Merge Extend crypto and ssl_certs abstractions

- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory - crypoto: allow reading /etc/gcrypt/hwf.deny I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/961 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit bb30df7843) d15bfa99 Extend crypto and ssl_certs abstractions
2025-08-31 22:35:35 +00:00 · 2023-01-24 21:38:19 +00:00
parent d2905d907a
commit ca6191d158
2 changed files with 2 additions and 1 deletions
--- a/profiles/apparmor.d/abstractions/crypto
+++ b/profiles/apparmor.d/abstractions/crypto
@@ -13,6 +13,7 @@

  abi <abi/3.0>,

+  @{etc_ro}/gcrypt/hwf.deny r,
  @{etc_ro}/gcrypt/random.conf r,
  @{PROC}/sys/crypto/fips_enabled r,

--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -17,7 +17,7 @@
  /etc/{,libre}ssl/certs/{,**} r,
  /{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
  /{etc,usr/share}/pki/trust/{,*} r,
-  /{etc,usr/share}/pki/trust/anchors/{,**} r,
+  /{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
  /usr/share/ca-certificates/{,**} r,
  /usr/share/ssl/certs/ca-bundle.crt          r,
  /usr/local/share/ca-certificates/{,**} r,