mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 14:55:10 +00:00

Compare commits

12 Commits

Author SHA1 Message Date
Steve Beattie
4158b5e095 Fix up the profiles make install target for the tunables/multiarch.d/
change.
2011-03-23 16:07:55 -07:00
Steve Beattie
3706a9c31a Update version for release 2011-03-23 15:01:51 -07:00
Steve Beattie
6bd242fefc Merge from trunk rev 1700: fix typo in multi-arch comment. 2011-03-23 13:45:41 -07:00
Steve Beattie
2ef723e054 Merge from trunk rev 1699: This patch adds multiarch support for common
shared library locations, as well as a tunables file and directory
to ease adding additional multiarch paths.

Bug: https://launchpad.net/bugs/736870
2011-03-23 12:27:16 -07:00
Steve Beattie
e268784406 Merge from trunk rev 1698: Update the toplevel README file to discuss
the needed apparmor compatibility patches, mention the profile
consistency check, and remove some variables that no longer need to
be set at build time.
2011-03-18 23:15:43 -07:00
Steve Beattie
be34a7e217 Merge from trunk rev 1697: disable the local include in the extras
firefox profile; the build process does not generate local files
for things in extras, and even if it did, this one is named in a
non-standard fashion (usr.bin.firefox vs. usr.lib.firefox.firefox).
2011-03-18 23:07:19 -07:00
Steve Beattie
d9832491bd Merge from trunk 1696: profiles/Makefile: fix 'check' target to
iterate over the profiles in the extras directory as intended and
fail the make if a parse failure occurs. Also, set the default parser
and logprof to be the intree ones; the system ones can still be used
by setting environment variables.  Finally, have the 'all' target
generate the local files. Also, set the parser base directory to
the apparmor.d directory (rather than as an added include, to avoid
outside contamination from system profiles and includes).

With these changes, make && make check should verify the profile set
is compilable and mostly consistent. (Alas, the current profiles are
not quite consistent).

Nominated-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com>
2011-03-18 23:05:38 -07:00
Steve Beattie
2a031e3d71 prep for releasing a 2.6.1 release candidate 2011-03-18 15:56:09 -07:00
Steve Beattie
1ed68f67a9 Merge from trunk rev 1695: This fixes the apparmor apache2 module
to link correctly against the built libapparmor, as well as working
around libtool so that the libapparmor library build directory does
not get added as an rpath to the module.

Nominated-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com>

Bug: https://launchpad.net/bugs/737074
2011-03-17 23:35:45 -07:00
Steve Beattie
ffcb113465 Merge from trunk rev 1694: reduce the number of network protocols
filtered out of the parser at build time.

Bug: https://launchpad.net/bugs/732837
2011-03-17 11:18:43 -07:00
Steve Beattie
613a449db6 Merge from trunk rev 1693: Fix from PLD/Arkadiusz Miskiewicz
<arekm@maven.pl> to the initscript helper functions to correct some
log messages and to unload hats first, before their parents.

Nominated-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2011-03-17 10:24:25 -07:00
Steve Beattie
a14d06f8f6 Update repo url after branching 2.6 off of trunk, as well as adjust the
version to indicate that the branch is working towards a 2.6.1 release.
2011-03-10 10:08:24 -08:00
17 changed files with 132 additions and 33 deletions

@@ -16,7 +16,7 @@ DIRS=parser \
common \ common \
tests tests
REPO_URL?=lp:apparmor REPO_URL?=lp:apparmor/2.6
# alternate possibilities to export from # alternate possibilities to export from
#REPO_URL=. #REPO_URL=.
#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/" #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"

README
@@ -30,13 +30,26 @@ AppArmor consists of several different parts:
changehat/ source for using changehat with Apache, PAM and Tomcat changehat/ source for using changehat with Apache, PAM and Tomcat
common/ common makefile rules common/ common makefile rules
desktop/ empty desktop/ empty
kernel-patches/ patches for various kernel versions kernel-patches/ compatibility patches for various kernel versions
libraries/ libapparmor source and language bindings libraries/ libapparmor source and language bindings
parser/ source for parser/loader and corresponding documentation parser/ source for parser/loader and corresponding documentation
profiles/ configuration files, reference profiles and abstractions profiles/ configuration files, reference profiles and abstractions
tests/ regression and stress testsuites tests/ regression and stress testsuites
utils/ high-level utilities for working with AppArmor utils/ high-level utilities for working with AppArmor
--------------------------------------
Important note on AppArmor kernel code
--------------------------------------
While most of the kernel AppArmor code has been accepted in the
upstream Linux kernel, a few important pieces were not included. These
missing pieces unfortunately are important bits for AppArmor userspace
and kernel interaction; therefore we have included compatibility
patches in the kernel-patches/ subdirectory, versioned by upstream
kernel (2.6.37 patches should apply cleanly to 2.6.38 source).
Without these patches applied to the kernel, the AppArmor userspace
will not function correctly.
------------------------------------------ ------------------------------------------
Building and Installing AppArmor Userspace Building and Installing AppArmor Userspace
@@ -49,10 +62,14 @@ the following order.
libapparmor: libapparmor:
$ cd ./libraries/libapparmor $ cd ./libraries/libapparmor
$ sh ./autogen.sh $ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl $ sh ./configure --prefix=/usr --with-perl # see below
$ make $ make
$ make check $ make check
[optional arguments to libapparmor's configure include --with-python
and --with-ruby, to generate python and ruby bindings to libapparmor,
respectively.]
Utilities: Utilities:
$ cd utils $ cd utils
@@ -70,23 +87,23 @@ $ make install
Apache mod_apparmor: Apache mod_apparmor:
$ cd changehat/mod_apparmor $ cd changehat/mod_apparmor
$ LIBS="-lapparmor" make $ make # depends on libapparmor having been built first
$ make install $ make install
PAM AppArmor: PAM AppArmor:
$ cd changehat/pam_apparmor $ cd changehat/pam_apparmor
$ LIBS="-lapparmor -lpam" make $ make # depends on libapparmor having been built first
$ make install $ make install
Profiles: Profiles:
$ cd profiles $ cd profiles
$ make $ make
$ make check # depends on the parser having been built first
$ make install $ make install
------------------- -------------------
AppArmor Testsuites AppArmor Testsuites
------------------- -------------------
@@ -124,6 +141,14 @@ For details on structure and adding tests, see libraries/libapparmor/README.
$ cd libraries/libapparmor $ cd libraries/libapparmor
$ make check $ make check
Profile checks
--------------
A basic consistency check to ensure that the parser and aa-logprof parse
successfully the current set of shipped profiles. The system or other
parser and logprof can be passed in by overriding the PARSER and LOGPROF
variables.
$ cd profiles
$ make && make check
Stress Tests Stress Tests
------------ ------------
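Review bot: The new "Profile checks" text says the parser and logprof "can be passed in by overriding the PARSER and LOGPROF variables" but gives no invocation. Since the defaults in profiles/Makefile now point at the in-tree tools, add one example line for the system ones, e.g. `make check PARSER=/sbin/apparmor_parser LOGPROF=/usr/sbin/aa-logprof`, so a packager can run the same check against the tools that will actually be installed.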

@@ -41,12 +41,15 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2" ] ; then \
fi ) fi )
APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR) APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
DESTDIR= DESTDIR=
LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor" # Need to pass -Wl twice here to get past both apxs2 and libtool, as
# libtool will add the path to the RPATH of the library if passed -L/some/path
LIBAPPARMOR_FLAGS=-I../../libraries/libapparmor/src -Wl,-Wl,-L../../libraries/libapparmor/src/.libs
LDLIBS=-lapparmor
all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES} all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
%.so: %.c %.so: %.c
${APXS} ${LIBAPPARMOR_FLAGS} -c $< ${APXS} ${LIBAPPARMOR_FLAGS} -c $< ${LDLIBS}
mv .libs/$@ . mv .libs/$@ .
.PHONY: install .PHONY: install
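Review bot: The `-Wl,-Wl,-L../../libraries/libapparmor/src/.libs` workaround in LIBAPPARMOR_FLAGS keeps the build directory out of the module's rpath only as long as apxs2 and libtool each strip exactly one `-Wl,` prefix, and nothing in the `%.so` rule checks the outcome. A build-tree rpath in an installed Apache module is worth guarding against, so consider a step after `mv .libs/$@ .` that fails the build if `readelf -d` on the module shows an RPATH or RUNPATH entry. The rule also has no dependency that ensures libapparmor was built first, which the README now documents as a requirement.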

@@ -1 +1 @@
2.6.0 2.6.1

@@ -196,7 +196,7 @@ parser_version.h: Makefile
# These are the families that it doesn't make sense for apparmor to mediate. # These are the families that it doesn't make sense for apparmor to mediate.
# We use PF_ here since that is what is required in bits/socket.h, but we will # We use PF_ here since that is what is required in bits/socket.h, but we will
# rewrite these as AF_. # rewrite these as AF_.
FILTER_FAMILIES=PF_RXRPC PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK PF_LLC PF_IUCV PF_TIPC PF_CAN PF_ISDN PF_PHONET FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g') __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
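Review bot: On the FILTER_FAMILIES line, PF_RXRPC, PF_LLC, PF_IUCV, PF_TIPC, PF_CAN, PF_ISDN and PF_PHONET are dropped from the filter, but the comment above it is unchanged and gives no criterion for why the remaining five are the ones it "doesn't make sense for apparmor to mediate". Add a sentence to the comment stating that criterion, since this list decides which address families are filtered out of the parser at build time and a later reader cannot tell from the Makefile whether the seven were removed deliberately.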

@@ -170,7 +170,7 @@ parse_profiles() {
exit 1 exit 1
;; ;;
esac esac
aa_log_action_begin "$PARSER_MSG" aa_log_action_start "$PARSER_MSG"
# run the parser on all of the apparmor profiles # run the parser on all of the apparmor profiles
if [ ! -f "$PARSER" ]; then if [ ! -f "$PARSER" ]; then
aa_log_failure_msg "AppArmor parser not found" aa_log_failure_msg "AppArmor parser not found"
@@ -409,9 +409,9 @@ remove_profiles() {
retval=0 retval=0
#the list of profiles isn't stable once we start adding or removing #the list of profiles isn't stable once we start adding or removing
#them so stor to tmp first #them so store to tmp first (in reverse order so hat profiles are removed first)
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX) MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST" sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort -r > "$MODULE_PLIST"
cat "$MODULE_PLIST" | while read profile ; do cat "$MODULE_PLIST" | while read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove" echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
rc=$? rc=$?
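Review bot: In remove_profiles, the switch to `sort -r` unloads hats before their parents only because a hat's name begins with its parent's name and therefore sorts after it; the updated comment says "in reverse order so hat profiles are removed first" without stating that assumption, so spell it out there. While touching this loop, `while read profile` should be `while read -r profile`, so a profile name containing a backslash is written to `.remove` unchanged, and the result of `mktemp` is used without a check that it succeeded.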
@@ -427,7 +427,7 @@ apparmor_stop() {
aa_log_daemon_msg "Unloading AppArmor profiles " aa_log_daemon_msg "Unloading AppArmor profiles "
remove_profiles remove_profiles
rc=$? rc=$?
log_end_msg $rc aa_log_end_msg $rc
return $rc return $rc
} }

@@ -20,7 +20,7 @@
# Makefile for LSM-based AppArmor profiles # Makefile for LSM-based AppArmor profiles
NAME=apparmor-profiles NAME=apparmor-profiles
ALL: ALL: local
COMMONDIR=../common/ COMMONDIR=../common/
include common/Make.rules include common/Make.rules
@@ -38,7 +38,7 @@ PROFILES_SOURCE=./apparmor.d
EXTRAS_SOURCE=./apparmor/profiles/extras/ EXTRAS_SOURCE=./apparmor/profiles/extras/
SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables ${PROFILES_SOURCE}/local SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables ${PROFILES_SOURCE}/local
PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*)) PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*))
TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d, $(wildcard ${PROFILES_SOURCE}/tunables/*)) TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d ${PROFILES_SOURCE}/tunables/multiarch.d, $(wildcard ${PROFILES_SOURCE}/tunables/*))
ABSTRACTIONS_TO_COPY=$(filter-out ${PROFILES_SOURCE}/abstractions/ubuntu-browsers.d, $(wildcard ${PROFILES_SOURCE}/abstractions/*)) ABSTRACTIONS_TO_COPY=$(filter-out ${PROFILES_SOURCE}/abstractions/ubuntu-browsers.d, $(wildcard ${PROFILES_SOURCE}/abstractions/*))
local: local:
@@ -64,6 +64,7 @@ install: local
install -m 644 ${PROFILES_SOURCE}/program-chunks/* ${PROFILES_DEST}/program-chunks install -m 644 ${PROFILES_SOURCE}/program-chunks/* ${PROFILES_DEST}/program-chunks
install -m 644 ${TUNABLES_TO_COPY} ${PROFILES_DEST}/tunables install -m 644 ${TUNABLES_TO_COPY} ${PROFILES_DEST}/tunables
install -m 644 ${PROFILES_SOURCE}/tunables/home.d/* ${PROFILES_DEST}/tunables/home.d install -m 644 ${PROFILES_SOURCE}/tunables/home.d/* ${PROFILES_DEST}/tunables/home.d
install -m 644 ${PROFILES_SOURCE}/tunables/multiarch.d/* ${PROFILES_DEST}/tunables/multiarch.d
install -m 755 -d ${EXTRAS_DEST} install -m 755 -d ${EXTRAS_DEST}
install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST} install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST}
install -m 644 ${PROFILES_SOURCE}/local/* ${PROFILES_DEST}/local install -m 644 ${PROFILES_SOURCE}/local/* ${PROFILES_DEST}/local
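Review bot: The added `install -m 644 ${PROFILES_SOURCE}/tunables/multiarch.d/* ${PROFILES_DEST}/tunables/multiarch.d` assumes the destination directory already exists, and nothing in the lines shown creates it (the only `install -m 755 -d` here is for `${EXTRAS_DEST}`). Confirm that the directory list earlier in the install target includes `tunables/multiarch.d`; otherwise `install` fails when the source directory holds more than one file, or with a single file writes a regular file named `multiarch.d` where the directory should be.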
@@ -81,23 +82,22 @@ endif
ifndef PARSER ifndef PARSER
# use system parser # use system parser
PARSER=/sbin/apparmor_parser PARSER=../parser/apparmor_parser
endif endif
ifndef LOGPROF ifndef LOGPROF
# use system logprof # use ../utils logprof
LOGPROF=/usr/sbin/aa-logprof LOGPROF=perl -I../utils/ ../utils/aa-logprof
endif endif
EXTRAS_PATH=${EXTRAS_SOURCE}/profiles/extras IGNORE_FILES=${EXTRAS_SOURCE}/README
IGNORE_FILES=${EXTRAS_PATH}/README CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
CHECK_PROFILES=$(filter-out ${IGNORE_FILES}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_PATH}/*))
.PHONY: check .PHONY: check
check: check:
@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_PATH} against apparmor_parser" @echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser"
$(Q)for profile in ${CHECK_PROFILES} ; do \ $(Q)for profile in ${CHECK_PROFILES} ; do \
${PARSER} -S -I ${PWD}/apparmor.d $${profile} > /dev/null ; \ ${PARSER} -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \
done done
@echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof" @echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null $(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1
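Review bot: Under `ifndef PARSER` the comment still reads "# use system parser" although the default is now `../parser/apparmor_parser`; the LOGPROF comment was updated and this one should match (for example "# use ../parser apparmor_parser"). Separately, the new `|| exit 1` inside the loop stops at the first profile that fails to parse, so one run reports a single failure; if the goal is a consistency report over the whole set, record the failure and exit non-zero after the loop instead.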

@@ -1,7 +1,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd # Copyright (C) 2009-2011 Canonical Ltd
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@@ -25,6 +25,9 @@
/lib{,32,64}/security/pam_filter/* mr, /lib{,32,64}/security/pam_filter/* mr,
/lib{,32,64}/security/pam_*.so mr, /lib{,32,64}/security/pam_*.so mr,
/lib{,32,64}/security/ r, /lib{,32,64}/security/ r,
/lib/@{multiarch}/security/pam_filter/* mr,
/lib/@{multiarch}/security/pam_*.so mr,
/lib/@{multiarch}/security/ r,
# kerberos # kerberos
#include <abstractions/kerberosclient> #include <abstractions/kerberosclient>

@@ -2,7 +2,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd. # Copyright (C) 2009-2011 Canonical Ltd.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@@ -36,6 +36,8 @@
/usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr, /usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr, /usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules mr,
# used by glibc when binding to ephemeral ports # used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r, /etc/bindresvport.blacklist r,
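Review bot: The added rule `/usr/lib/@{multiarch}/gconv/gconv-modules mr,` drops the trailing `*` that the existing rule `/usr/lib{,32,64}/gconv/gconv-modules* mr,` carries, so a file such as `gconv-modules.cache` is matched by the old rule but not by the new one. If the difference is intentional, say so in a comment; otherwise use `gconv-modules*` for parity with the non-multiarch paths.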
@@ -45,17 +47,26 @@
/etc/ld.so.cache mr, /etc/ld.so.cache mr,
/lib{,32,64}/ld{,32,64}-*.so mrix, /lib{,32,64}/ld{,32,64}-*.so mrix,
/lib{,32,64}/**/ld{,32,64}-*.so mrix, /lib{,32,64}/**/ld{,32,64}-*.so mrix,
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
/lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix, /lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix, /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries # we might as well allow everything to use common libraries
/lib{,32,64}/** r, /lib{,32,64}/** r,
/lib{,32,64}/lib*.so* mr, /lib{,32,64}/lib*.so* mr,
/lib{,32,64}/**/lib*.so* mr, /lib{,32,64}/**/lib*.so* mr,
/lib/@{multiarch}/** r,
/lib/@{multiarch}/lib*.so* mr,
/lib/@{multiarch}/**/lib*.so* mr,
/usr/lib{,32,64}/** r, /usr/lib{,32,64}/** r,
/usr/lib{,32,64}/*.so* mr, /usr/lib{,32,64}/*.so* mr,
/usr/lib{,32,64}/**/lib*.so* mr, /usr/lib{,32,64}/**/lib*.so* mr,
/usr/lib/@{multiarch}/** r,
/usr/lib/@{multiarch}/lib*.so* mr,
/usr/lib/@{multiarch}/**/lib*.so* mr,
/lib/tls/i686/{cmov,nosegneg}/lib*.so* mr, /lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,
# /dev/null is pretty harmless and frequently used # /dev/null is pretty harmless and frequently used
/dev/null rw, /dev/null rw,
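Review bot: The new `/lib/@{multiarch}/...` and `/usr/lib/@{multiarch}/...` rules make this abstraction depend on `@{multiarch}` being declared, which in this change happens only through `#include <tunables/multiarch>` in the tunables file that also includes tunables/home. A profile that pulls in this abstraction without those tunables should be expected to fail to parse, so `make check` needs to pass over every shipped and extras profile before this lands. Also note the asymmetry between the existing `/usr/lib{,32,64}/*.so* mr,` and the added `/usr/lib/@{multiarch}/lib*.so* mr,`: the multiarch rule is the narrower of the two, which is fine for least privilege but deserves a comment so it is not widened later by accident.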

@@ -2,7 +2,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd. # Copyright (C) 2009-2011 Canonical Ltd.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@@ -19,6 +19,7 @@
/etc/gnome/gtkrc* r, /etc/gnome/gtkrc* r,
/etc/gtk/* r, /etc/gtk/* r,
/usr/lib{,32,64}/gtk/** mr, /usr/lib{,32,64}/gtk/** mr,
/usr/lib/@{multiarch}/gtk/** mr,
/usr/share/themes/** r, /usr/share/themes/** r,
# for gnome 1 applications # for gnome 1 applications
@@ -31,6 +32,9 @@
/usr/lib{,32,64}/pango/** mr, /usr/lib{,32,64}/pango/** mr,
/usr/lib{,32,64}/gtk-*/** mr, /usr/lib{,32,64}/gtk-*/** mr,
/usr/lib{,32,64}/gdk-pixbuf-*/** mr, /usr/lib{,32,64}/gdk-pixbuf-*/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/lib/@{multiarch}/gtk-*/** mr,
/usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
# per-user gtk configuration # per-user gtk configuration
@{HOME}/.gnome/Gnome r, @{HOME}/.gnome/Gnome r,
@@ -60,6 +64,7 @@
/etc/gnome-vfs-2.0/modules/ r, /etc/gnome-vfs-2.0/modules/ r,
/etc/gnome-vfs-2.0/modules/* r, /etc/gnome-vfs-2.0/modules/* r,
/usr/lib/gnome-vfs-2.0/modules/*.so mr, /usr/lib/gnome-vfs-2.0/modules/*.so mr,
/usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
# gvfs # gvfs
/usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/ r,

@@ -1,7 +1,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd. # Copyright (C) 2009-2011 Canonical Ltd.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@@ -38,10 +38,17 @@
/usr/lib*/kde3/plugins/styles/ r, /usr/lib*/kde3/plugins/styles/ r,
/usr/lib*/kde3/plugins/styles/* mr, /usr/lib*/kde3/plugins/styles/* mr,
/usr/lib*/kde3/lib*so* mr, /usr/lib*/kde3/lib*so* mr,
/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
/usr/lib/@{multiarch}/kde3/lib*so* mr,
/usr/lib*/qt3/lib*/lib*so* mr, /usr/lib*/qt3/lib*/lib*so* mr,
/usr/lib*/qt3/plugins/** mr, /usr/lib*/qt3/plugins/** mr,
/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt3/plugins/** mr,
/usr/lib*/libqt-mt*so* mr, /usr/lib*/libqt-mt*so* mr,
/usr/lib*/libqui*so* mr, /usr/lib*/libqui*so* mr,
/usr/lib/@{multiarch}/libqt-mt*so* mr,
/usr/lib/@{multiarch}/libqui*so* mr,
/usr/share/qt3/lib*/libqt-mt*so* mr, /usr/share/qt3/lib*/libqt-mt*so* mr,
/usr/share/qt3/lib*/libqui*so* mr, /usr/share/qt3/lib*/libqui*so* mr,
@@ -49,6 +56,11 @@
/usr/lib*/kde4/plugins/*/*.so mr, /usr/lib*/kde4/plugins/*/*.so mr,
/usr/lib*/kde4/plugins/*/ r, /usr/lib*/kde4/plugins/*/ r,
/usr/lib*/kde4/lib*so* mr, /usr/lib*/kde4/lib*so* mr,
/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
/usr/lib/@{multiarch}/kde4/plugins/*/ r,
/usr/lib/@{multiarch}/kde4/lib*so* mr,
/usr/lib*/qt4/lib*/lib*so* mr, /usr/lib*/qt4/lib*/lib*so* mr,
/usr/lib*/qt4/plugins/** mr, /usr/lib*/qt4/plugins/** mr,
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt4/plugins/** mr,
/usr/share/qt4/** r, /usr/share/qt4/** r,

@@ -1,7 +1,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd. # Copyright (C) 2009-2011 Canonical Ltd.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@@ -12,9 +12,13 @@
# files required by kerberos client programs # files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r, /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr, /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
/usr/lib{,32,64}/krb5/plugins/preauth/ r, /usr/lib{,32,64}/krb5/plugins/preauth/ r,
/usr/lib{,32,64}/krb5/plugins/preauth/* mr, /usr/lib{,32,64}/krb5/plugins/preauth/* mr,
/usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
/usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
/etc/krb5.keytab r, /etc/krb5.keytab r,
/etc/krb5.conf r, /etc/krb5.conf r,

@@ -1,7 +1,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd. # Copyright (C) 2009-2011 Canonical Ltd.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@@ -50,6 +50,8 @@
# they are available # they are available
/lib{,32,64}/libnss_*.so* mr, /lib{,32,64}/libnss_*.so* mr,
/usr/lib{,32,64}/libnss_*.so* mr, /usr/lib{,32,64}/libnss_*.so* mr,
/lib/@{multiarch}/libnss_*.so* mr,
/usr/lib/@{multiarch}/libnss_*.so* mr,
/etc/default/nss r, /etc/default/nss r,
# avahi-daemon is used for mdns4 resolution # avahi-daemon is used for mdns4 resolution

@@ -1,7 +1,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2006-2009 Novell/SUSE # Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd. # Copyright (C) 2010-2011 Canonical Ltd.
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@@ -13,5 +13,6 @@
# should be included here # should be included here
#include <tunables/home> #include <tunables/home>
#include <tunables/multiarch>
#include <tunables/proc> #include <tunables/proc>
#include <tunables/alias> #include <tunables/alias>

@@ -0,0 +1,17 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# @{multiarch} is the set of patterns matching multi-arch library
# install prefixes.
@{multiarch}=*-linux-gnu*
# Also, include files in tunables/multiarch.d for site and packaging
# specific adjustments to @{multiarch}.
#include <tunables/multiarch.d>
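Review bot: `@{multiarch}=*-linux-gnu*` has a wildcard on both sides, so it matches any single directory name that contains `-linux-gnu`, and the abstractions in this change grant `mr` (and `mrix` for `ld{,32,64}-*.so`) beneath every such directory in /lib and /usr/lib. The comment should state what the trailing `*` is meant to cover and that the set is intentionally this broad; a site that wants a tighter policy has no documented way to replace the default, since the multiarch.d files are described as appending to it. The header also carries "Copyright (C) 2010" although the file is new in this 2011 change.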

@@ -0,0 +1,14 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# The following is a space-separated list of where additional multipath
# prefixes are stored, each should not have a trailing '/'. Directories
# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg:
#@{multiarch}+=*-freebsd* s390-hurd-zomg
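Review bot: The comment block has two typos that will mislead anyone following it: "See tunables/mutliarch for details" should read tunables/multiarch, and "additional multipath prefixes" should read multiarch prefixes. "Eg:" would also read better as "e.g.:".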

@@ -122,5 +122,7 @@
deny /usr/share/mozilla/ w, deny /usr/share/mozilla/ w,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.firefox> # Local path is disabled, we only enable them for profiles we promote
# out of extras.
## include <local/usr.bin.firefox>
} }