Merge from trunk revision 2295:
libtoolize is the standard mechanism for incorporating libtool support
into a library; however, libapparmor's autogen.sh script specifically
looks for the existence of the libtool binary rather than libtoolize.
The libtoolize tool automatically generates a libtool script and does
not require the existence of the libtool binary, so we no longer need
to check for it.
The autogen.sh script aborting because it can't find the libtool
binary causes a spurious build failure in Ubuntu 14.04, due to the
libtool binary being separated out into its own package, and which
is not a strict dependency for libtool.
(I also added setting the package variable so that the error message
emitted will indicate that the failure is in building libapparmor.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
update-ca-certificates (from ca-certificates-1_201310161709-1.1.noarch)
stores certs in this directory now.
References: https://bugzilla.novell.com/show_bug.cgi?id=852018
Acked-by: Seth Arnold <seth.arnold@canonical.com>
patch is needed to fix the build.
patch from: Jan Rękorajski <baggins@pld-linux.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
dnsmasq needs read access to more files in /var/lib/libvirt/dnsmasq/
(at least *.conf and *.addnhosts)
Since this directory contains only files that are intended for dnsmasq
(also confirmed by Jim Fehlig, the SUSE libvirt maintainer), the best
way is to just allow "/var/lib/libvirt/dnsmasq/* r,"
References: https://bugzilla.novell.com/show_bug.cgi?id=848215
+1'd for trunk and 2.8 by Jamie Strandboge <jamie@canonical.com>
$HOME/.config/fontconfig/conf.d/* and
$HOME/.config/fontconfig/fonts.conf
/etc/fonts/conf.d/50-user.conf:
<!--
Load per-user customization files where stored on XDG Base Directory
specification compliant places. it should be usually:
$HOME/.config/fontconfig/conf.d
$HOME/.config/fontconfig/fonts.conf
-->
<include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
<include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
abstractions/fonts should allow read access to those files:
From: Felix Geyer debfx@ubuntu.com
Acked-by: John Johansen <john.johansen@canonical.com>
cache files will be written out even if the '--skip-bad-cache' option
is given and the cached features file differs from the features of
the currently running kernel. The patch below fixes the regression.
From: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
we are writing a new cache .features file the cache dir should be cleared
out.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
--cache-loc= is specified. This results in using the .features file from
/etc/apparmor.d/cache or always recompiling policy.
The former case is particularly bad as the .features file in
/etc/apparmor.d/cache/ may not correspond to the file in the specified
cache location.
bug: launchpad.net/bugs/1229393
Signed-off-by: John Johansen <john.johansen@canonical.com>
example with LANG=pt_BR) because a regex relies on netstat output.
Enforce LANG=C to make sure aa-unconfined always sees the expected output.
Acked-by: Steve Beattie <steve@nxnw.org>
(The broken URLs were introduced in r1582.)
for utils/*.pod:
Acked-by: Steve Beattie <steve@nxnw.org>
for the other directories:
Patch by Steve Beattie
Acked-by: Christian Boltz <apparmor@cboltz.de>
Patch-Author: Stefan Seyfried <seife+obs@b1-systems.com>
After this change in ntp:
* Mo Aug 19 2013 crrodriguez@opensuse.org
- Build with -DOPENSSL_LOAD_CONF , ntp must respect and use
the system's openssl configuration.
we need to read openssl.cnf or starting of ntpd will fail silently(!)
Patch v2 by Christian Boltz: use abstractions/openssl instead of
allowing /etc/ssl/openssl.cnf directly
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Merge from trunk commit rev 2181
From: intrigeri <intrigeri@boum.org>
D-Bus now uses /etc/machine-id in some cases:
https://bugs.freedesktop.org/show_bug.cgi?id=35228
Acked-by: Steve Beattie <steve@nxnw.org>
Patch by Kshitij Gupta <kgupta8592@gmail.com>
A previous bugreport [1] was fixed using the smartmatch operator,
which raised the minimum Perl version requirement to >=5.10.1 .
However in Perl5.18 the smartmatch operator has again become
"experimental" [2] so the following patch replace smartmatch operator
with grep and thereby avoiding the requirement hike and avoiding
warnings.
[1] https://bugs.launchpad.net/apparmor/+bug/1180230
[2] http://blogs.perl.org/users/mike_b/2013/06/a-little-nicer-way-to-use-smartmatch-on-perl-518.html
ACKed-by: Christian Boltz <apparmor@cboltz.de>
Merge from trunk revision 2142
This patch fixes problems in the handling of both the final cache
name location and the temporary cache file when an alternate location
is specified.
The first issue is that if the alternate cache directory location was
specified, the alternate directory name would be used as the final
location for the cache file, rather than the alternate directory +
the basename of the profile.
The second issue is that it would generate the temporary file that it
stores the cache file in [basedir]/cache even if an alternate cache
location was specified on the command line. This causes a problem
if [basedir]/cache is on a separate device than the alternate cache
location, because the rename() of the tempfile into the final location
would fail (which the parser would not check the return code of).
This patch fixes the above by incorporating the basename into the cache
file name if the alternate cache location has been specified, bases the
temporary cache file name on the destination cache name (such that they
end up in the same directory), and finally detects if the rename fails
and unlinks the temporary file if that happens (rather than leave it
around). It also has been updated to add a couple of testcases to verify
that writing and reading from an alternate cache location work.
Patch history:
v1: first draft of patch
v2: add testcases, convert PERROR() to pwarn() if rename() fails for
placing cachefile into place.
For 2.8 branch:
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
and Glob with Ext putting duplicate entries in the list.
The fix introduced a Perl 5.10.1 or higher dependency, so start documenting
minimum required versions of packages.
Acked-By: Christian Boltz <apparmor@cboltz.de>
https://bugs.launchpad.net/apparmor/+bug/1196880
Patch by Gernot Vormayr <gvormayr@gmail.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Merge from trunk commit 2108
Author: Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Modifiy the libapparmor macro for python to use python-config if it
exists to determine what CPPFLAGS and LDFLAGS to use when building
the python swig libraries. Without this addition, python detection
fails on ubuntu 13.04. I've confirmed that with this patch applied,
the python libraries still build successfully on older releases as well
(as far back as ubuntu 11.10).
abstractions/ubuntu-browsers.d/ubuntu-integration.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(backport of trunk r2133)
deny writes to upstart user sessions jobs in abstractions/private-files
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
the 2.8 branch.
Original commit message:
committer: Jamie Strandboge <jamie@canonical.com>
Initial port to python3 for utilities. Thanks to Dmitrijs Ledkovs
Acked-By: Jamie Strandboge <jamie@canonical.com>
Most of trunk r2052 also applies to the 2.8 branch. The only difference
is the last section of changes in utils/vim/create-apparmor.vim.py
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Skimmed-by: Seth Arnold <seth.arnold@canonical.com>
file is larger than the feature buffer used for cache version comparison.
Ideally this would be dynamically allocated but for 2.8 just bumping the
buffer size is the quick fix.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Also deny capability block_suspend because nobody can imagine why it
would be needed.
References: https://bugzilla.novell.com/show_bug.cgi?id=807104
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(backport of trunk r2109)
abstractions/mysql contains
/var/lib/mysql/mysql.sock rw,
/usr/share/mysql/charsets/ r,
/usr/share/mysql/charsets/*.xml r,
but the files moved (at least on openSUSE) to
/usr/share/mysql-community-server/charsets/*.xml
/var/run/mysql/mysql.sock
This causes denials for all applications using MySQL on 12.2 and
Factory.
MariaDB has the *.xml files in
/usr/share/mariadb/charsets/*.xml
and also seems to use /var/run/mysql/ for the socket.
Since MariaDB is basically a drop-in replacement for MySQL, it makes
sense to allow access to it via abstractions/mysql.
References: https://bugzilla.novell.com/show_bug.cgi?id=798183
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Merge from trunk commit 2102
Original message:
I was testing out a profile for pulseaudio and hit an issue where my
pulseaudio process was getting the firefox profile applied to it. This
is because in abstractions/ubuntu-browsers.d/multimedia the rule for
pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it
to Pixr, so as to use a global pulseaudio policy if it exists.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
time formats. As this is causing failures on some systems
currently the only supported format is
<Month> ## hh:mm:ss
extend this to
<Month> ## hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-dd hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-ddThh:mm:ss(.ms)?((+|-)timezone)?
Merge from trunk commit 2077
Original message:
Subject: aa-decode test script v3
This patch adds a test script/driver for the aa-decode utility. The only
change from the previous versions is to support overriding the location
of the aa-decode to test via the APPARMOR_DECODE environment variable
and documenting the utils/ tests in the top level README.
The aa-decode test can be run directly from the commandline in the utils
directory like so:
test/test-aa-decode.py -v
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
release. In this merge are the following trunk commits:
2050 - parser - network rules debugging statements
2057 - update ubuntu-browsers.d/java for IcedTea 7
2058 - let sanitized-helper also allow access to /usr/local
2059 - ubuntu-integration does not work properly with exo-open
2062 - support alternate ping install location in /usr
2064 - parser - update apparmor_parser man page
2065 - parser - correct apparmor_parser -N command privilege
2066 - parser - *just* the updated caching test message from this commit
2065.1.1 - profiles update fonts abstraction for new fontconfig paths
2065.1.{3,4} - profiles - Gnome applications are now quite interested
in reading /usr/share/poppler/cMap/**
2069 - profiles - update extras README with mail list info
2074 - tests - fix clone test on arm
2076 - parser tests - fix test driver for exec() failure
2079 - libapparmor - add pkgconfig support
2083 - parser tests - fix fine grained timestamp detection in caching tests
2090 - nvidia abstractions cleanups
2092 - update skype profile
2093 - add XCompose to abstractions/X
2096 - dnsmasq network-manager integration
Merge from trunk commit 2093
Original message:
Subject: profiles - add user's XCompose file to X abstraction
In testing the skype profile, I found access to my @{HOME}/.XCompose
was being rejected. This patch updates the X abstraction to take a
user's defined XCompose key shortcuts into account.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from trunk commit 2092 (w/ dropping the last modified timestamp
entirely)
Original message:
Subject: profiles - update skype profile
Author: Jamie Strandboge <jamie@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/933440 Forwarded: yes
This is a very slightly updated version of the skype profile
update that Jamie Strandboge submitted, but did not get a review.
The only addition over the previously submitted version is rw access
to @{HOME}/.config/Skype/Skype.conf.
(This commit incorporates the additional @{HOME}/.kde4 change proposed
by Christian Boltz <apparmor@cboltz.de>)
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge from trunk commit 2090
Original message:
Subject: profiles - nvidia abstraction cleanups
This patch modifies the nvidia abstraction to add the livdpau wrapper
config file for nvidia workarounds. It also converts the /proc/
rules to use the @{PROC} tunable. And finally, it converts the
ubuntu-browsers.d/multimedia abstraction to use the nvidia abstraction.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Nominated-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
caching tests
Merge from trunk commit 2083
Original message:
This patch modifies the parser's caching test to more accurately detect
whether or not the filesystem has a fine enough timestamp resolution.
Occasionally even on filesystems like ext3, the two files' creation
dates would differ when created less than a second apart, which would
typically cause the 'Cache is used when cache is newer' test to fail
because the cached file would have the same timestamp as the profile.
The fix creates 10 files 0.1 seconds apart and ensures that all ten
have distinct timestamps.
(The occasional failure was caught in testing runs like
https://bugs.launchpad.net/qa-regression-testing/+bug/1087061/ )
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
