[2.10..2.13] Add for Certbot on openSUSE Leap
See merge request apparmor/apparmor!398
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13
The default path is /etc/certbot/archive/{some domain}/{file name}.pem
See merge request apparmor/apparmor!397
This is a manual cherry-pick of 4d275bab696f58e1431d26da642e82adbe092526
and 3016ffb3367e03ee2129401472d44d5eea4c1fb2
[2.13] parser: allow using a custom sbin & usr/sbin dir
This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)
[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]
Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/
(cherry picked from commit 7c86a2acaf33ac9abd5548216e49dcfd3eb6196c)
Cherry-pick requested in https://gitlab.com/apparmor/apparmor/issues/38
See merge request apparmor/apparmor!393
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The mult_mount test creates a small disk image, formats it, and mounts
it in multiple locations in preparation for the tests. However, the
created raw file (80KB) is too small to make a working file system if
4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently
changed for mkfs to default to always using 4K blocks, causing the
script to fail.
We could force mkfs to use 1K blocks, but instead, in case some future
version of mkfs decides not to support 1K blocks at all, we bump up the
size of the disk image to 512KB; large enough to work with 4K blocks
yet small enough to be workable in small scale test environments.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192
MR: https://gitlab.com/apparmor/apparmor/merge_requests/396
(cherry picked from commit 7c7a4bc5311d983f2c4316252b830c52a5a0930b)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)
[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]
Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/
(cherry picked from commit 7c86a2acaf33ac9abd5548216e49dcfd3eb6196c)
Found this path is used by gtk_compose_hash_get_cache_path() in
gtkcomposetable.c.
(cherry picked from commit 6da7ed2a781d3a650c5f8dd239d54aeeea974eed)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This addresses https://launchpad.net/bugs/1575438 and also the case of
applications accessing the socket directly (due to NSS config).
(cherry picked from commit ac1d0545f458b11728f2bcb4a7de0567538fa94a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add file rule to allow reading application profiles for NVIDIA
Linux graphics driver.
(cherry picked from commit f2e0fdc72bfa972cfd0a5caeb697dba1cbcdbe20)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When dc010bc0340fe8b7159db5c3c2e01f7e27749ea8 was
backported to the apparmor-2.13 branch (in commit
75236d62e2bcbed36cccf84212d1ac92d2b6ae0b), it did not take into
account cb8c3377babfed4600446d1f60d53d8e2a581578, which creates the
common/list_af_names.sh script as used in the test case, was not also
backported to the apparmor-2.13 branch.
Change the test case to get the list of network AF names via the same
make invocation taken by the utils/vim/create-apparmor.vim.py script
before the common/list_af_names.sh existed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/391
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Omnibus collection of translations updates.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from merge commit 3ee468864dae51a6b0286c2c89d51d3935ac5fc2
plus following translation fix.)
The translated action character for Deny conflicted with the
untranslated action character for Finish in the Swedish translation.
Remote it, and hope for more action translations.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 03c08cf9893c51a52a6c4361035772a6fca1fa0f)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 9d226f5887fc554294f2693c341d1e74b965635b)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 01656486ef1fa803e8d1c2fed227114c7b910b4d)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 90a4b301bd569b7b6c325473d6cee7d1d36702d0)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 3b1c320cfc28ce6591095683c4e2c0986a329dee)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5a62c6874351acc01395247fe3caab7a2bc516df)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 78c09e4337ca17483b021e0355c078d449437bae)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2c614d441358565e135f2af57f0d01cc07e7f5a0)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit d14723b78c5fea6c8c08c3bd2d81531ee492ff99)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit fe2faeb24f8d3a37f4f6e2c457d44c77115002aa)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 9650201928a1129ae0d952dff8b550d5b00e2fb4)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2b936e25a81565151a2d2ef4ac2374da27eee3a6)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 02ba8523c6018b81360b8b6bb31af10d81c2b46a)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 72bcf23c5d495625d21c787afc6ce389ff58b949)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 9f9294b48bedbdfb8263e556ebd5a50db2538b6e)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 41b5fecbcf95227ad241b9bf312d0972feec7d75)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit dc98e8ff554f478cab4321b9623f2ef8596c057b)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit ba3dc9fc85a246126d3f9f0711fe41d7d4470248)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 42b43d58d0d37b1d587a596330ff83b1db8873bb)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 301857ef5d1213f24323718d55c8a708b807f579)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 303deea3a816e88bdbf5661cce46cc79ea2ab8cb)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 894c6cd6d2340415c23083db65eeaeafbc561cc2)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit eb38db595330be59120b7c874c7c86fedfd4e277)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5cc8718965a2ed59bc36c522e56c2ef7f6bbd4f6)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
The parser currently skips the cache if optimizations are specified
because it can not determine if the cached policy was compiled
with the specified optimization. However this causes cache misses
even if policy is cached with those options, and distros are setting
some optimizations by default.
Instead of skipping reading the cache if optimizations are set, users
can force overwriting the cache if needed, until the parser can
store aditional meta info in the cache.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/385
BugLink: http://bugs.launchpad.net/bugs/1820068
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit f6cd5c01c1a5bca947516055543144870f1476b0)
This is a partial backport of bc36daa264b0f0067deeb1de893a27b25bc5e4e4
(without the abstractions/nameservice removal in
usr.lib.dovecot.pop3-login)
Original commmit message:
dovecot: align {pop3,managesieve}-login to imap-login
Those 3 login daemons should have similiar needs and thus similar
profiles. IMAP is likely the most tested one so let's align the
other 2 with it. Unix and TCP sockets rules were added to pop3-login
after the removal of abstractions/nameservice that included them
implicitly.
Signed-off-by: Simon Deziel <simon@sdeziel.info>
[2.12+2.13] make abstractions/postfix-common compatible with latest postfix profiles
See merge request apparmor/apparmor!387
Seth Arnold <seth.arnold@canonical.com>
Even if we don't backport the latest postfix profiles (in extras) to
2.12 and 2.13, making the abstraction compatible with them (by adding
peer=postfix-master rules in addition to the path-based ones) makes
things much easier for people who want to use the latest profiles.
When building with swig 4 we are seeing the error
AttributeError: 'aa_log_record' object has no attribute '__getattr__'
Which forces swig to use modern classes which do not generate __getattr__
methods.
issue: https://gitlab.com/apparmor/apparmor/issues/33
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a6ac6f4cfcc3d4fe1064087389004c3cc8b41207)
looping through the first 16 loop devices to find a free device will
fail if those mount devices are taken, and unfortunately there are
now services that use an excessive amount of loop devices causing
the regression test to fail.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/379
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit ab0f2af1da2bcab0d4898e2140c736121c528737)
[2.11..2.13] handle_children: Fix denying of adding a hat
See merge request apparmor/apparmor!378
Acked-by: John Johansen <john.johansen@canonical.com>
