Merge branch 'cboltz-gcrypt' into 'master'

add abstractions/crypto, allowing reading @{etc_ro}/gcrypt/random.conf r, and move several rules around See merge request apparmor/apparmor!772 Acked-by: John Johansen <john.johansen@canonical.com>
2025-08-22 10:07:12 +00:00 · 2021-07-13 21:52:25 +00:00 · 2021-07-13 21:52:25 +00:00 · f466e80d18
commit f466e80d18
parent 4e8ca5696e b5241282e8
4 changed files with 27 additions and 9 deletions
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@ -12,6 +12,7 @@

  abi <abi/3.0>,

+  include <abstractions/crypto>

  # (Note that the ldd profile has inlined this file; if you make
  # modifications here, please consider including them in the ldd
@ -104,9 +105,6 @@
  # glibc's *printf protections read the maps file
  @{PROC}/@{pid}/{maps,auxv,status} r,

-  # libgcrypt reads some flags from /proc
-  @{PROC}/sys/crypto/*           r,
-
  # some applications will display license information
  /usr/share/common-licenses/**  r,

--- a/profiles/apparmor.d/abstractions/crypto
+++ b/profiles/apparmor.d/abstractions/crypto
@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2009-2011 Canonical Ltd.
+#    Copyright (C) 2021 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  abi <abi/3.0>,
+
+  @{etc_ro}/gcrypt/random.conf r,
+  @{PROC}/sys/crypto/fips_enabled r,
+
+  # libgcrypt reads some flags from /proc
+  @{PROC}/sys/crypto/* r,
+
+  # crypto policies used by various libraries
+  /etc/crypto-policies/*/*.txt r,
+  /usr/share/crypto-policies/*/*.txt r,
+
+  include if exists <abstractions/crypto.d>
--- a/profiles/apparmor.d/abstractions/openssl
+++ b/profiles/apparmor.d/abstractions/openssl
@ -12,8 +12,6 @@

  /etc/ssl/openssl.cnf r,
  /usr/share/ssl/openssl.cnf r,
-  @{PROC}/sys/crypto/fips_enabled r,
-

  # Include additions to the abstraction
  include if exists <abstractions/openssl.d>
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@ -41,9 +41,5 @@
  /etc/certbot/archive/*/chain*.pem r,
  /etc/certbot/archive/*/fullchain*.pem r,

-  # crypto policies used by various libraries
-  /etc/crypto-policies/*/*.txt r,
-  /usr/share/crypto-policies/*/*.txt r,
-
  # Include additions to the abstraction
  include if exists <abstractions/ssl_certs.d>