mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
7276 commits 23 branches 109 tags 32 MiB
Commit graph

7 commits

Author SHA1 Message Date
Christian Boltz
5657799dc7
Add include if exists <tunables/$FILE.d> to all tunables 
(except the deprecated tunables/sys)

This allows users to extend variables without editing the main tunables
files.

It also allows to cleanly introduce new tunable files (via
tunables/global.d) and new aliases (via tunables/alias.d).

Note: some files already had `include <tunables/$FILE.d>`. These get
changed to `include if exists`, and the comments for these includes get
unified.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/347
 2023-07-30 00:47:34 +02:00
intrigeri
cdeb618518 tunables/share: fix buggy syntax that broke the ~/.local/share part of the @{user_share_dirs} tunable 
Fixes regression introduced in a91d199ab1.

Bug: https://bugs.launchpad.net/apparmor/+bug/1816470
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920833, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921888
 2019-02-24 15:20:17 +00:00
intrigeri
a91d199ab1 Make tunables/share play well with aliases. 
This reverts commit aa3022208f.

Space-separated list of values don't play well with aliases.
For example, in Tails, despite this alias rule:

  alias / -> /lib/live/mount/rootfs/*.squashfs/,

… the Tor Browser profile denies access to
/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/mime.cache, which
should be equivalent to /usr/share/mime/mime.cache. That's fixed by using
alternations instead; too bad they're less readable.

Possibly related:
https://bugs.launchpad.net/apparmor/+bug/888077
https://bugs.launchpad.net/apparmor/+bug/1703692
https://bugs.launchpad.net/apparmor/+bug/1703692
 2019-01-07 12:58:56 +00:00
intrigeri
aa3022208f tunables/share: make variables value more readable by avoiding the use of too many alternations. 
Thanks to Christian Boltz for the suggestion and the patch!
 2018-07-29 01:31:39 +00:00
intrigeri
34dbe372c5 Rename @{usr_share} → @{system_share_dirs} and @{home_local_share} → @{user_share_dirs}. 
Thanks a lot to Simon McVittie for the much better names suggestion.
 2018-07-27 06:33:42 +00:00
intrigeri
0ba94f5a04 freedesktop.org abstraction: treat Flatpak exports the same way as bits shipped by the distro. 
As Simon McVittie <smcv@collabora.com> wrote on
https://bugs.debian.org/865206 and on the AppArmor mailing list:

"Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app.

The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism.".

Bug-Debian: https://bugs.debian.org/865206
 2018-07-27 06:22:22 +00:00
intrigeri
160f1027e4 freedesktop.org abstraction: DRY by factorizing duplicated path components with variables. 
These alternations will need to grow quite a bit in order to support Flatpak
exports. Let's avoid repeating ourselves too much.
 2018-07-27 06:21:40 +00:00