AppArmor profile for `iotop-c`, developed and tested in Ubuntu 24.04 LTS.
Signed-off-by: Allen Huang <allen.huang@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1520
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
profile for wpa_supplicant in oracular
tested: creating, connecting, disconnecting, removing wireless networks, hotspot and p2 networks
Signed-off-by: Sudhakar Verma <sudhakar.verma@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1385
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
- Remove `owner` in /proc/ rules to enable non-root users
- add "include if exists" line to pass the pipeline
- change <abstractions/nameservice> to smaller <abstractions/nameservice-strict>
Signed-off-by: Allen Huang <allen.huang@canonical.com>
- add profile for tshark
- sub profile for dumpcap
- tested with tests from upstream wireshark project,not all test cases
passed but failures unrelated to apparmor restriction
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1384
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
Some weirdnesses:
- The Perl abstraction specifies an ix execution mode for Perl, while my impression from the Python abstraction is that we shouldn't be specifying execution modes for the script interpreter in the abstractions. It's probably too late to change that though.
- Tcl apparently doesn't have an abstraction available. Given the way it's embedded into applications like ZNC, I'm assuming that Tcl doesn't have support files the way Python does.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1376
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Add AA profile for tnftp. This profile has been tested on the latest oracular tnftp version 20230507-2build3 which is also the latest upstream version. This profile limits the file downloads to common download directories and /tmp. It also cripples the "!" command denying access to network and allowing the execution of binaries located directories for which we deny write access. Any feedback is welcome.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1363
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Add AA profile for `socat`. This profile has been tested on the latest oracular socat version `1.8.0.0-4build3` and the latest upstream version `1.8.0.1`. I raised the PR and this profile has already been merged on the `roddhjav/apparmor.d` repo, [here](https://github.com/roddhjav/apparmor.d/pull/454). For now, I have added this profile in "extra", but let me know if you think otherwise, any feedback is welcome.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1319
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
This profile deliberately does not use `abstractions/audio`, instead listing only the subset of the interfaces required to enumerate audio devices and control their volume, without the parts needed to actually send or receive audio from them. This could also be a useful basis for splitting `abstractions/audio` into finer-grained subcomponents.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1517
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.
see
commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1521
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Ryan Lee <rlee287@yahoo.com>
This was tested using the test-tinyproxy.py script from qa-regression-testing as
well as by running the upstream test suite with a brief hack to ensure it
invokes tinyproxy with aa-exec -p tinyproxy first.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1477
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.
see
commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"
Signed-off-by: John Johansen <john.johansen@canonical.com>
tinyproxy does not need all of nameservice, nameservice-strict is
sufficient. Thanks to @cboltz for the suggestion.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Add comments to the profile to explain the use of the local override if the
default configuration is changed. As suggested by @rlee287.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Add rules to allow tinyproxy to bind to privileged ports and access files even
when run as unprivileged/privileged users when using non-standard
configurations. As suggested by @rlee287.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
This was tested using the test-tinyproxy.py script from qa-regression-testing as
well as by running the upstream test suite with a brief hack to ensure it
invokes tinyproxy with aa-exec -p tinyproxy first.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
I had this message in my log
```
Dez 30 08:14:46 kernel: audit: type=1400 audit(1735542886.787:307): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/paperspecs" pid=317509 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
If the second commit is bad, I can drop it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1472
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
