profiles: rw file perms are now needed on AF_UNIX socket files

The AppArmor kernel now checks for both read and write permissions when
a process calls connect() on a UNIX domain socket.

The patch updates four abstractions that were found to be needing
changes after the change in AF_UNIX kernel mediation.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

profiles/apparmor.d/abstractions/cups-client

@@ -12,7 +12,7 @@
   # discoverable system configuration for non-local cupsd
   /etc/cups/client.conf   r,
   # client should be able to talk the local cupsd
-  /{,var/}run/cups/cups.sock w,
+  /{,var/}run/cups/cups.sock rw,
   # client should be able to read user-specified cups configuration
   owner @{HOME}/.cups/client.conf r,
   owner @{HOME}/.cups/lpoptions r,

profiles/apparmor.d/abstractions/dbus

@@ -10,5 +10,5 @@
 # ------------------------------------------------------------------
 
   # System socket. Be careful when including this abstraction.
-  /{,var/}run/dbus/system_bus_socket w,
+  /{,var/}run/dbus/system_bus_socket rw,
   dbus bus=system,

profiles/apparmor.d/abstractions/p11-kit

@@ -19,6 +19,9 @@
   /usr/share/p11-kit/modules/  r,
   /usr/share/p11-kit/modules/* r,
 
+  # gnome-keyring pkcs11 module
+  owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
+
   # p11-kit also supports reading user configuration from ~/.pkcs11 depending
   # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
   # included in this abstraction.

profiles/apparmor.d/abstractions/private-files-strict

@@ -9,6 +9,8 @@
   audit deny @{HOME}/.ssh/** mrwkl,
   audit deny @{HOME}/.gnome2_private/** mrwkl,
   audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+  # don't allow access to any gnome-keyring modules
+  audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
   audit deny @{HOME}/.mozilla/** mrwkl,
   audit deny @{HOME}/.config/chromium/** mrwkl,
   audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,