Merge from trunk rev 2037:

The m4 shipped to handle Python was incorrectly clearing
$CPPFLAGS. Additionally, do not repeat compiler flags for automake
targets that already include them, and pass more flags to the Perl build.

Signed-off-by: Kees Cook <kees@ubuntu.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

Makefile

@@ -12,7 +12,7 @@ DIRS=parser \
      changehat/pam_apparmor \
      tests
 
-REPO_URL?=lp:apparmor
+REPO_URL?=lp:apparmor/2.7
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"

common/Version

@@ -1 +1 @@
-2.7.0
+2.7.2

libraries/libapparmor/m4/ac_python_devel.m4

@@ -158,6 +158,8 @@ $ac_distutils_result])
         AC_MSG_CHECKING([consistency of all components of python development environment])
         AC_LANG_PUSH([C])
         # save current global flags
+        ac_save_LIBS="$LIBS"
+        ac_save_CPPFLAGS="$CPPFLAGS"
         LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
         AC_TRY_LINK([

libraries/libapparmor/src/Makefile.am

@@ -3,7 +3,8 @@ INCLUDES = $(all_includes)
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
-AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
+AM_CFLAGS = -Wall
+AM_CPPFLAGS = -D_GNU_SOURCE
 scanner.h: scanner.l
 	$(LEX) -v $<
 

libraries/libapparmor/src/aalogparse.h

@@ -141,6 +141,10 @@ typedef struct
 	char *net_family;
 	char *net_protocol;
 	char *net_sock_type;
+	char *net_local_addr;
+	unsigned long net_local_port;
+	char *net_foreign_addr;
+	unsigned long net_foreign_port;
 } aa_log_record;
 
 /**

libraries/libapparmor/src/grammar.y

@@ -83,6 +83,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
 %token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
 %token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
+%token <t_str> TOK_IP_ADDR
 
 %token TOK_EQUALS
 %token TOK_COLON
@@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_CAPNAME
 %token TOK_KEY_OFFSET
 %token TOK_KEY_TARGET
+%token TOK_KEY_LADDR
+%token TOK_KEY_FADDR
+%token TOK_KEY_LPORT
+%token TOK_KEY_FPORT
 
 %token TOK_SYSLOG_KERNEL
 
@@ -268,6 +273,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ /* target was always name2 in the past */
 	  ret_record->name2 = $3;
 	}
+	| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_local_addr = $3;}
+	| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_foreign_addr = $3;}
+	| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_local_port = $3;}
+	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_foreign_port = $3;}
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;

libraries/libapparmor/src/scanner.l

@@ -133,8 +133,15 @@ key_capability		"capability"
 key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
+key_laddr		"laddr"
+key_faddr		"faddr"
+key_lport		"lport"
+key_fport		"fport"
 audit			"audit"
 
+/* network addrs */
+ip_addr			[a-f[:digit:].:]{3,}
+
 /* syslog tokens */
 syslog_kernel		kernel{colon}
 syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
@@ -149,6 +156,7 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
 %x dmesg_timestamp
 %x safe_string
 %x audit_types
+%x ip_addr
 %x other_audit
 %x unknown_message
 
@@ -201,6 +209,12 @@ yy_flex_debug = 0;
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
 	}
 
+<ip_addr>{
+	{ip_addr}	{ yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
+	{equals}	{ return(TOK_EQUALS); }
+	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
+	}
+
 <audit_types>{
 	{equals}	{ return(TOK_EQUALS); }
 	{digits}	{ yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
@@ -270,6 +284,10 @@ yy_flex_debug = 0;
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
+{key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_lport}		{ return(TOK_KEY_LPORT); }
+{key_fport}		{ return(TOK_KEY_FPORT); }
 
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }

libraries/libapparmor/swig/perl/Makefile.PL.in

@@ -10,7 +10,7 @@ WriteMakefile(
 	'FIRST_MAKEFILE' => 'Makefile.perl',
 	'ABSTRACT' => q[Perl interface to AppArmor] ,
 	'VERSION' => q[@VERSION@],
-	'INC' => q[-I@top_srcdir@/src @CFLAGS@],
+	'INC' => q[@CPPFLAGS@ -I@top_srcdir@/src @CFLAGS@],
 	'LIBS' => q[-L@top_builddir@/src/.libs/ -lapparmor @LIBS@],
 	'OBJECT' => 'libapparmor_wrap.o', # $(OBJ_EXT)
 ) ;

libraries/libapparmor/testsuite/Makefile.am

@@ -10,8 +10,7 @@ AM_CFLAGS = -Wall
 noinst_PROGRAMS = test_multi.multi
 
 test_multi_multi_SOURCES	= test_multi.c
-test_multi_multi_CFLAGS		= $(CFLAGS) -Wall
-test_multi_multi_LDFLAGS	= $(LDFLAGS)
+test_multi_multi_CFLAGS		= -Wall
 test_multi_multi_LDADD		= -L../src/.libs -lapparmor
 
 clean-local:

libraries/libapparmor/testsuite/test_multi.c

@@ -51,6 +51,18 @@ int main(int argc, char **argv)
 	return ret;
 }
 
+#define print_string(description, var) \
+	if ((var) != NULL) { \
+		printf("%s: %s\n", (description), (var)); \
+	}
+
+/* unset is the value that the library sets to the var to indicate
+   that it is unset */
+#define print_long(description, var, unset) \
+	if ((var) != (unsigned long) (unset)) { \
+		printf("%s: %ld\n", (description), (var)); \
+	}
+
 int print_results(aa_log_record *record)
 {
 		printf("Event type: ");
@@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
 		{
 			printf("Protocol: %s\n", record->net_protocol);
 		}
+		print_string("Local addr", record->net_local_addr);
+		print_string("Foreign addr", record->net_foreign_addr);
+		print_long("Local port", record->net_local_port, 0);
+		print_long("Foreign port", record->net_foreign_port, 0);
+
 		printf("Epoch: %lu\n", record->epoch);
 		printf("Audit subid: %u\n", record->audit_sub_id);
 	return(0);

libraries/libapparmor/testsuite/test_multi/testcase_network_01.in

@@ -0,0 +1 @@
+Apr  5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_01.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.66.150
+Foreign addr: 192.168.66.200
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704

libraries/libapparmor/testsuite/test_multi/testcase_network_02.in

@@ -0,0 +1 @@
+Apr  5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_02.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_network_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704

libraries/libapparmor/testsuite/test_multi/testcase_network_03.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_03.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/testcase_network_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1333648169.009:11707146
+Operation: accept
+Profile: /usr/lib/dovecot/imap-login
+Command: imap-login
+Parent: 25932
+PID: 5049
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local port: 143
+Epoch: 1333648169
+Audit subid: 11707146

libraries/libapparmor/testsuite/test_multi/testcase_network_04.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_04.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_04.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333697181.284:273901
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1056
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::1
+Foreign addr: ::1
+Local port: 2048
+Foreign port: 33986
+Epoch: 1333697181
+Audit subid: 273901

libraries/libapparmor/testsuite/test_multi/testcase_network_05.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_05.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_05.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333698107.128:273917
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1875
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::ffff:127.0.0.1
+Foreign addr: ::ffff:127.0.0.1
+Local port: 2048
+Foreign port: 59180
+Epoch: 1333698107
+Audit subid: 273917

profiles/Makefile

@@ -56,6 +56,7 @@ install: local
                           ${PROFILES_DEST}/program-chunks \
                           ${PROFILES_DEST}/tunables \
                           ${PROFILES_DEST}/tunables/home.d \
+                          ${PROFILES_DEST}/tunables/multiarch.d \
                           ${PROFILES_DEST}/local
 	install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
 	install -m 644 ${ABSTRACTIONS_TO_COPY} ${PROFILES_DEST}/abstractions

profiles/apparmor.d/abstractions/X

@@ -17,7 +17,7 @@
 
   # .Xauthority files required for X connections, per user
   @{HOME}/.Xauthority           r,
-  owner /{,var/}run/gdm/*/database r,
+  owner /{,var/}run/gdm{,3}/*/database r,
   owner /{,var/}run/lightdm/authority/[0-9]* r,
 
   # the unix socket to use to connect to the display

profiles/apparmor.d/abstractions/apache2-common

@@ -1,9 +1,20 @@
 # vim:syntax=apparmor
 
+# This file contains basic permissions for Apache and every vHost
+
+  #include <abstractions/nameservice>
+
   # Apache
   network inet stream,
+  network inet6 stream,
+  # apache manual, error pages and icons
   /usr/share/apache2/** r,
 
   # changehat itself
   /proc/*/attr/current                        w,
 
+  # htaccess files - for what ever it is worth
+  /**/.htaccess            r,
+
+  /dev/urandom            r,
+

profiles/apparmor.d/abstractions/aspell

@@ -2,7 +2,7 @@
 # aspell permissions
 
   # per-user settings and dictionaries
-  @{HOME}/.aspell.*.{pws,prepl} rk,
+  owner @{HOME}/.aspell.*.{pws,prepl} rwk,
 
   # system libraries and dictionaries
   /usr/lib/aspell/ r,

profiles/apparmor.d/abstractions/authentication

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009-2011 Canonical Ltd
+#    Copyright (C) 2009-2012 Canonical Ltd
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -47,3 +47,5 @@
   # smbpass
   #include <abstractions/smbpass>
 
+  # p11-kit (PKCS#11 modules configuration)
+  #include <abstractions/p11-kit>

profiles/apparmor.d/abstractions/base

@@ -36,8 +36,8 @@
   /usr/lib{,32,64}/locale/**             mr,
   /usr/lib{,32,64}/gconv/*.so            mr,
   /usr/lib{,32,64}/gconv/gconv-modules*  mr,
-  /usr/lib/@{multiarch}/gconv/*.so          mr,
-  /usr/lib/@{multiarch}/gconv/gconv-modules mr,
+  /usr/lib/@{multiarch}/gconv/*.so           mr,
+  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
 
   # used by glibc when binding to ephemeral ports
   /etc/bindresvport.blacklist    r,
@@ -86,6 +86,7 @@
   @{PROC}/meminfo                r,
   @{PROC}/stat                   r,
   @{PROC}/cpuinfo                r,
+  /sys/devices/system/cpu/online r,
 
   # glibc's *printf protections read the maps file
   @{PROC}/*/maps                 r,

profiles/apparmor.d/abstractions/cups-client

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2012 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,3 +13,6 @@
   /etc/cups/client.conf   r,
   # client should be able to talk the local cupsd
   /{,var/}run/cups/cups.sock w,
+  # client should be able to read user-specified cups configuration
+  owner @{HOME}/.cups/client.conf r,
+  owner @{HOME}/.cups/lpoptions r,

profiles/apparmor.d/abstractions/enchant

@@ -52,5 +52,5 @@
   /usr/share/java/zemberek-tr-[0-9]*.jar           r,
 
   # per-user dictionaries
-  owner @{HOME}/.config/enchant/                   r,
+  owner @{HOME}/.config/enchant/                   rw,
   owner @{HOME}/.config/enchant/*                  rwk,

profiles/apparmor.d/abstractions/fonts

@@ -39,6 +39,8 @@
   @{HOME}/.fonts.cache-2               mr,
   @{HOME}/.fontconfig/                  r,
   @{HOME}/.fontconfig/**              mrl,
+  @{HOME}/.fonts.conf.d/                r,
+  @{HOME}/.fonts.conf.d/**              r,
 
   /usr/local/share/fonts/               r,
   /usr/local/share/fonts/**             r,

profiles/apparmor.d/abstractions/kde

@@ -25,8 +25,8 @@
 @{HOME}/.DCOPserver_* r,
 @{HOME}/.ICEauthority r,
 @{HOME}/.fonts.* lrw,
-@{HOME}/.kde/share/config/kdeglobals rw,
-@{HOME}/.kde/share/config/*.lock rwl,
+@{HOME}/.kde{,4}/share/config/kdeglobals rw,
+@{HOME}/.kde{,4}/share/config/*.lock rwl,
 @{HOME}/.qt/** rw,
 @{HOME}/.config/Trolltech.conf rwk,
 

profiles/apparmor.d/abstractions/p11-kit

@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /etc/pkcs11/ r,
+  /etc/pkcs11/pkcs11.conf r,
+  /etc/pkcs11/modules/ r,
+  /etc/pkcs11/modules/* r,
+
+  /usr/lib{,32,64}/pkcs11/*.so mr,
+  /usr/lib/@{multiarch}/pkcs11/*.so mr,
+
+  # p11-kit also supports reading user configuration from ~/.pkcs11 depending
+  # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
+  # included in this abstraction.

profiles/apparmor.d/abstractions/private-files

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
-# privacy-violations contains rules for common files that you want to explicity
-# deny access
+# privacy-violations contains rules for common files that you want to
+# explicitly deny access
 
   # privacy violations (don't audit files under $HOME otherwise get a
   # lot of false positives when reading contents of directories)
@@ -15,7 +15,9 @@
   # special attention to (potentially) executable files
   audit deny @{HOME}/bin/** wl,
   audit deny @{HOME}/.config/autostart/** wl,
-  audit deny @{HOME}/.kde/Autostart/** wl,
+  audit deny @{HOME}/.kde{,4}/Autostart/** wl,
+  audit deny @{HOME}/.kde{,4}/env/** wl,
+  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
 
   # don't allow reading/updating of run control files
   deny @{HOME}/.*rc mrk,

profiles/apparmor.d/abstractions/private-files-strict

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 # privacy-violations-strict contains additional rules for sensitive
-# files that you want to explicity deny access
+# files that you want to explicitly deny access
 
   #include <abstractions/private-files>
 
@@ -13,6 +13,6 @@
   audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
   audit deny @{HOME}/.evolution/** mrwkl,
   audit deny @{HOME}/.config/evolution/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
 

profiles/apparmor.d/abstractions/python

@@ -31,4 +31,7 @@
   /usr/lib/wx/python/*.pth r,
 
   # python build configuration and headers
-  /usr/include/python{2,3}.[0-7]*/pyconfig.h
+  /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
+
+  # python setup script used by apport
+  /etc/python{2,3}.[0-7]*/sitecustomize.py r,

profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients

@@ -10,4 +10,4 @@
   /usr/bin/kget PUxr,
   /usr/bin/ktorrent PUxr,
   /usr/bin/qbittorrent PUxr,
-  /usr/bin/transmission PUxr,
+  /usr/bin/transmission{,-gtk,-qt,-cli} PUxr,

profiles/apparmor.d/abstractions/ubuntu-browsers

@@ -28,6 +28,10 @@
   # and abrowser)
   /usr/lib/firefox-*/firefox.sh PUx,
 
+  # Iceweasel
+  /usr/bin/iceweasel PUx,
+  /usr/lib/iceweasel/iceweasel PUx,
+
   # some unpackaged, but popular browsers
   /usr/lib/icecat-*/icecat PUx,
   /usr/bin/opera PUx,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia

@@ -46,3 +46,11 @@
   /opt/google/talkplugin/lib/*.so mr,
   /opt/google/talkplugin/GoogleTalkPlugin ixr,
   owner @{HOME}/.config/google-googletalkplugin/** rw,
+
+  # If we allow the above, nvidia based systems will also need these
+  /dev/nvidactl rw,
+  /dev/nvidia0 rw,
+  @{PROC}/interrupts r,
+
+  # Virus scanners
+  /usr/bin/clamscan PUx,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors

@@ -8,3 +8,4 @@
   /usr/bin/vim.gnome PUxr,
   /usr/bin/leafpad PUxr,
   /usr/bin/mousepad PUxr,
+  /usr/bin/kate PUxr,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration

@@ -7,6 +7,7 @@
   /usr/bin/apturl PUxr,
   /usr/bin/gnome-codec-install PUxr,
   /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+  /usr/share/software-center/software-center PUxr,
 
   # Input Methods
   /usr/bin/scim PUx,
@@ -14,10 +15,13 @@
 
   # File managers
   /usr/bin/nautilus PUxr,
-  /usr/bin/thunar PUxr,
+  /usr/bin/{t,T}hunar PUxr,
 
   # Themes
   /usr/bin/gnome-appearance-properties PUxr,
 
   # Kubuntu
   /usr/lib/mozilla/kmozillahelper PUxr,
+
+  # Exo-aware applications
+  /usr/bin/exo-open ixr,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files

@@ -11,7 +11,7 @@
   #include <abstractions/private-files>
   audit deny @{HOME}/.ssh/** mrwkl,
   audit deny @{HOME}/.gnome2_private/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
 
   # Comment this out if using gpg plugin/addons
   audit deny @{HOME}/.gnupg/** mrwkl,

profiles/apparmor.d/abstractions/ubuntu-media-players

@@ -4,6 +4,7 @@
 #
   /usr/bin/amarok PUxr,
   /usr/bin/audacious2 PUxr,
+  /usr/bin/audacity PUxr,
   /usr/bin/bangarang PUxr,
   /usr/bin/banshee PUxr,
   /usr/bin/banshee-1 PUxr,

profiles/apparmor.d/sbin.syslog-ng

@@ -23,6 +23,7 @@
 
   capability chown,
   capability dac_override,
+  capability dac_read_search,
   capability fsetid,
   capability fowner,
   capability sys_tty_config,

profiles/apparmor.d/usr.lib.dovecot.deliver

@@ -8,7 +8,11 @@
   capability setgid,
   capability setuid,
 
+  # http://www.postfix.org/SASL_README.html#server_dovecot
+  /etc/dovecot/dovecot.conf r,
+  /etc/dovecot/{auth,conf}.d/*.conf r,
   /etc/dovecot/dovecot-postfix.conf r,
+
   @{HOME} r,
   @{HOME}/Maildir/ rw,
   @{HOME}/Maildir/** klrw,

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -11,6 +11,7 @@
   capability sys_chroot,
 
   network inet stream,
+  network inet6 stream,
 
   /usr/lib/dovecot/imap-login mr,
   /{,var/}run/dovecot/login/ r,

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -2,6 +2,7 @@
 /usr/sbin/avahi-daemon {
   #include <abstractions/base>
   #include <abstractions/consoles>
+  #include <abstractions/dbus>
   #include <abstractions/nameservice>
 
   capability chown,
@@ -19,10 +20,10 @@
   /proc/*/fd/ r,
   /usr/sbin/avahi-daemon mr,
   /usr/share/avahi/introspection/*.introspect r,
+  /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
   /{,var/}run/avahi-daemon/ w,
   /{,var/}run/avahi-daemon/pid krw,
   /{,var/}run/avahi-daemon/socket w,
-  /{,var/}run/dbus/system_bus_socket w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.avahi-daemon>

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -9,6 +9,8 @@
 #
 # ------------------------------------------------------------------
 
+@{TFTP_DIR}=/var/tftp /srv/tftpboot
+
 #include <tunables/global>
 /usr/sbin/dnsmasq {
   #include <abstractions/base>
@@ -36,6 +38,10 @@
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
 
+  # for the read-only TFTP server
+  @{TFTP_DIR}/ r,
+  @{TFTP_DIR}/** r,
+
   # libvirt lease and hosts files for dnsmasq
   /var/lib/libvirt/dnsmasq/            r,
   /var/lib/libvirt/dnsmasq/*.leases rw,

profiles/apparmor.d/usr.sbin.smbd

@@ -21,12 +21,17 @@
   capability sys_tty_config,
 
   /etc/mtab r,
+  /etc/netgroup r,
   /etc/printcap r,
+  /etc/samba/* rwk,
   /proc/*/mounts r,
   /proc/sys/kernel/core_pattern r,
   /usr/lib*/samba/vfs/*.so mr,
+  /usr/lib*/samba/charset/*.so mr,
+  /usr/lib*/samba/auth/script.so mr,
+  /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
   /usr/sbin/smbd mr,
-  /etc/samba/* rwk,
+  /usr/sbin/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/cache/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,

profiles/apparmor.d/usr.sbin.smbldap-useradd

@@ -0,0 +1,37 @@
+# Last Modified: Tue Jan  3 00:17:40 2012
+#include <tunables/global>
+
+/usr/sbin/smbldap-useradd {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+
+  /dev/tty rw,
+  /bin/bash ix,
+  /etc/init.d/nscd Cx,
+  /etc/shadow r,
+  /etc/smbldap-tools/smbldap.conf r,
+  /etc/smbldap-tools/smbldap_bind.conf r,
+  /usr/sbin/smbldap-useradd r,
+  /usr/sbin/smbldap_tools.pm r,
+  /var/log/samba/log.smbd w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.smbldap-useradd>
+
+  profile /etc/init.d/nscd {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+
+    capability sys_ptrace,
+
+    /bin/bash r,
+    /bin/mountpoint rix,
+    /bin/systemctl rix,
+    /dev/tty rw,
+    /etc/init.d/nscd r,
+    /etc/rc.status r,
+
+  }
+}

profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork

@@ -12,6 +12,7 @@
 #include <tunables/global>
 
 /usr/sbin/httpd2-prefork {
+  #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/kerberosclient>
@@ -78,8 +79,6 @@
   /usr/local/tomcat/conf/mod_jk.conf r,
   /usr/local/tomcat/conf/workers-ajp12.properties r,
   /usr/sbin/httpd2-prefork r,
-  /usr/share/apache2/error/* r,
-  /usr/share/apache2/error/include/* r,
   /usr/share/misc/magic.mime r,
   /usr/share/snmp/mibs r,
   /usr/share/snmp/mibs/*.{txt,mib} r,
@@ -125,21 +124,20 @@
   /srv/www/icons/*.{gif,jpg,png}     r,
   /srv/www/vhosts                    r,
   /srv/www/vhosts/**                 r,
-  # SuSE location of the apache manual + error pages
-  /usr/share/apache2/**              r,
 
   # php session state
   /var/lib/php/sess_*                rwl,
 
 
   ^HANDLING_UNTRUSTED_INPUT {
-    #include <abstractions/nameservice>
+    #include <abstractions/apache2-common>
     /var/log/apache2/*     w,
-    /**.htaccess           r,
+    audit /.htaccess       r, # WARNING: .htaccess directly in / will be disallowed in future versions 
+                              # (.htaccess in subdirectories is and will stay allowed by abstractions/apache2-common)
   }
 
   ^DEFAULT_URI {
-    #include <abstractions/nameservice>
+    #include <abstractions/apache2-common>
     #include <abstractions/base>
 
     # Note that mod_perl, mod_php, mod_python, etc, allows in-apache
@@ -176,8 +174,6 @@
     /srv/www/icons/*.{gif,jpg,png}     r,
     /srv/www/vhosts                    r,
     /srv/www/vhosts/**                 r,
-    # SuSE location of the apache manual + error pages
-    /usr/share/apache2/**              r,
 
     # php session state
     /var/lib/php/sess_*                rwl,

profiles/apparmor/profiles/extras/usr.sbin.sshd

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2012 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -33,6 +34,7 @@
 
   /dev/ptmx rw,
   /dev/urandom r,
+  /etc/default/locale r,
   /etc/environment r,
   /etc/hosts.allow r,
   /etc/hosts.deny r,
@@ -55,10 +57,12 @@
   /bin/bash2 rUx,
   /bin/bsh rUx,
   /bin/csh rUx,
+  /bin/dash rUx,
   /bin/ksh rUx,
   /bin/sh rUx,
   /bin/tcsh rUx,
   /bin/zsh rUx,
+  /bin/zsh4 rUx,
   /sbin/nologin rUx,
 
 # Call passwd for password change when expired
@@ -74,6 +78,7 @@
 
 # duplicated from AUTHENTICATED
   /etc/motd r,
+  /{,var/}run/motd r,
   /tmp/ssh-*/agent.[0-9]* rwl,
 
   /tmp/ssh-*[0-9]*/ w,
@@ -89,10 +94,12 @@
     /bin/bash2 Ux,
     /bin/bsh Ux,
     /bin/csh Ux,
+    /bin/dash Ux,
     /bin/ksh Ux,
     /bin/sh Ux,
     /bin/tcsh Ux,
     /bin/zsh Ux,
+    /bin/zsh4 Ux,
     /sbin/nologin Ux,
 
 # for debugging
@@ -161,6 +168,7 @@
     /etc/localtime r,
     /etc/login.defs r,
     /etc/motd r,
+    /{,var/}run/motd r,
     /tmp/ssh-*/agent.[0-9]* rwl,
     /tmp/ssh-*[0-9]*/ w,
 

profiles/apparmor/profiles/extras/usr.sbin.userdel

@@ -28,7 +28,7 @@
   /bin/cat rmix,
   /bin/bash rmix,
   /dev/log w,
-  /etc/.pwd.lock rw,
+  /etc/.pwd.lock rwk,
   /etc/cron.deny r,
   /etc/default/useradd r,
   /etc/group* rwl,

utils/Immunix/AppArmor.pm

@@ -770,12 +770,18 @@ sub create_new_profile($) {
         my $hashbang = head($fqdbin);
         if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
             my $interpreter = get_full_path($1);
+            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("r");
+            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
             if ($interpreter =~ /perl/) {
                 $profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
             } elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
                 $profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
+            } elsif ($interpreter =~ m/python/) {
+                $profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
+            } elsif ($interpreter =~ m/ruby/) {
+                $profile->{$fqdbin}{include}->{"abstractions/ruby"} = 1;
             }
             handle_binfmt($profile->{$fqdbin}, $interpreter);
         } else {
@@ -4791,13 +4797,9 @@ sub sub_mode_to_str($) {
     $str .= "a" if ($mode & $AA_MAY_APPEND);
     $str .= "l" if ($mode & $AA_MAY_LINK);
     $str .= "k" if ($mode & $AA_MAY_LOCK);
-    if ($mode & $AA_EXEC_UNCONFINED) {
-	if ($mode & $AA_EXEC_UNSAFE) {
-	    $str .= "u";
-	} else {
-	    $str .= "U";
-	}
-    }
+
+    # modes P and C *must* come before I and U; otherwise syntactically
+    # invalid profiles result
     if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) {
 	if ($mode & $AA_EXEC_UNSAFE) {
 	    $str .= "p";
@@ -4812,7 +4814,18 @@ sub sub_mode_to_str($) {
 	    $str .= "C";
 	}
     }
+
+    # modes P and C *must* come before I and U; otherwise syntactically
+    # invalid profiles result
+    if ($mode & $AA_EXEC_UNCONFINED) {
+	if ($mode & $AA_EXEC_UNSAFE) {
+	    $str .= "u";
+	} else {
+	    $str .= "U";
+	}
+    }
     $str .= "i" if ($mode & $AA_EXEC_INHERIT);
+
     $str .= "x" if ($mode & $AA_MAY_EXEC);
 
     return $str;