At least on Debian, with recent versions of fontconfig-config
(>= 2.10), files in /etc/fonts/conf.d/ are symlinks pointing to
/usr/share/fontconfig/.
This was reported by Jakub Wilk <jwilk@debian.org> on Debian bug #714843.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
abstractions/ubuntu-browsers.d/ubuntu-integration.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
abstractions/mysql contains
/var/lib/mysql/mysql.sock rw,
/usr/share/mysql/charsets/ r,
/usr/share/mysql/charsets/*.xml r,
but the files moved (at least on openSUSE) to
/usr/share/mysql-community-server/charsets/*.xml
/var/run/mysql/mysql.sock
This causes denials for all applications using MySQL on 12.2 and
Factory.
MariaDB has the *.xml files in
/usr/share/mariadb/charsets/*.xml
and also seems to use /var/run/mysql/ for the socket.
Since MariaDB is basically a drop-in replacement for MySQL, it makes
sense to allow access to it via abstractions/mysql.
References: https://bugzilla.novell.com/show_bug.cgi?id=798183
Acked-by: Seth Arnold <seth.arnold@canonical.com>
I was testing out a profile for pulseaudio and hit an issue where my
pulseaudio process was getting the firefox profile applied to it. This
is because in abstractions/ubuntu-browsers.d/multimedia the rule for
pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it
to Pixr, so as to use a global pulseaudio policy if it exists.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
From: Simon Deziel <simon.deziel@gmail.com>
A fair number of the rules that apply to files in @{HOME} predate the
existence of the 'owner' qualifier. This patch adds the 'owner'
qualifier in several places.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
target in the profiles Makefile, for future archaeological spelunking.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adds the kernelvars tunable to the global set that is usually
included by default in apparmor policies. It then converts the rules
that are intended to match /proc/pid to use this tunable.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
This patch finishes the conversion from /proc to the @{PROC}
tunable within profiles and abstractions. It also adjusts some of
the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict
things to just the /proc/pid directories. (A followup patch will
convert these to use @{pid} from the kernelvars tunable.)
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
In testing the skype profile, I found access to my @{HOME}/.XCompose
was being rejected. This patch updates the X abstraction to take a
user's defined XCompose key shortcuts into account.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Author: Jamie Strandboge <jamie@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/933440 Forwarded: yes
This is a very slightly updated version of the skype profile
update that Jamie Strandboge submitted, but did not get a review.
The only addition over the previously submitted version is rw access
to @{HOME}/.config/Skype/Skype.conf.
(This commit incorporates the additional @{HOME}/.kde4 change proposed
by Christian Boltz <apparmor@cboltz.de>)
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
The apparmor_api abstractions make the mistake of including tunables
directly, which is a no-no since the variable definitions in tunables
need to occur in the preamble of a profile, not embedded within it.
This patch removes those includes, and replaces them documentation of
tunables are necessary, as some of the expected ones are not part of
tunables/global.
It also adjust the kernelvars tunable's definition of the @{pid}
regex, as the current parser does not support nesting of {} groupings,
which breaks any profile that attempts to use the tunable.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
This patch modifies the nvidia abstraction to add the livdpau wrapper
config file for nvidia workarounds. It also converts the /proc/
rules to use the @{PROC} tunable. And finally, it converts the
ubuntu-browsers.d/multimedia abstraction to use the nvidia abstraction.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
This patch separates out make check in the profiles/ directory into
two sub targets, for checking profiles against the built parser
and aa-logprof respectively. The logprof check currently makes some
assumptions about the environment that make it difficult to run in
a minimal chroot environment.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
When I corrected the profiles/Makefile to automatically find files to
install, I converted one variable name but missed a later location where
that variable was used, which broke the 'make check' target, because
directories would be handed to the apparmor parser. This patch corrects
that and also makes the VERBOSE flag report each profile name as it's
being handed to the parser.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
to the apparmor_api subtree not getting added in the Makefile. Rather
Rather than require every sub-directory that gets added to be
enumerated, it uses find to determine what directories and files to
install, to avoid future breakage. It is admittedly slower than the
original code because install(1) is being invoked for every file in
the apparmor.d tree, rather than acting on wildcard globs. That said,
I think it's an acceptable tradeoff.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
I added this profile to the openSUSE apparmor-profiles package in Feb 2012.
Until now I didn't receive any bugreports so I'd say it's complete ;-)
References: https://bugzilla.novell.com/show_bug.cgi?id=748499
Acked-By: jdstrand (on IRC)
/etc/apparmor/profiles/extras/, and update the path at various places.
Also update the mailinglist address in extra-profiles README and
recommend cp instead of mv.
Note: if you want to have a symlink
/etc/apparmor/profiles/extras -> /usr/share/apparmor/extra-profiles/
for backward compability, you'll have to create it yourself (for example
in the .spec file)
This also fixes https://bugzilla.novell.com/show_bug.cgi?id=713647
Acked-by: John Johansen <john.johansen@canonical.com>
/usr/share/poppler/cMap/**. These files are included in the poppler-data
package on Ubuntu, and their 'r' denials create quite a bit of noise.
Apparently they are needed to display PDF documents containing CJK
characters with libpoppler. I added it to the gnome abstraction because
several applications not linked against poppler are consulting this
data.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Description: ubuntu-integration does not work properly with exo-open
Bug-Ubuntu: https://launchpad.net/bugs/987578
Acked-By: Jamie Strandboge <jamie@canonical.com>
the chromium and chrome sandboxes are setuid root, they only link in limited
libraries so glibc's secure execution should be enough to not require the
santized_helper (ie, LD_PRELOAD will only use standard system paths (man
ld.so)). Also allow some paths in /opt for Chrome.
Ubuntu-Bug: https://launchpad.net/bugs/964510
Acked-By: Jamie Strandboge <jamie@canonical.com>
sanitized_helper. For now this only allows software-center scripts in
/usr/share, but we may need to increase what is allowed in /usr/share if more
things are denied when they shouldn't be.
Ubuntu-Bug: https://launchpad.net/bugs/972367
Acked-By: Jamie Strandboge <jamie@canonical.com>
