- some *.dat files live in a different directory nowadays (at least in
openSUSE)
- the openSUSE smb.conf includes the (autogenerated) dhcp.conf, so this
file also needs to be readable.
References: https://bugzilla.novell.com/show_bug.cgi?id=863226
Acked-by: Seth Arnold <seth.arnold@canonical.com>
the suggestion to use @{XDG_DOWNLOAD_DIR} in abstractions/user-download as
well as the existing entries.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
The xdg-user-dirs specification[1] allows for translatable and movable common
directories. While this may be beneficial for users who for example want to have
~/Pictures translated into their own language, this flexibility provides
challenges for AppArmor. Untranslated xdg user directories are typically (see
~/.config/user-dirs.dirs):
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/Downloads"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_MUSIC_DIR="$HOME/Music"
XDG_PICTURES_DIR="$HOME/Pictures"
XDG_VIDEOS_DIR="$HOME/Videos"
On an Ubuntu system with the fr_CA locale installed, these become:
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/Téléchargements"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_MUSIC_DIR="$HOME/Musique"
XDG_PICTURES_DIR="$HOME/Images"
XDG_VIDEOS_DIR="$HOME/Vidéos"
While the kernel and AppArmor parser handle these translations fine, the
profiles do not.
As an upstream, we can vastly improve the situation by simply creating the
xdg-user-dirs tunable using the default 'C' xdg-user-dirs values:
$ cat /etc/apparmor.d/tunables/xdg-user-dirs
@{XDG_DESKTOP_DIR}=Desktop
@{XDG_DOWNLOAD_DIR}=Downloads
@{XDG_TEMPLATES_DIR}=Templates
@{XDG_PUBLICSHARE_DIR}=Public
@{XDG_DOCUMENTS_DIR}=Documents
@{XDG_MUSIC_DIR}=Music
@{XDG_PICTURES_DIR}=Pictures
@{XDG_VIDEOS_DIR}=Videos
# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
# to the various XDG directories
#include <tunables/xdg-user-dirs.d>
and then create the /etc/apparmor.d/tunables/xdg-user-dirs.d directory. With
that alone, we can start using rules like this in policy:
owner @{HOME}/@{XDG_MUSIC_DIR}/** r,
and users/admins can adjust /etc/apparmor.d/tunables/xdg-user-dirs or drop files
into /etc/apparmor.d/tunables/xdg-user-dirs.d, providing a welcome convenience.
This of course doesn't solve everything. Because users can modify their
~/.config/user-dirs.dirs file at will and have it point anywhere, so we can't
examine those files and do anything automatic there (when we have user policy we
can revisit this). This patch handles translations well though since use of
translations for these directories happens outside of the user's control. Users
who modify ~/.config/user-dirs.dirs can update policy like they need to now (ie,
this patch doesn't change anything for them).
[0] https://lists.ubuntu.com/archives/apparmor/2013-August/004183.html
[1] http://freedesktop.org/wiki/Software/xdg-user-dirs/
This patch adds basic support for XDG user dirs:
1. Update profiles/apparmor.d/tunables/global to include xdg-user-dirs.
2. Create the xdg-user-dirs tunable using the default 'C' xdg-user-dirs values
and includes tunables/xdg-user-dirs.d
3. Add profiles/apparmor.d/tunables/xdg-user-dirs.d/site.local with commented
out examples on how to use the directory.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Thai-specific functions like word-breaking, input and output methods and basic
character and string support. This is: https://launchpad.net/bugs/1278702
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Description: Allow applications run under sanitized_helper to connect to DBus
This was originally 0076_sanitized_helper_dbus_access.patch in the Ubuntu
apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1056418
From: Steve Beattie <steve.beattie@canonical.com>
Came from 0021-webapps_abstraction.patch in the Ubuntu apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
apparmor packaging.
These were originally 0030-easyprof-sdk.patch and
0037-easyprof-sdk-pt2.patch. Jamie posted an updated
0030-easyprof-sdk_v2.patch and I squashed both patches into one commit.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Grant access to specific files in the /var/run/user/UID/pulse/ directory to
remove access to potentially dangerous and non-essential files such as the
debug (cli) socket provided by the module-cli-protocol-unix module.
Author: Tyler Hicks <tyhicks@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/1211380
Acked-by: Steve Beattie <steve@nxnw.org>
Description: allow mmap of fglrx dri libraries
Bug-Ubuntu: https://launchpad.net/bugs/1200392
Acked-by: Steve Beattie <steve@nxnw.org>
Came from 0038-lp1200392.patch.
Description: update mod_apparmor man page for Apache 2.4 and add new
apparmor.d/usr.sbin.apache2 profile (based on the prefork profile)
Acked-by: Steve Beattie <steve@nxnw.org>
Differs from original 0036-libapache2-mod-apparmor-profile-2.4.patch
ubuntu patch -- I've deleted the "delete the apache 2.2 profile" part of
the patch. So apache 2.2's profile is also still supported.
Author: Micah Gersten <micah@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Modified by Seth Arnold; nvidia nvpau_wrapper.cfg permission was hoisted
up into an nvidia abstraction.
Author: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This was originally patch 0018-lp1056391.patch in the Ubuntu apparmor
packaging; Steve noticed the now-redundant line for /var/lib/sss/mc/passwd
so I removed that at the same time.
After testing the dovecot profiles on a new server, I noticed
/usr/lib/dovecot/dict and /usrlib/dovecot/lmtp need more nameservice-
related permissions.
Therefore include abstractions/nameservice instead of adding more and
more files.
Acked-by: John Johansen (on IRC)
logprof/genprof and related utilities in python. Because the branch that
was worked on was not based on the apparmor tree, not all of the history
can be maintained for files that are not newly created or entirely
rewritten in the branch.
(This merge also includes a subsequent commit to the branch
I was merging from which includes my missed bzr add of
utils/apparmor/translations.py)
perl utilities to the deprecated to directory; a couple of perl
utilities remain, but they are still useful and do not depend on the
Immunix module (just the LibAppArmor perl module).
pep8 --ignore=E501,E302
on individual files. This uncovered a bug where the type of an object
was being compared to a type of a list. However, a python string is a
list of characters, and so would cause the test to be true.
the utility python modules to be used inside another tool with another
textdomain binding and still have the translations for that tool and the
stuff internal to the apparmor module convert properly.
When passing an include directory on the command line to
apparmor_parser, valgrind emits a warning:
Invalid read of size 4
at 0x404DA6: add_search_dir(char const*) (parser_include.c:152)
by 0x40BB37: process_arg(int, char*) (parser_main.c:457)
by 0x403D43: main (parser_main.c:590)
Address 0x572207c is 28 bytes inside a block of size 29 alloc'd
at 0x4C2A420: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x53E31C9: strdup (strdup.c:42)
by 0x404D94: add_search_dir(char const*) (parser_include.c:145)
by 0x40BB37: process_arg(int, char*) (parser_main.c:457)
by 0x403D43: main (parser_main.c:590)
This patch quiets the warning by removing strlen() calls on the t char
array. Instead, it only calls strlen() on the dir char array. t is a
dupe of dir and strlen(dir) does not trigger the valgrind warning.
Additionally, this patch adds a bit of defensive programming to the
while loop to ensure that index into the t array is never negative.
Finally, the valgrind suppression is removed from valgrind_simple.py.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
With commit 2364 addressing one of valgrind's false positives, we can
remove the related valgrind suppression entry from the test script.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
strlen() assumes that it can read an entire word but when a char array
does not end on a word boundary, it reads past the end of the array.
This results in the following valgrind warning:
Invalid read of size 4
at 0x40A162: yylex() (parser_lex.l:277)
by 0x40FA14: yyparse() (parser_yacc.c:1487)
by 0x40C5B9: process_profile(int, char const*) (parser_main.c:1003)
by 0x404074: main (parser_main.c:1340)
Address 0x578d870 is 16 bytes inside a block of size 18 alloc'd
at 0x4C2A420: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x53E31C9: strdup (strdup.c:42)
by 0x40A145: yylex() (parser_lex.l:276)
by 0x40FA14: yyparse() (parser_yacc.c:1487)
by 0x40C5B9: process_profile(int, char const*) (parser_main.c:1003)
by 0x404074: main (parser_main.c:1340)
This patch quiets the warning by not using strlen(). This can be done
because yyleng already contains the length of string.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
