2.7.1 Release

(At least) openSUSE uses ~/.kde4 to store KDE4 settings.
This patch changes ~/.kde/ to ~/.kde{,4} in all abstractions.

The patch is mostly from Velery Valery, I only fixed a merge conflict 
and added the kmail{,2} part in private-files-strict.

References: https://bugzilla.novell.com/show_bug.cgi?id=741592

Acked-By: Steve Beattie <sbeattie@ubuntu.com> for both trunk and 2.7.

common/Version

@@ -1 +1 @@
-2.7.0
+2.7.1

profiles/Makefile

@@ -56,6 +56,7 @@ install: local
                           ${PROFILES_DEST}/program-chunks \
                           ${PROFILES_DEST}/tunables \
                           ${PROFILES_DEST}/tunables/home.d \
+                          ${PROFILES_DEST}/tunables/multiarch.d \
                           ${PROFILES_DEST}/local
 	install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
 	install -m 644 ${ABSTRACTIONS_TO_COPY} ${PROFILES_DEST}/abstractions

profiles/apparmor.d/abstractions/apache2-common

@@ -1,9 +1,20 @@
 # vim:syntax=apparmor
 
+# This file contains basic permissions for Apache and every vHost
+
+  #include <abstractions/nameservice>
+
   # Apache
   network inet stream,
+  network inet6 stream,
+  # apache manual, error pages and icons
   /usr/share/apache2/** r,
 
   # changehat itself
   /proc/*/attr/current                        w,
 
+  # htaccess files - for what ever it is worth
+  /**/.htaccess            r,
+
+  /dev/urandom            r,
+

profiles/apparmor.d/abstractions/aspell

@@ -2,7 +2,7 @@
 # aspell permissions
 
   # per-user settings and dictionaries
-  @{HOME}/.aspell.*.{pws,prepl} rk,
+  owner @{HOME}/.aspell.*.{pws,prepl} rwk,
 
   # system libraries and dictionaries
   /usr/lib/aspell/ r,

profiles/apparmor.d/abstractions/authentication

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009-2011 Canonical Ltd
+#    Copyright (C) 2009-2012 Canonical Ltd
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -47,3 +47,5 @@
   # smbpass
   #include <abstractions/smbpass>
 
+  # p11-kit (PKCS#11 modules configuration)
+  #include <abstractions/p11-kit>

profiles/apparmor.d/abstractions/base

@@ -36,8 +36,8 @@
   /usr/lib{,32,64}/locale/**             mr,
   /usr/lib{,32,64}/gconv/*.so            mr,
   /usr/lib{,32,64}/gconv/gconv-modules*  mr,
-  /usr/lib/@{multiarch}/gconv/*.so          mr,
-  /usr/lib/@{multiarch}/gconv/gconv-modules mr,
+  /usr/lib/@{multiarch}/gconv/*.so           mr,
+  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
 
   # used by glibc when binding to ephemeral ports
   /etc/bindresvport.blacklist    r,

profiles/apparmor.d/abstractions/cups-client

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2012 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,3 +13,6 @@
   /etc/cups/client.conf   r,
   # client should be able to talk the local cupsd
   /{,var/}run/cups/cups.sock w,
+  # client should be able to read user-specified cups configuration
+  owner @{HOME}/.cups/client.conf r,
+  owner @{HOME}/.cups/lpoptions r,

profiles/apparmor.d/abstractions/enchant

@@ -52,5 +52,5 @@
   /usr/share/java/zemberek-tr-[0-9]*.jar           r,
 
   # per-user dictionaries
-  owner @{HOME}/.config/enchant/                   r,
+  owner @{HOME}/.config/enchant/                   rw,
   owner @{HOME}/.config/enchant/*                  rwk,

profiles/apparmor.d/abstractions/fonts

@@ -39,6 +39,8 @@
   @{HOME}/.fonts.cache-2               mr,
   @{HOME}/.fontconfig/                  r,
   @{HOME}/.fontconfig/**              mrl,
+  @{HOME}/.fonts.conf.d/                r,
+  @{HOME}/.fonts.conf.d/**              r,
 
   /usr/local/share/fonts/               r,
   /usr/local/share/fonts/**             r,

profiles/apparmor.d/abstractions/kde

@@ -25,8 +25,8 @@
 @{HOME}/.DCOPserver_* r,
 @{HOME}/.ICEauthority r,
 @{HOME}/.fonts.* lrw,
-@{HOME}/.kde/share/config/kdeglobals rw,
-@{HOME}/.kde/share/config/*.lock rwl,
+@{HOME}/.kde{,4}/share/config/kdeglobals rw,
+@{HOME}/.kde{,4}/share/config/*.lock rwl,
 @{HOME}/.qt/** rw,
 @{HOME}/.config/Trolltech.conf rwk,
 

profiles/apparmor.d/abstractions/p11-kit

@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /etc/pkcs11/ r,
+  /etc/pkcs11/pkcs11.conf r,
+  /etc/pkcs11/modules/ r,
+  /etc/pkcs11/modules/* r,
+
+  /usr/lib{,32,64}/pkcs11/*.so mr,
+  /usr/lib/@{multiarch}/pkcs11/*.so mr,
+
+  # p11-kit also supports reading user configuration from ~/.pkcs11 depending
+  # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
+  # included in this abstraction.

profiles/apparmor.d/abstractions/private-files

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
-# privacy-violations contains rules for common files that you want to explicity
-# deny access
+# privacy-violations contains rules for common files that you want to
+# explicitly deny access
 
   # privacy violations (don't audit files under $HOME otherwise get a
   # lot of false positives when reading contents of directories)
@@ -15,7 +15,9 @@
   # special attention to (potentially) executable files
   audit deny @{HOME}/bin/** wl,
   audit deny @{HOME}/.config/autostart/** wl,
-  audit deny @{HOME}/.kde/Autostart/** wl,
+  audit deny @{HOME}/.kde{,4}/Autostart/** wl,
+  audit deny @{HOME}/.kde{,4}/env/** wl,
+  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
 
   # don't allow reading/updating of run control files
   deny @{HOME}/.*rc mrk,

profiles/apparmor.d/abstractions/private-files-strict

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 # privacy-violations-strict contains additional rules for sensitive
-# files that you want to explicity deny access
+# files that you want to explicitly deny access
 
   #include <abstractions/private-files>
 
@@ -13,6 +13,6 @@
   audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
   audit deny @{HOME}/.evolution/** mrwkl,
   audit deny @{HOME}/.config/evolution/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
 

profiles/apparmor.d/abstractions/python

@@ -31,4 +31,7 @@
   /usr/lib/wx/python/*.pth r,
 
   # python build configuration and headers
-  /usr/include/python{2,3}.[0-7]*/pyconfig.h
+  /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
+
+  # python setup script used by apport
+  /etc/python{2,3}.[0-7]*/sitecustomize.py r,

profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients

@@ -10,4 +10,4 @@
   /usr/bin/kget PUxr,
   /usr/bin/ktorrent PUxr,
   /usr/bin/qbittorrent PUxr,
-  /usr/bin/transmission PUxr,
+  /usr/bin/transmission{,-gtk,-qt,-cli} PUxr,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia

@@ -46,3 +46,11 @@
   /opt/google/talkplugin/lib/*.so mr,
   /opt/google/talkplugin/GoogleTalkPlugin ixr,
   owner @{HOME}/.config/google-googletalkplugin/** rw,
+
+  # If we allow the above, nvidia based systems will also need these
+  /dev/nvidactl rw,
+  /dev/nvidia0 rw,
+  @{PROC}/interrupts r,
+
+  # Virus scanners
+  /usr/bin/clamscan PUx,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors

@@ -8,3 +8,4 @@
   /usr/bin/vim.gnome PUxr,
   /usr/bin/leafpad PUxr,
   /usr/bin/mousepad PUxr,
+  /usr/bin/kate PUxr,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration

@@ -7,6 +7,7 @@
   /usr/bin/apturl PUxr,
   /usr/bin/gnome-codec-install PUxr,
   /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+  /usr/share/software-center/software-center PUxr,
 
   # Input Methods
   /usr/bin/scim PUx,
@@ -14,10 +15,13 @@
 
   # File managers
   /usr/bin/nautilus PUxr,
-  /usr/bin/thunar PUxr,
+  /usr/bin/{t,T}hunar PUxr,
 
   # Themes
   /usr/bin/gnome-appearance-properties PUxr,
 
   # Kubuntu
   /usr/lib/mozilla/kmozillahelper PUxr,
+
+  # Exo-aware applications
+  /usr/bin/exo-open ixr,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files

@@ -11,7 +11,7 @@
   #include <abstractions/private-files>
   audit deny @{HOME}/.ssh/** mrwkl,
   audit deny @{HOME}/.gnome2_private/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
 
   # Comment this out if using gpg plugin/addons
   audit deny @{HOME}/.gnupg/** mrwkl,

profiles/apparmor.d/abstractions/ubuntu-media-players

@@ -4,6 +4,7 @@
 #
   /usr/bin/amarok PUxr,
   /usr/bin/audacious2 PUxr,
+  /usr/bin/audacity PUxr,
   /usr/bin/bangarang PUxr,
   /usr/bin/banshee PUxr,
   /usr/bin/banshee-1 PUxr,

profiles/apparmor.d/sbin.syslog-ng

@@ -23,6 +23,7 @@
 
   capability chown,
   capability dac_override,
+  capability dac_read_search,
   capability fsetid,
   capability fowner,
   capability sys_tty_config,

profiles/apparmor.d/usr.lib.dovecot.deliver

@@ -8,7 +8,11 @@
   capability setgid,
   capability setuid,
 
+  # http://www.postfix.org/SASL_README.html#server_dovecot
+  /etc/dovecot/dovecot.conf r,
+  /etc/dovecot/{auth,conf}.d/*.conf r,
   /etc/dovecot/dovecot-postfix.conf r,
+
   @{HOME} r,
   @{HOME}/Maildir/ rw,
   @{HOME}/Maildir/** klrw,

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -2,6 +2,7 @@
 /usr/sbin/avahi-daemon {
   #include <abstractions/base>
   #include <abstractions/consoles>
+  #include <abstractions/dbus>
   #include <abstractions/nameservice>
 
   capability chown,
@@ -19,10 +20,10 @@
   /proc/*/fd/ r,
   /usr/sbin/avahi-daemon mr,
   /usr/share/avahi/introspection/*.introspect r,
+  /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
   /{,var/}run/avahi-daemon/ w,
   /{,var/}run/avahi-daemon/pid krw,
   /{,var/}run/avahi-daemon/socket w,
-  /{,var/}run/dbus/system_bus_socket w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.avahi-daemon>

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -9,6 +9,8 @@
 #
 # ------------------------------------------------------------------
 
+@{TFTP_DIR}=/var/tftp
+
 #include <tunables/global>
 /usr/sbin/dnsmasq {
   #include <abstractions/base>
@@ -36,6 +38,10 @@
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
 
+  # for the read-only TFTP server
+  @{TFTP_DIR}/ r,
+  @{TFTP_DIR}/** r,
+
   # libvirt lease and hosts files for dnsmasq
   /var/lib/libvirt/dnsmasq/            r,
   /var/lib/libvirt/dnsmasq/*.leases rw,

profiles/apparmor.d/usr.sbin.smbd

@@ -21,12 +21,17 @@
   capability sys_tty_config,
 
   /etc/mtab r,
+  /etc/netgroup r,
   /etc/printcap r,
+  /etc/samba/* rwk,
   /proc/*/mounts r,
   /proc/sys/kernel/core_pattern r,
   /usr/lib*/samba/vfs/*.so mr,
+  /usr/lib*/samba/charset/*.so mr,
+  /usr/lib*/samba/auth/script.so mr,
+  /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
   /usr/sbin/smbd mr,
-  /etc/samba/* rwk,
+  /usr/sbin/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/cache/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,

profiles/apparmor.d/usr.sbin.smbldap-useradd

@@ -0,0 +1,37 @@
+# Last Modified: Tue Jan  3 00:17:40 2012
+#include <tunables/global>
+
+/usr/sbin/smbldap-useradd {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+
+  /dev/tty rw,
+  /bin/bash ix,
+  /etc/init.d/nscd Cx,
+  /etc/shadow r,
+  /etc/smbldap-tools/smbldap.conf r,
+  /etc/smbldap-tools/smbldap_bind.conf r,
+  /usr/sbin/smbldap-useradd r,
+  /usr/sbin/smbldap_tools.pm r,
+  /var/log/samba/log.smbd w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.smbldap-useradd>
+
+  profile /etc/init.d/nscd {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+
+    capability sys_ptrace,
+
+    /bin/bash r,
+    /bin/mountpoint rix,
+    /bin/systemctl rix,
+    /dev/tty rw,
+    /etc/init.d/nscd r,
+    /etc/rc.status r,
+
+  }
+}

profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork

@@ -12,6 +12,7 @@
 #include <tunables/global>
 
 /usr/sbin/httpd2-prefork {
+  #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/kerberosclient>
@@ -78,8 +79,6 @@
   /usr/local/tomcat/conf/mod_jk.conf r,
   /usr/local/tomcat/conf/workers-ajp12.properties r,
   /usr/sbin/httpd2-prefork r,
-  /usr/share/apache2/error/* r,
-  /usr/share/apache2/error/include/* r,
   /usr/share/misc/magic.mime r,
   /usr/share/snmp/mibs r,
   /usr/share/snmp/mibs/*.{txt,mib} r,
@@ -125,21 +124,20 @@
   /srv/www/icons/*.{gif,jpg,png}     r,
   /srv/www/vhosts                    r,
   /srv/www/vhosts/**                 r,
-  # SuSE location of the apache manual + error pages
-  /usr/share/apache2/**              r,
 
   # php session state
   /var/lib/php/sess_*                rwl,
 
 
   ^HANDLING_UNTRUSTED_INPUT {
-    #include <abstractions/nameservice>
+    #include <abstractions/apache2-common>
     /var/log/apache2/*     w,
-    /**.htaccess           r,
+    audit /.htaccess       r, # WARNING: .htaccess directly in / will be disallowed in future versions 
+                              # (.htaccess in subdirectories is and will stay allowed by abstractions/apache2-common)
   }
 
   ^DEFAULT_URI {
-    #include <abstractions/nameservice>
+    #include <abstractions/apache2-common>
     #include <abstractions/base>
 
     # Note that mod_perl, mod_php, mod_python, etc, allows in-apache
@@ -176,8 +174,6 @@
     /srv/www/icons/*.{gif,jpg,png}     r,
     /srv/www/vhosts                    r,
     /srv/www/vhosts/**                 r,
-    # SuSE location of the apache manual + error pages
-    /usr/share/apache2/**              r,
 
     # php session state
     /var/lib/php/sess_*                rwl,

profiles/apparmor/profiles/extras/usr.sbin.sshd

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2012 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -33,6 +34,7 @@
 
   /dev/ptmx rw,
   /dev/urandom r,
+  /etc/default/locale r,
   /etc/environment r,
   /etc/hosts.allow r,
   /etc/hosts.deny r,
@@ -55,10 +57,12 @@
   /bin/bash2 rUx,
   /bin/bsh rUx,
   /bin/csh rUx,
+  /bin/dash rUx,
   /bin/ksh rUx,
   /bin/sh rUx,
   /bin/tcsh rUx,
   /bin/zsh rUx,
+  /bin/zsh4 rUx,
   /sbin/nologin rUx,
 
 # Call passwd for password change when expired
@@ -74,6 +78,7 @@
 
 # duplicated from AUTHENTICATED
   /etc/motd r,
+  /{,var/}run/motd r,
   /tmp/ssh-*/agent.[0-9]* rwl,
 
   /tmp/ssh-*[0-9]*/ w,
@@ -89,10 +94,12 @@
     /bin/bash2 Ux,
     /bin/bsh Ux,
     /bin/csh Ux,
+    /bin/dash Ux,
     /bin/ksh Ux,
     /bin/sh Ux,
     /bin/tcsh Ux,
     /bin/zsh Ux,
+    /bin/zsh4 Ux,
     /sbin/nologin Ux,
 
 # for debugging
@@ -161,6 +168,7 @@
     /etc/localtime r,
     /etc/login.defs r,
     /etc/motd r,
+    /{,var/}run/motd r,
     /tmp/ssh-*/agent.[0-9]* rwl,
     /tmp/ssh-*[0-9]*/ w,
 

utils/Immunix/AppArmor.pm

@@ -770,12 +770,18 @@ sub create_new_profile($) {
         my $hashbang = head($fqdbin);
         if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
             my $interpreter = get_full_path($1);
+            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("r");
+            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
             if ($interpreter =~ /perl/) {
                 $profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
             } elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
                 $profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
+            } elsif ($interpreter =~ m/python/) {
+                $profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
+            } elsif ($interpreter =~ m/ruby/) {
+                $profile->{$fqdbin}{include}->{"abstractions/ruby"} = 1;
             }
             handle_binfmt($profile->{$fqdbin}, $interpreter);
         } else {