf3
sbin.rpc.statd: updated so that it actually works.
2018-08-01 17:36:54 -04:00
Daniel Richard G
ac1d0545f4
ldapclient abstraction: allow rw access to the nslcd socket.
...
This addresses https://launchpad.net/bugs/1575438 and also the case of
applications accessing the socket directly (due to NSS config).
2018-07-30 22:49:24 -04:00
intrigeri
f30544f185
Merge branch 'flatpak-exports' into 'master'
...
abstractions/freedesktop.org: treat Flatpak exports the same way as bits shipped by the distro
See merge request apparmor/apparmor!71
2018-07-29 23:39:41 +00:00
intrigeri
aa3022208f
tunables/share: make variables value more readable by avoiding the use of too many alternations.
...
Thanks to Christian Boltz for the suggestion and the patch!
2018-07-29 01:31:39 +00:00
Steve Beattie
4ee50ae1c4
Profiles: Patch usr.sbin.useradd to support usr-merge.
...
Merge branch 'xnox/apparmor-master'
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/152
2018-07-27 10:25:56 -07:00
Dimitri John Ledkov
e99fa6c605
Patch usr.sbin.useradd to support usr-merge.
2018-07-27 17:05:00 +01:00
intrigeri
34dbe372c5
Rename @{usr_share} → @{system_share_dirs} and @{home_local_share} → @{user_share_dirs}.
...
Thanks a lot to Simon McVittie for the much better names suggestion.
2018-07-27 06:33:42 +00:00
intrigeri
51f2259c08
freedesktop.org abstraction: refactor (factorize) for consistency.
...
This change makes the @{home_local_share} rules similar to the
@{usr_share} ones.
2018-07-27 06:28:22 +00:00
intrigeri
aed447aca2
freedesktop.org abstraction: simplify by not attempting to guess the exhaustive list of files that can exist in {~/.local/share,/usr/share}/applications/.
...
As Simon McVittie wrote, "if a specification or library creates extra caches, or
has .desktop files in a subdirectory, or anything like that, then I don't see
why we wouldn't want to allow reading those too".
2018-07-27 06:26:57 +00:00
intrigeri
9d843b90fe
kde abstraction: drop redundant rules for icons access.
...
These rules are already in abstractions/freedesktop.org that's included
by the abstractions/kde.
2018-07-27 06:22:29 +00:00
intrigeri
0ba94f5a04
freedesktop.org abstraction: treat Flatpak exports the same way as bits shipped by the distro.
...
As Simon McVittie <smcv@collabora.com> wrote on
https://bugs.debian.org/865206 and on the AppArmor mailing list:
"Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app.
The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism.".
Bug-Debian: https://bugs.debian.org/865206
2018-07-27 06:22:22 +00:00
intrigeri
160f1027e4
freedesktop.org abstraction: DRY by factorizing duplicated path components with variables.
...
These alternations will need to grow quite a bit in order to support Flatpak
exports. Let's avoid repeating ourselves too much.
2018-07-27 06:21:40 +00:00
Steve Beattie
b75d19ea79
common/Version: update to show master is developing towards 2.14
...
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2018-07-25 16:10:12 -07:00
intrigeri
d5e72d2ef2
Merge branch 'mesa-shader-lock' into 'master'
...
mesa abstraction: allow locking .cache/mesa_shader_cache/??/*.
See merge request apparmor/apparmor!148
2018-07-25 07:43:58 +00:00
intrigeri
59865e54c5
mesa abstraction: allow locking .cache/mesa_shader_cache/??/*.
...
At least Totem needs it on current Debian sid.
2018-07-24 07:21:51 +00:00
Christian Boltz
04e5b9fb8a
Merge branch 'wireshark-refresh' into 'master'
...
Wireshark refresh
See merge request apparmor/apparmor!143
Acked-by: Vincas Dargis <vindrg@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2018-07-23 15:17:04 +00:00
Steve Beattie
e162461f9d
parser: add missing break in load_profile()
...
Merge branch 'cboltz-parser-break' into 'master'
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/146
2018-07-17 22:33:50 -07:00
Simon Deziel
8684282a1b
usr.bin.wireshark: allow saving pcaps with optional gzip compression
2018-07-17 17:26:34 -04:00
Simon Deziel
b077fccaef
usr.bin.wireshark: allow creating QT compose cache
2018-07-17 17:15:15 -04:00
Simon Deziel
70a40566f5
usr.bin.wireshark: restrict hidden file creation under ~/.config/
2018-07-17 17:14:17 -04:00
Simon Deziel
fa30238293
usr.bin.dumpcap: drop useless/redundant rules
2018-07-17 17:12:44 -04:00
Simon Deziel
e0ba7a4609
usr.bin.wireshark: fix access to configuration profiles
2018-07-17 17:02:28 -04:00
Simon Deziel
bf8222a361
usr.bin.wireshark: add a comment for QtProject.conf rules
2018-07-17 06:15:51 -04:00
Christian Boltz
c437e9d4a5
add missing 'break' in load_profile()
...
'case OPTION_OFILE' missed the 'break', which means it did fallthrough
to the default case.
Adding the 'break' means no longer executing another PERROR, and no
longer executing the 'exit(1)' in the default branch.
References: coverity #55994
2018-07-13 15:21:24 +02:00
Simon Deziel
0e38f51aad
usr.bin.wireshark: mention that dri rules were backported from abstraction/dri-enumerate
2018-07-13 04:56:42 -04:00
Simon Deziel
5a8453fbe0
usr.bin.dumpcap: incorporate feedback from Talkless and cboltz
2018-07-12 05:13:55 -04:00
Simon Deziel
0c0a90be0b
usr.bin.wireshark: refresh for 18.04
2018-07-11 12:29:36 -04:00
Simon Deziel
b765dab52e
usr.bin.dumpcap: new profile
2018-07-11 12:29:12 -04:00
John Johansen
aa42e33860
kernel-patches: add v4.17-out-of-tree net compatibility patches
...
Add kernel patches that will NEVER be sent upstream. These provide abi
compatibility with the v2.x network and af_unix rules.
The 4.17 network mediation pull request deliberately broke abi
compatibility with the v2.x rules, and these are provided so that
distros who shipped the v2.x compatible patches can provide new
kernels on older releases that require v2.x network support.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-07-10 22:18:48 -07:00
Steve Beattie
8fc0ff7ffc
utils: cleanup serialize_profile() and its callers
...
Merge branch 'cboltz-cleanup-serialize-profile'
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/138
2018-06-29 15:21:24 -07:00
Steve Beattie
640556637f
adjust abstractions/python for python 3.7
...
Merge branch 'cboltz-python-version' into 'master'
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/139/
2018-06-29 18:15:47 +00:00
Christian Boltz
01f41fbff8
adjust abstractions/python for python 3.7
...
Python 3.7 was released yesterday - and to make the abstraction
future-proof, also cover 3.8 and 3.9 in advance ;-)
2018-06-28 13:34:08 +02:00
Christian Boltz
e5ffa6815c
Merge branch 'mesa' into 'master'
...
Add mesa abstraction
See merge request apparmor/apparmor!137
Acked-by: Christian Boltz <apparmor@cboltz.de>
2018-06-27 19:11:06 +00:00
Christian Boltz
b613860f14
serialize_profile: simplify setting of include_flags
...
Note that NO_FLAGS was an inverse option, therefore
- NO_FLAGS was changed to FLAGS (also in sync_profile() which is the
only caller that sets FLAGS)
- the default for include_flags (if FLAGS is not set) is True
2018-06-25 22:55:26 +02:00
Christian Boltz
9865e112f7
serialize_profile(): simplify setting include_metadata
2018-06-25 22:47:30 +02:00
Christian Boltz
5ef95fff4f
serialize_profile(): add type check for options
...
This makes the "if options:" check superfluous, therefore remove it and
change the whitespace of the following lines
2018-06-25 22:43:39 +02:00
Christian Boltz
7e42135010
fix serialize_profile() calls to always use a dict for options
2018-06-25 21:42:29 +02:00
Christian Boltz
db7983aee5
simplify setting serialize_options
2018-06-25 21:39:47 +02:00
Vincas Dargis
a0c719df73
Add mesa abstraction
...
Add mesa abstraction to allow writing to the Mesa-specific cache
locations and listing devices. Abstraction is needed for applications
utilizing OpenGL API with Mesa implementation available on the system.
2018-06-23 17:07:05 +03:00