- dict needs abstractions/openssl (seen with dovecot 2.2.31 since
using openssl 1.1)
- imap needs to write tempfiles (seen with dovecot 2.2.31)
- managesieve-login needs access to the login-master-notify socket
(seen with dovecot 2.2.33)
- pop3-login needs access to the anvil socket (reported by pfak on
IRC some months ago)
* Alter paths to allow Java version 8 and up.
* Add file rules to fix IcedTea browser plugin.
* Refactor to keep path consistensy against parent and child profile,
reduce repetitive rules.
On 64bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT,
(2^22), which results in seven digit pids. Adjust the @{PID} variable in
tunables/global to accept this.
Acked-by: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
These files are used by OpenAL for better spatialization of sounds
when headphones are detected.
Bug and patch by Simon McVittie <smcv@debian.org>:
https://bugs.debian.org/874665
The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
Merge from Vincas Dargis, approved by intrigeri
Fix user-write and user-download abstractions for non-latin file names.
Acked-by: Steve Beattie <steve@nxnw.org>
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
Based on Cameron Norman's initial work
(http://bazaar.launchpad.net/~cameronnemo/apparmor/gnome-abstraction/revision/3111) with the following changes:
* don't include GTK+ 3.0 configuration: already done earlier
* generalize to future GLib versions
* support /usr/local
* allow reading the parent directory as well, following the lead
of usr.lib.telepathy: this is harmless and could be needed in some cases.
Description: adjust the multiarch alternation rule in the perl abstraction for
modern Debian and Ubuntu systems which store some modules under the
architecture-specific perl-base directory instead of perl or perl5.
Signed-Off-By: Jamie Strandboge <jamie@canonical.com>
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal
(see systemd-cat(1)).
In addition to systemd-cat, the stdout access is required for nested container
(eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
containers require 'r' in addtion to 'w' to work. journald does not allow
reading log entries from this socket so the access is deemed safe.
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
glibc implements this by doing a readdir() and filtering.
We already allowed sysconf(_SC_NPROCESSORS_ONLN), which is
basically a read from /sys/devices/system/cpu/online.
Signed-off-by: Simon McVittie <smcv@collabora.com>
dovecot-lda needs
- the attach_disconnected flags
- read access to /usr/share/dovecot/protocols.d/
- rw for /run/dovecot/auth-userdb
References: https://bugs.launchpad.net/bugs/1650827
Acked-by: Steve Beattie <steve@nxnw.org> for 2.9, 2.10 and trunk.
