/var/lib/dhcp/dhclient6.leases path for lease file on IPv6 has been in
dhcp repository since 2008, now visible in commit 8dea7ba7 ("Add DHCPv6
files in configure").
Adding it via extending dhclient-*.leases pattern.
Not sure whether /var/lib/dhcp6/dhclient.leases was ever used on Linux,
but keep in for backward compatibility.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
dovecot: allow reading /proc/sys/fs/suid_dumpable
This is needed if a dovecot child process segfaults - in this case, dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.or /bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
I propose this fix for 2.10..master.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/286
Acked-by: John Johansen <john.johansen@canonical.com>
i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
This is needed if a dovecot child process segfaults - in this case,
dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
`/etc/letsencrypt/live/` contains symlinks to
`/etc/letsencrypt/archive/` which contains the keys. Add the
certs to ssl_certs and the private keys to ssl_keys.
Grant the ability to communicate with the postfix named child profiles
via signals and unix sockets. Include the path-based match names as
a fallback on upgrades.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Convert all the postfix subprocesses to using named profiles instead of
path match profiles, and adjust exec paths for newer debian/ubuntu
releses. Rename profiles to match profile names.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Convert postfix's master profile to use a named profile
(postfix-master) rather than the exec path match pattern. Adjust
postfix-common abstraction to take this into account. Rename profile
name in the profiles/apparmor/profiles/extras/ directory to match
the profile name.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Commit aa06528790 made @{sys} tunable
available by default.
Update profiles and abstractions to actually use @{sys} tunable for
better confinement in the future (when @{sys} becomes kernel var).
Closes LP#1728551
Also adjust the signal rules in the dovecot-common and apache2-common
abstractions to match the profile names, and to really do that
(peer=...{bin,sbin}... didn't work, the correct syntax would have been
peer=...\{bin,sbin\}...)
This fixes the regression introduced by !149 / commit
4200932d8f
Move @{sys} into tunables/kernelvars to make it readily available for
all profiles by default. In order to avoid duplicate variable
declaration, other tunable includes where modified accordingly.
Additionally, apparmor_api/is_enable has updated comment with regards to
@{sys} availability. tunables/sys is now marked as deprecated and should
not be used as it is noop, left only for backwards compatibility.
This is preparation for fixing bug:
https://bugs.launchpad.net/apparmor/+bug/1728551
Thanks to Christian Boltz for original idea to implement this in
non-breaking manner.
--log-facility option needs to have permission to open files.
Use '*' to allow using more files (for using more dnsmasq instances).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
We ship newer versions of these profiles in apparmor.d, so there's no
reason to keep the outdated ones (no serious change since > 10 years) in
the extra directory.
Use nvidia_modprobe named profile inside opencl-nvidia abstraction
Commit 8f9bd5b0 rightfully removed PUx
transition into nvidia-modprobe executable due to security concerns. To
overcome this, commit 327420b1 added
named nvidia_modprobe profile, which allows to use this abstraction
without requiring additional rules to make OpenCL work with NVIDIA
drivers.
Add rule to allow Px transition into nvidia_modprobe profile for
nvidia-modprobe executable.
I propose this for 2.13..master (opencl* are only available in 2.13...). Please check if nvidia_modprobe is already backported.
https://gitlab.com/apparmor/apparmor/merge_requests/219
Acked-by: John Johansen <john.johansen@canonical.com>
Add missing paths to usr.sbin.nmbd, usr.sbin.smbd and abstractions/samba
See merge request apparmor/apparmor!210
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
Commit 8f9bd5b0e3 rightfully removed PUx
transition into nvidia-modprobe executable due to security concerns. To
overcome this, commit 327420b151 added
named nvidia_modprobe profile, which allows to use this abstraction
without requiring additional rules to make OpenCL work with NVIDIA
drivers.
Add rule to allow Px transition into nvidia_modprobe profile for
nvidia-modprobe executable.
Add nvidia_modprobe named profile
nvidia-modprobe is setuid executable is used to create various device
files and load the the NVIDIA kernel module
(https://github.com/NVIDIA/nvidia-modprobe).
Add named profile to be used in application profiles for confining
potentially risky setuid application.
I propose this to 2.10..master.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/213
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
nvidia-modprobe is setuid executable is used to create various device
files and load the the NVIDIA kernel module
(https://github.com/NVIDIA/nvidia-modprobe).
Add named profile to be used in application profiles for confining
potentially risky setuid application.
Currently, kde abstraction has rules relevant to Qt 3 and Qt 4
libraries, but are missing rules against latest Qt 5.
Include read-only Qt 5 abstraction to fix styling and similar issues for
software running on KDE 5 desktop.
Fixes https://bugs.launchpad.net/apparmor/+bug/1787201
Add @{uid} and @{uids} variables to allow migrating profiles in advance
while awaiting path mediation implementation, based on current user id,
in kernel side.
