Merge abstractions/crypto: allow read of more common crypto configuration files

Administrators might want to define global limits (e.g. disabling a particular feature) via configuration files, but to make that work all confined software needs to be allowed to read those files or otherwise the risk is to silently fall back to internal defaults. This adds the paths usually used by gnutls and openssl to improve these kind of use cases. Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2056739 Fixes: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2056747 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1178 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-09-01 06:45:38 +00:00 · 2024-03-12 11:27:59 +00:00
parent d1d39d176e f27b1ef93a
commit 3d1dedfa7e
1 changed files with 7 additions and 0 deletions
--- a/profiles/apparmor.d/abstractions/crypto
+++ b/profiles/apparmor.d/abstractions/crypto
@@ -13,6 +13,9 @@

  abi <abi/4.0>,

+  # Global config of openssl
+  include <abstractions/openssl>
+
  @{etc_ro}/gcrypt/hwf.deny r,
  @{etc_ro}/gcrypt/random.conf r,
  @{PROC}/sys/crypto/fips_enabled r,
@@ -24,4 +27,8 @@
  /etc/crypto-policies/*/*.txt r,
  /usr/share/crypto-policies/*/*.txt r,

+  # Global gnutls config
+  @{etc_ro}/gnutls/config r,
+  @{etc_ro}/gnutls/pkcs11.conf r,
+
  include if exists <abstractions/crypto.d>