journal socket. On Debian and Ubuntu systems, /dev/log is a symlink to
/run/systemd/journal/dev-log, so this access is now required in the base
abstraction to maintain current behavior.
Bug: https://bugs.launchpad.net/apparmor/+bug/1413232
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
socket. Note, DBus mediation is still in effect so rules still need to be added
for accessing the DBus API (LP: #1375067)
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1339727
LightDM keeps moving the location where it stores xauthority files for
users, when configured to store them in a system directory (e.g. with
[LightDM]
user-authority-in-system-dir=true
set in a lightdm configuration file).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Based on a patch from Felix Geyer who wrote in April:
> On Ubuntu trusty the php package creates config symlinks in
> /etc/php5/cli/conf.d/, /etc/php5/cgi/conf.d/ and
> /etc/php5/fpm/conf.d/ to /etc/php5/mods-available/.
This patch is a simplified version of his patch that allows
/etc/php5/**.ini r and /etc/php5/**/ r
Acked-by: Seth Arnold <seth.arnold@canonical.com> on IRC
(after menacing an Acked-by: <timeout>)
The Debian and Ubuntu Ruby 1.9.1 package is configured like this:
--with-vendordir='/usr/lib/ruby/vendor_ruby' --with-sitedir='/usr/local/lib/site_ruby
These paths are missing in the ruby abstraction.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
getopt, setopt and shutdown. This was added based on incorrect logging in early
iterations of the abstract kernel patches which have since been fixed. These
options don't make sense with peer=(addr=none), so drop that.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
mistakenly did not incorporate feedback from Seth Arnold. Specifically, don't
specify label=unconfined on the abstract sockets.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- the base abstraction for common abstract and anonymous rules (comments
included per rule)
- dbus-session-strict to add a rule for connecting to the dbus session
abstract
socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
explicit label if people preferred that
- X to add a rule for connecting to the X abstract socket. Same as for
dbus-session-strict
- nameservice to add a rule for connecting to a netlink raw. This change could
possibly be excluded, but applications using networking (at least on Ubuntu)
all seem to need it. Excluding it would mean systems using nscd would need to
add this and ones not using it would have a noisy denial
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
When configured with "clustering = yes", Samba needs to be able to
connect to the local ctdbd daemon socket, and directly manipulate .tdb
database files managed by ctdb.
Signed-off-by: David Disseldorp <ddiss@suse.de>
This commit adds a dovecot-common abstraction, as well as adjusting
the profiles for dovecot's helper binaries to make use of it. The
important addition is the ability for the dovecot master process to
send signals to the helpers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Move postfix-common from program-chunks/ to abstractions/; remove
program-chunks directory since postfix-common was the last resident of
that directory (and had been since 2007), and adjust the includes of all
the profiles that include postfix-common.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- Allow reciprocal ptrace readby to everyone (requires peer unconfined or to
ptrace read to us)
- same for ptrace tracedby
- allow us to ptrace read ourselves
- receive all signals from unconfined
- allow us to signal ourselves
- allow sending and receiving "exists" (for pid existence)
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Update the apache2-common abstraction so that the parent apache process
can kill worker processes inside of hats, as well as handle the updated
mod_apparmor behavior that invokes aa_change_hatv() and then checks
which hat it ended up in via aa_getconn() (which reads from
{PROC}/@{pid}/attr/current).
Author: Kees Cook <kees@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/apparmor/+bug/1322764
Ubuntu 14.04's chromium-browser has changed paths in a way that prevents
evince from opening clicked links in chromium-browser windows.
This patch adds a new path for the chrome-sandbox executable to the
sanitized_helper profile, so chromium will get its own tailored profile if
necessary.
The reporter who said this patch helped included some further DENIED lines
for signals that indicates this is probably not sufficient but did make
the links work as expected.
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1282314
Signed-off-by: Seth Arnold <seth.arnold@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
and its derivatives
Bug-Ubuntu: https://launchpad.net/bugs/1285653
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
- some *.dat files live in a different directory nowadays (at least in
openSUSE)
- the openSUSE smb.conf includes the (autogenerated) dhcp.conf, so this
file also needs to be readable.
References: https://bugzilla.novell.com/show_bug.cgi?id=863226
Acked-by: Seth Arnold <seth.arnold@canonical.com>
the suggestion to use @{XDG_DOWNLOAD_DIR} in abstractions/user-download as
well as the existing entries.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Thai-specific functions like word-breaking, input and output methods and basic
character and string support. This is: https://launchpad.net/bugs/1278702
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Description: Allow applications run under sanitized_helper to connect to DBus
This was originally 0076_sanitized_helper_dbus_access.patch in the Ubuntu
apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1056418
From: Steve Beattie <steve.beattie@canonical.com>
Came from 0021-webapps_abstraction.patch in the Ubuntu apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Grant access to specific files in the /var/run/user/UID/pulse/ directory to
remove access to potentially dangerous and non-essential files such as the
debug (cli) socket provided by the module-cli-protocol-unix module.
Author: Tyler Hicks <tyhicks@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/1211380
Acked-by: Steve Beattie <steve@nxnw.org>
Description: allow mmap of fglrx dri libraries
Bug-Ubuntu: https://launchpad.net/bugs/1200392
Acked-by: Steve Beattie <steve@nxnw.org>
Came from 0038-lp1200392.patch.
Author: Micah Gersten <micah@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Modified by Seth Arnold; nvidia nvpau_wrapper.cfg permission was hoisted
up into an nvidia abstraction.
Author: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This was originally patch 0018-lp1056391.patch in the Ubuntu apparmor
packaging; Steve noticed the now-redundant line for /var/lib/sss/mc/passwd
so I removed that at the same time.
