apparmor/profiles/apparmor.d
John Johansen 7abfc1baf7 profiles: fix sbuild to work with the unprivileged_unshare profile
sbuild is an unconfined profile allowing it to bypass the unprivileged
user namespace restriction.

unconfined profiles use a pix transition, which means that when the
unprivileged_unshare profile is enabled and a binary in an unconfined
profile calls unshare, it will transition to the unprivileged_unshare
profile.

This will break sbuild because it needs capabilities within the
user namespace.

However we cannot just add an x transition rule to unconfined profiles;
the transitions won't be respected. Instead we have to make the profile
a default allow profile, and add a transition that will override
the default pix transition of allow all.

We have to add the attach_disconnected and mediate_deleted flags
because sbuild is manipulating mounts.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-02-19 16:05:57 -08:00
abi policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
abstractions abstraction: add devices-usb & devices-usb-read 2025-02-14 19:44:25 +01:00
apache2.d policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
local Don't create local/* profile sniplets by default 2023-08-20 11:49:10 +02:00
tunables tunable: add letter, alphanumeric character, hex and words variables. 2025-02-14 19:56:28 +01:00
1password profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
alsamixer Add an Alsamixer profile 2025-02-06 11:08:46 -08:00
babeld profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
balena-etcher profiles: add unconfined balena-etcher profile 2024-05-02 08:56:32 -03:00
bfdd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
bgpd profiles/bgpd: remove redundant /etc/services 2025-02-05 17:00:22 +01:00
bin.ping ping: allow reading /proc/sys/net/ipv6/conf/all/disable_ipv6 2024-09-27 12:05:29 +02:00
brave profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
buildah profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
busybox profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
cam profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
ch-checkns profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
ch-run profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
chrome profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
chromium profiles: Add userns stub for Chromium and variants 2024-05-24 00:12:05 -04:00
code profiles: update visual studio code so that it can be run from gnome 2024-02-24 20:27:13 -08:00
crun profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
devhelp add more unconfined profiles 2024-02-06 15:10:20 -03:00
Discord profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
eigrpd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
element-desktop add element-desktop unconfined profile 2024-02-20 12:38:26 +00:00
epiphany add more unconfined profiles 2024-02-06 15:10:20 -03:00
evolution add more unconfined profiles 2024-02-06 15:10:20 -03:00
fabricd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
firefox profiles: adjust unconfined firefox profile to support mozilla.org download 2024-04-03 15:22:57 -07:00
flatpak profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
foliate profiles: add unconfined foliate profile 2024-04-11 15:43:55 -07:00
fusermount3 mnt mount rule change 2025-02-10 10:38:02 -05:00
geary add unconfined profiles for geary, loupe and firefox dev versions 2024-03-15 17:44:23 -03:00
github-desktop profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
goldendict profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
iotop-c profiles/iotop-c: remove owner, redundant rules 2025-02-07 13:40:14 +00:00
ipa_verify profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
isisd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
kchmviewer profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
keybase add keybase unconfined profile 2024-02-02 16:53:58 -03:00
lc-compliance profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
ldpd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
libcamerify profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
linux-sandbox profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
loupe add unconfined profiles for geary, loupe and firefox dev versions 2024-03-15 17:44:23 -03:00
lsb_release policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
lsblk Remove read_search capability 2024-12-03 16:13:33 -03:30
lxc-attach profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
lxc-create profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
lxc-destroy profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
lxc-execute profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
lxc-stop profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
lxc-unshare profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
lxc-usernsexec profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
mmdebstrap profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
MongoDB_Compass profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
msedge profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
nautilus profiles: add nautilus unconfined profile 2024-02-29 08:21:25 -03:00
nhrpd profiles/*frr*: fix includes 2025-01-07 11:39:10 +01:00
notepadqq profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
nvidia_modprobe policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
obsidian profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
opam add more unconfined profiles 2024-02-06 15:10:20 -03:00
opera profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
ospf6d profiles/ospf6d: remove duplicated /etc/services r 2025-01-07 11:36:25 +01:00
ospfd profiles/abstractions/frr: add owner to world-writable directories 2025-01-07 11:36:17 +01:00
pageedit profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
pathd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
pbrd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
php-fpm php-fpm: widen allowed socket paths 2024-11-05 20:03:11 +01:00
pim6d profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
pimd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
plasmashell Add openSUSE path to plasmashell profile 2024-06-04 21:24:53 +02:00
podman profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
polypane profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
privacybrowser profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
qcam profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
qmapshack profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
QtWebEngineProcess profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
qutebrowser profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
remmina remmina: add dconf abstraction and use {etc_ro} for /etc path 2024-11-06 12:40:07 -03:00
ripd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
ripngd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
rootlesskit profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
rpm profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
rssguard profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
runc profiles: runc: allow /usr/bin/runc as well as /usr/sbin/runc 2024-08-14 18:32:35 +09:00
rygel profiles/apparmor.d/rygel: enumerate specific bits for /sys and /dev 2024-12-12 13:05:52 +10:30
samba-bgqd Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
samba-dcerpcd samba-dcerpcd: allow to execute rpcd_witness 2024-06-08 22:46:53 +02:00
samba-rpcd samba-dcerpcd: allow to execute rpcd_witness 2024-06-08 22:46:53 +02:00
samba-rpcd-classic profiles: add fixes for samba from issue #386 2024-04-22 23:46:44 +00:00
samba-rpcd-spoolss policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
sbin.klogd policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
sbin.syslog-ng Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
sbin.syslogd policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
sbuild profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-abort profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-adduser profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-apt profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-checkpackages profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-clean profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-createchroot profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-destroychroot profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-distupgrade profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-hold profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-shell profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-unhold profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-update profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
sbuild-upgrade profiles: fix sbuild to work with the unprivileged_unshare profile 2025-02-19 16:05:57 -08:00
scide profiles: Add more unconfined profiles 2024-03-17 00:16:37 -07:00
signal-desktop profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
slack profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
slirp4netns profiles: slirp4netns: allow pivot_root 2024-08-14 17:29:13 +09:00
staticd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
steam add profiles for applications that create user namespaces 2024-02-02 10:51:06 -03:00
stress-ng profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
surfshark add profiles for applications that create user namespaces 2024-02-02 10:51:06 -03:00
systemd-coredump add profiles for applications that create user namespaces 2024-02-02 10:51:06 -03:00
tar profiles: add missing fowner capability to the tar profile 2025-02-18 17:11:55 -08:00
thunderbird profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
tinyproxy profiles/apparmor.d/tinyproxy: allow capability set[ug]id 2025-02-06 18:52:32 +10:30
tnftp apply suggestions from @georgiag 2024-11-06 11:29:14 +01:00
toybox profiles: attach toybox profile to /usr/bin/toybox 2025-01-21 11:16:24 +01:00
transmission profiles: transmission-gtk needs attach_disconnected 2024-12-17 09:32:18 -03:00
trinity profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
tshark add tshark profile 2025-02-07 07:32:32 +00:00
tup profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
tuxedo-control-center profiles: add unconfined profile for tuxedo-control-center 2024-03-18 09:17:51 -03:00
unix-chkpwd Allow pam_unix to execute unix_chkpwd 2024-03-13 23:13:19 +01:00
unprivileged_userns add special unprivileged_userns profile 2024-02-02 10:52:26 -03:00
userbindmount profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
usr.lib.apache2.mpm-prefork.apache2 policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.lib.dovecot.anvil profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.auth Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
usr.lib.dovecot.config profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.deliver profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.dict Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
usr.lib.dovecot.director Check if all profiles and abstractions contain abi/4.0 2024-10-06 12:07:58 +02:00
usr.lib.dovecot.doveadm-server Check if all profiles and abstractions contain abi/4.0 2024-10-06 12:07:58 +02:00
usr.lib.dovecot.dovecot-auth profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.dovecot-lda profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.imap profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.imap-login Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
usr.lib.dovecot.lmtp Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
usr.lib.dovecot.log profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.managesieve profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.managesieve-login Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
usr.lib.dovecot.pop3 profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.pop3-login Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
usr.lib.dovecot.replicator Check if all profiles and abstractions contain abi/4.0 2024-10-06 12:07:58 +02:00
usr.lib.dovecot.script-login profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.ssl-params profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.lib.dovecot.stats profiles: allow for the default dovecot libexecdir 2023-08-03 01:30:42 -04:00
usr.sbin.apache2 policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.sbin.avahi-daemon policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.sbin.dnsmasq policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.sbin.dovecot Dovecot profile: Allow reading of /proc/sys/kernel/core_pattern 2024-11-21 16:21:17 +02:00
usr.sbin.identd policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.sbin.mdnsd policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.sbin.nmbd profiles: add fixes for samba from issue #386 2024-04-22 23:46:44 +00:00
usr.sbin.nscd policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.sbin.ntpd Clean superfluous openssl abstraction includes 2024-03-12 14:54:01 +01:00
usr.sbin.smbd smbd: allow capability chown 2024-12-09 20:45:42 +01:00
usr.sbin.smbldap-useradd policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.sbin.traceroute policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
usr.sbin.winbindd policy: update to use 4.0 abi 2023-06-30 23:36:12 -07:00
uwsgi-core profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
vdens profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
virtiofsd profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
vivaldi-bin profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
vpnns profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
vrrpd profiles/*frr*: update profiles name 2024-11-07 11:47:42 +01:00
wg profiles/apparmor.d: add wireguard profile 2025-02-07 07:34:53 +00:00
wg-quick profiles/apparmor.d: add wireguard profile 2025-02-07 07:34:53 +00:00
wike profiles: fix wike profile location to apparmor.d 2024-05-02 08:56:32 -03:00
wpa_supplicant profiles: add wpa_supplicant 2025-02-07 18:46:55 +05:30
wpcom profiles: convert local include to match profile name 2023-11-24 18:53:51 -08:00
Xorg Xorg: Bump ABI to 4.0, and document access needed on non-KMS systems 2024-05-08 03:48:32 -04:00
zgrep Merge zgrep: deny passwd access 2024-10-29 13:50:06 +00:00
znc Add a profile for ZNC 2024-10-16 09:44:07 -07:00