mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00
Code Issues Releases Wiki Activity

Compare commits

base: mir:v4.1.0-beta4
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1
...
compare: mir:v3.1.3
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1

54 Commits
v4.1.0-bet ... v3.1.3

Author SHA1 Message Date
John Johansen
c8eefe440c Prepare for AppArmor 3.1.3 release 
- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-27 17:24:32 -08:00
John Johansen
df3b9601de Merge [3.x] Update samba profiles 
samba-dcerpcd requires access to `/var/cache/samba/names.tdb`.

    audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0

See also https://bbs.archlinux.org/viewtopic.php?id=281411

Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd`
has similar ones, simply add `/var/cache/samba/*.tdb rwk` to
`abstractions/samba`.

(cherry picked from commit 763c4ecd23,
with cleanup of now-superfluous rules in usr.sbin.nmbd and
usr.sbin.winbindd dropped)

Also allow access to samba pid files directly in /run/

This is a backport of !987, with the cleanup of now-superfluous rules removed.

I propose this patch for 3.x (also for 2.13 if it cleanly applies)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/988
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2023-02-27 19:52:17 +00:00
nl6720
a9fa20a456 profiles/apparmor.d/samba*: allow access to pid files directly in /run/ 
On Arch Linux, `samba-dcerpcd.pid` is in `/run/`, not `/run/samba/`.

   apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

The same is true for `nmbd.pid`, `smbd.pid` and probably others too.

(cherry picked from commit 6f0d2ef7fe)
 2023-02-27 20:37:38 +01:00
nl6720
089064439d profiles/apparmor.d/abstractions/samba: allow modifying /var/cache/samba/*.tdb 
samba-dcerpcd requires access to `/var/cache/samba/names.tdb`.

    audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0

See also https://bbs.archlinux.org/viewtopic.php?id=281411

Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd`
has similar ones, simply add `/var/cache/samba/*.tdb rwk` to
`abstractions/samba`.

(cherry picked from commit 763c4ecd23,
with cleanup of now-superfluous rules in usr.sbin.nmbd and
usr.sbin.winbindd dropped)
 2023-02-27 20:36:30 +01:00
John Johansen
1759c1bd24 Merge Add abstractions/groff with lots of groff/nroff helpers 
contributed by Werner Fink via
https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25

Note that - compared to the file in bugzilla - I removed the `rix` rules
for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix,
Px or Cx groff/nroff as they wish, and then include the abstraction
inside the target profile to allow executing all the helpers.

I also added `include if exists <abstractions/groff.d>`

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/973
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 238eb8150b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-26 13:57:12 -08:00
John Johansen
68de30cf76 Merge abstractions/openssl: allow reading /etc/ssl/openssl-*.cnf 
openSUSE Tumbleweed uses /etc/ssl/openssl-1_1.cnf to make the migration
to openssl 3 possible.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1207911

I propose this patch for at least 3.1 and master, ideally for all branches (as long as it can easily be merged)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/984
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f223ed063e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-25 17:06:33 -08:00
Christian Boltz
925ccfe482 Merge Backport Recent Python Bugfixes to 3.1 
This MR backports bugfixes from !985, bringing them from `master` to `apparmor-3.1`.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/986
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
 2023-02-24 20:21:00 +00:00
Georgia Garcia
dc4b38acf0 libapparmor: add support for class in logparsing 
We want to use the class field to identify operations such as
posix_mqueue

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 5cc7a26e78)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-24 04:09:12 -08:00
Georgia Garcia
9f25b5f6ff libapparmor: add support for requested and denied on logparsing 
In order to decrease the number of characters in the audit logs
from the kernel, we will drop the "_mask" from the fields
"requested_mask" and "denied_mask".

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit a05c9483f3)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-24 04:08:57 -08:00
Mark Grassi
6e2eabd424 Fix AttributeError caused by Python 3 migration 
(cherry picked from commit cc7f8fb4d6)
 2023-02-23 22:39:28 -05:00
Mark Grassi
c8ce78e00c Replace mutable default arguments in utils 
(cherry picked from commit 2742d1f1ee)
 2023-02-23 22:39:25 -05:00
Mark Grassi
7526ba4b0a Add missing comma to tuple 
(cherry picked from commit 2be41315e7)
 2023-02-23 22:39:21 -05:00
Mark Grassi
0eaf6d3649 Replace mutable default arguments in tests 
(cherry picked from commit 14e01b5d73)
 2023-02-23 22:39:17 -05:00
Christian Boltz
e44e9187ae Merge abstractioms/nvidia: add new cache directory 
Some applications (like Firefox or Steam, but for some reason not
glxgears) now writes to ~/.cache/nvidia/*:

```
type=AVC msg=audit(1676115846.764:605): apparmor="DENIED" operation="open" profile="firefox" name="/home/vincas/.cache/nvidia/GLCache/2c0cfcdab4d7b05f8130d8f
ba8838943/ec9a05ca3988cfd1/1fee83e04c0ea4d8.toc" pid=26827 comm="firefox" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000^]FSUID="vincas" OUID="v
incas"
```

```
type=AVC msg=audit(1676134465.264:2166): apparmor="DENIED" operation="open" profile="steam" name="/home/vincas/.cache/nvidia/GLCache/95f6d95b1adf9af310bc94af5f19e509/6b24ef0587ddc7e4/23b502f99abb563c.toc" pid=56082 comm="steam" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000^]FSUID="vincas" OUID="vincas"
```

Update nvidia abstraction to allow create caches in .cache subdirectory.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/982
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit d713f75086)

15b92cd2 abstractioms/nvidia: add new cache directory
 2023-02-16 17:41:49 +00:00
Christian Boltz
677051bd02 Merge nvidia_modprobe: update for driver families and /sys path 
Debian have split NVIDIA drivers into current, tesla and legacy:

```
$ apt-file search /etc/nvidia/ | grep -P -o -e
"(?<=/etc/nvidia/).[^/]*/" | sort -u
current/
current-open/
legacy-340xx/
legacy-390xx/
tesla/
tesla-418/
tesla-450/
tesla-460/
tesla-470/
tesla-510/
```

These paths are used by nvidia_modprobe -> kmod:

```
type=AVC msg=audit(1676135718.796:2592): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-blacklists-nouveau.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
type=AVC msg=audit(1676135718.796:2593): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-options.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
type=AVC msg=audit(1676135718.796:2594): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-modprobe.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
```

Also, additional /sys path is accessed:

```
type=AVC msg=audit(1676136251.680:2956): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/sys/module/drm/initstate" pid=63642 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
```

Update nvidia_modprobe profile to this these denials.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/983
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 94d2faab71)

8e50c351 nvidia_modprobe: update for driver families and /sys path
 2023-02-14 18:39:27 +00:00
John Johansen
21ca572de6 Merge postfix-tlsmgr: allow reading openssl.cnf 
Seen/needed on openSUSE Tumbleweed

I propose this patch for all branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/981
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3e89b4aab2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-09 00:17:43 -08:00
John Johansen
6c240a473b Merge avahi-daemon needs attach_disconnected 
... for var/lib/nscd/passwd and var/lib/nscd/group

I propose this patch for all branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/960
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 2c72dd5541)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-03 21:27:10 -08:00
John Johansen
eec9086ecf Merge [3.1] firefox.sh: Adjust local include to match master 
The local include in firefox.sh was just added today. Change it to the
value we have in master (as soon as !975 gets accepted).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/976
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2023-02-02 18:16:03 +00:00
John Johansen
81d8af7c13 Merge nscd: allow using systemd-userdb 
If systemd-userdb is used to configure some users, nscd needs to read
the userdb files.

See also https://www.freedesktop.org/software/systemd/man/nss-systemd.html
for the list of possible filenames (and symlinks).

Fixes: http://bugzilla.opensuse.org/show_bug.cgi?id=1207698

I propose this patch for all branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/977
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 5df8da3c37)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-01 19:56:03 -08:00
John Johansen
a9bea8a377 Merge Fix mode not being printed when debugging AF_UNIX socket rules. 
This was due to the values being defined in both af_unix and af_rule leaving the latter values unset.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/979
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit da7d3a2101)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-01 19:50:55 -08:00
Georgia Garcia
3aa895073a Merge Fix spacing when printing out AF_UNIX addresses 
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/978
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 608560ee43)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-02-01 19:50:37 -08:00
Christian Boltz
dcf7e9a0d5 firefox.sh: Adjust local include to match master 
The local include in firefox.sh was just added today. Change it to the
value we have in master (as soon as MR 975 gets accepted).
 2023-01-30 12:11:21 +01:00
Christian Boltz
57fec9624d Merge Ensure all profiles in extras/ have optional local include + comment 
Recently got bitten by `usr.sbin.lighttpd` not having the local include, so I figured I'd bring all the `extras/` profiles up to parity.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/974
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 8895e00ef1)

d0e32a32 Ensure all profiles in extras/ have optional local include + comment
 2023-01-30 10:16:20 +00:00
John Johansen
aee9bf56c0 Merge libapparmor: add scanner support for dbus method 
In the [merge request that adds AppArmor support on D-Bus Broker](https://github.com/bus1/dbus-broker/pull/286), the word "method" is used instead of "member" on the auditing logs.
So we are adding support to parse "method" the same way as "member" on D-Bus audit logs.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a96fa35bd5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-25 13:08:31 -08:00
John Johansen
0295fadab3 Merge add dbus-broker support on regression tests 
dbus-broker requires some modification of the test suite. In summary:

* refactor to support starting and stopping both dbus and dbus-broker.
* Make it so we can run the tests on each, where appropriate
* skip unrequested reply and eavesdrop tests for dbus broker because they are not supported.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/965
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 223036d952)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-24 16:39:44 -08:00
John Johansen
5bc35342ed Merge Fix: Opening links with Brave 
Resolves #292.

This fix is the same as !830 but for Brave.
Opening links in Brave now works as intended.

Note that now a separate denial is caused, related to WidevineCDM, is produced:
```
[ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object)
```

In the syslog:
```
audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100
```

I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR.

If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin:
```
audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21  capname="sys_admin"
```
which is fine, as mentioned by @jjohansen [here](https://gitlab.com/apparmor/apparmor/-/merge_requests/830#note_831915024).

Closes #292
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/957
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 5fd8c25745)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-24 16:32:30 -08:00
John Johansen
6cc9160246 Merge Extend crypto and ssl_certs abstractions 
- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
- crypoto: allow reading /etc/gcrypt/hwf.deny

I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/961
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit bb30df7843)

d15bfa99 Extend crypto and ssl_certs abstractions
 2023-01-24 23:10:21 +00:00
Christian Boltz
5452053f5b Merge Add pipewire client.conf to audio abstractions 
Fixes: https://bugs.launchpad.net/bugs/2003702

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/970
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit dedb5d94cb)

b5a7641d Add pipewire client.conf to audio abstractions
 2023-01-23 20:35:14 +00:00
Christian Boltz
da906cda8c Merge profiles: dnsmasq: add Waydroid pid file 
Waydroid uses LXC and some lxc-net equivalent scripts. Allow that.

b910c89174/data/scripts/waydroid-net.sh
https://web.archive.org/web/20221202141315/https://docs.waydro.id/debugging/known-issues

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/969
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit d61ccafcb3)

977e45c1 profiles: dnsmasq: add Waydroid pid file
 2023-01-22 18:11:28 +00:00
John Johansen
a19754f52f Merge regression tests: fix bogon patch characters in Makefile 
Commit 8cf3534a5 ("tests regression: fix failure on older versions of
Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.

Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.

Fixes: 8cf3534a5 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/963
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f0bc1a89a4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-04 16:45:22 -08:00
John Johansen
379a486b87 Merge aa-status: Fix malformed json output with unconfined processes 
As reported in issue #295, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/964
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit dfc9847f89)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-04 09:33:59 -08:00
Georgia Garcia
5ad91d482d Merge log parsing fixes 
small fixes on log parsing

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/959
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 4f2d2a8cab)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2022-12-16 16:55:31 -03:00
John Johansen
19bbc5dfc3 Merge parser: Fix invalid reference to transitions when building the chfa 
States are not guaranteed to have transitions, but when inserting
a state into the chfa table there is an unconditional dereference
to the states first transition.

This will result in a bad reference and could result in an OOB
flag being set on the state when it shouldn't be.

Fixes: 16b67ddbd ("add ability to use out of band transitions"
Closes: https://gitlab.com/apparmor/apparmor/-/issues/290
Reported-by: Nobel Barakat <nobelbarakat@google.com>
Reported-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Closes #290
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/956
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit a7bce9be98)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-12-09 23:03:54 -08:00
John Johansen
66cb0ed739 Merge smbd: allow reading /var/lib/nscd/netgroup 
(reported on the opensuse-factory mailinglist)

I propose this patch for 2.13..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/948
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ba01d479e2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-11-29 12:56:21 -08:00
Christian Boltz
d179a704e7 Merge abstractions/nvidia: allow reading @{pid}/comm 
On Debian Sid, NVIDIA driver spams log with:

```
type=AVC msg=audit(1669542108.552:11855): apparmor="DENIED"
operation="open" profile="qtox" name="/proc/21222/comm" pid=21222
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000FSUID="vincas" OUID="vincas"
```

```
type=AVC msg=audit(1669541506.703:11329): apparmor="DENIED"
operation="open" profile="skypeforlinux" name="/proc/19851/comm"
pid=19851 comm="skypeforlinux" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```

Read is initiated within libnvidia-glcore.so:

```
Thread 1 "qtox" hit Catchpoint 1 (call to syscall openat), 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41
41	in ../sysdeps/unix/sysv/linux/open64.c
$27 = 0x7fb742adbb50 "/proc/self/comm"
0  0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41
1  0x00007fb797aa0862 in __GI__IO_file_open (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=<optimized out>) at ./libio/fileops.c:188
2  0x00007fb797aa0a1b in _IO_new_file_fopen (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", mode=<optimized out>, mode@entry=0x7fb7428effe2 "r", is32not64=is32not64@entry=1) at ./libio/fileops.c:280
3  0x00007fb797a950f9 in __fopen_internal (filename=0x7fb742adbb50 "/proc/self/comm", mode=0x7fb7428effe2 "r", is32=1) at ./libio/iofopen.c:75
4  0x00007fb7423d791f in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
5  0x00007fb7423d4515 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
6  0x00007fb7423d0226 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
7  0x00007fb7423e1961 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
8  0x00007fb74824bc79 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
9  0x00007fb7482b1c56 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
10 0x000000000000001d in ?? ()
11 0x00005579518975f0 in ?? ()
12 0x0000000000000001 in ?? ()
13 0x00007fb74824b1eb in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
14 0x00005579518975f0 in ?? ()
15 0x00007fb79b2dda79 in call_init (env=0x7ffd92d7aac8, argv=0x7ffd92d7aab8, argc=-1831363648, l=0x7fb748516f70) at ./elf/dl-init.c:56
16 call_init (l=0x7fb748516f70, argc=-1831363648, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:26
17 0x00007fb79b2ddba4 in _dl_init (main_map=0x5579518975f0, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:117
18 0x00007fb797b6def4 in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:182
19 0x00007fb79b2e430e in dl_open_worker (a=a@entry=0x7ffd92d79f20) at ./elf/dl-open.c:808
20 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
21 0x00007fb79b2e46a8 in _dl_open (file=0x557951888020 "libGLX_nvidia.so.0", mode=<optimized out>, caller_dlopen=0x7fb78d7d4d27, nsid=<optimized out>, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-open.c:884
22 0x00007fb797aa42d8 in dlopen_doit (a=a@entry=0x7ffd92d7a190) at ./dlfcn/dlopen.c:56
23 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=exception@entry=0x7ffd92d7a0f0, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
24 0x00007fb797b6df4f in __GI__dl_catch_error (objname=0x7ffd92d7a148, errstring=0x7ffd92d7a150, mallocedp=0x7ffd92d7a147, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227
25 0x00007fb797aa3dc7 in _dlerror_run (operate=operate@entry=0x7fb797aa4280 <dlopen_doit>, args=args@entry=0x7ffd92d7a190) at ./dlfcn/dlerror.c:138
26 0x00007fb797aa4389 in dlopen_implementation (dl_caller=<optimized out>, mode=<optimized out>, file=<optimized out>) at ./dlfcn/dlopen.c:71
27 ___dlopen (file=<optimized out>, mode=<optimized out>) at ./dlfcn/dlopen.c:81
28 0x00007fb78d7d4d27 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0
29 0x00007fb78d7d6335 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0
30 0x00007fb78d7cf9f8 in glXChooseFBConfig () from /lib/x86_64-linux-gnu/libGLX.so.0
31 0x00007fb748646f6a in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
32 0x00007fb748644450 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
33 0x00007fb7486421b7 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
34 0x00007fb79838262d in QOpenGLContext::create() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
35 0x00007fb74bb4303c in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so
36 0x00007fb797eb7aaf in qt_call_pre_routines () at kernel/qcoreapplication.cpp:317
37 QCoreApplicationPrivate::init (this=<optimized out>) at kernel/qcoreapplication.cpp:849
38 0x00007fb7983379dc in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
39 0x00007fb798b684c9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5
40 0x0000557950f1d597 in main ()
```

Add read rule to allow reading @{pid}/comm.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/954
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 2597fd5db8)

948cbb56 abstractions/nvidia: allow reading @{pid}/comm
 2022-11-27 13:06:48 +00:00
Christian Boltz
4244737f65 Merge lsb_release: allow cat and cut 
lsb_release fails on Debian Sid:

```
$ sudo aa-exec -p lsb_release lsb_release
/usr/bin/lsb_release: 70: cut: Permission denied
/usr/bin/lsb_release: 70: cut: Permission denied
```

```
$ sudo aa-exec -p lsb_release lsb_release -h
/usr/bin/lsb_release: 11: cat: Permission denied
```

```
type=AVC msg=audit(1669540199.087:2680): apparmor="DENIED"
operation="exec" profile="lsb_release" name="/usr/bin/cut" pid=17419
comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0
ouid=0FSUID="root" OUID="root"
```

```
type=AVC msg=audit(1669540392.244:2944): apparmor="DENIED"
operation="exec" profile="lsb_release" name="/usr/bin/cat" pid=17847
comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0
ouid=0FSUID="root" OUID="root"
```

Update profile to allow lsb_release script to invoke required
executables.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/953
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 495f68c797)

f596a176 lsb_release: allow cat and cut
 2022-11-27 13:00:19 +00:00
Christian Boltz
e617f04681 Merge Include profile name in error message on directory exec 
... to make the error message more helpful.

Inspired by https://gitlab.com/apparmor/apparmor/-/issues/285

I propose this patch for 3.1 and master.
(3.0 uses a different variable name - if we want it there, it needs a slightly different patch.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/949
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit dd5a6c2e0a)

ef5c4b50 Include profile name in error message on directory exec
 2022-11-21 12:59:51 +00:00
Christian Boltz
9d826aae65 Merge Catch PermissionError when trying to write a profile 
... and re-raise it as AppArmorException so that only the actual error
(without a backtrace) gets displayed.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/282

I propose this patch for 3.0..master.

Closes #282
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/946
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 50074a3c01)

d0ec2aca Catch PermissionError when trying to write a profile
 2022-11-15 20:46:12 +00:00
Christian Ehrhardt
465c861b02 Allow access to possible cpus for glibc-2.36 
Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when usig sysconf
for _SC_NPROCESSORS_CONF.

That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.

  apparmor="DENIED" operation="open" class="file" ...
  name="/sys/devices/system/cpu/possible" ...
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.

Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
MR: none - ML
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c159d0925a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-11-14 21:47:18 -08:00
John Johansen
dc85d04805 Merge Adds WSL programmatic management of /etc/resolv.conf. 
When WSL automatically generates a resolv.conf for an instance, the /etc/resolv.conf file is a symlink to /mnt/wsl/resolv.conf. This patch adds an entry for this to the other policies to handle such management.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/935
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit 8fa77e9e6c)

5232eaa2 Adds /mnt/wsl/resolv.conf to nameservices.
 2022-11-08 18:13:57 +00:00
John Johansen
a40923006c Merge Allow reading /sys/devices/system/cpu/possible 
... in the dnsmasq//libvirt_leaseshelper profile

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202849

I propose this patch for 3.0, 3.1 and master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/917
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit 37f0f77425)

ace8e044 Allow reading /sys/devices/system/cpu/possible
 2022-11-08 18:11:23 +00:00
John Johansen
1fe80c0f85 Prepare for AppArmor 3.1.2 release 
- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-11-07 10:44:48 -08:00
John Johansen
8043dda3f6 Merge Hardcode and check the expected libapparmor.so name/number 
... to prevent wrong/unexpected numbering (like
https://gitlab.com/apparmor/apparmor/-/issues/266) in future releases.

I propose this patch for master and 3.1.

Backporting to 3.0 and 2.x might also make sense, but of course needs a different .so number.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/915
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bed1471144)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-10-29 03:08:56 -07:00
John Johansen
e95080e140 Merge libapparmor: allow parsing of logs with 0x1d + uppercase items 
audit.log lines on Arch have an additional FSUID="username" OUID="username",
separated from the previous part of the log line with 0x1d.

Extend the log parsing to accept 0x1d as whitespace, and to recognize
(and ignore) FSUID and OUID.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271

Also add one of the log lines from #271 as test_multi test case.

I propose this patch for 3.0..master.

Closes #271
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/940
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 0d61139e2a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-10-29 03:06:30 -07:00
John Johansen
45125cedd3 Merge syslog-ng: allow reading *.journal in flatter directory structure 
On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in
/var/log/journal/*.journal - without an additional subdirectory level.

I propose this patch for 2.13..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2022-10-28 05:56:57 -07:00
Christian Boltz
969a8f7618 Merge samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/ 
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572

I propose this fix for 3.0..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/937
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit fab4b4e762)

6920daea samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/
 2022-10-27 22:34:12 +00:00
Christian Boltz
770b8f1e88 Merge abstactions/kde: update for kwinrc, kdedefaults/* files 
GUI applications such as KDE dragon player, qTox, LibreOffice tries to
access .config/kwinrc, .config/kdedefaults/kwinrc and
.config/kdedefaults/kdeglobals.

Update abstractions/kde to fix denials for applications running under
KDE.

Some examples:
```
type=AVC msg=audit(1666458796.112:5561): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666458796.204:5683): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kwinrc" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"

```
```
type=AVC msg=audit(1666462415.255:3640): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666462415.343:3641): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kwinrc" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```

```
type=AVC msg=audit(1666459466.968:5852): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666459467.076:6057): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666459467.076:6058): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"

```

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/936
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 18d1b06b0c)

d9dc0b61 abstactions/kde: update for kwinrc, kdedefaults/* files
 2022-10-22 19:28:38 +00:00
Christian Boltz
3345250f72 Merge parser: fix DISTRO variable in Makefile 
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.

Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 05d7bdd655)

1df547ee parser: fix DISTRO variable in Makefile
 2022-10-07 19:54:08 +00:00
John Johansen
51cf0848c7 Merge profiles/apparmor.d: Update samba profile 
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990692
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/926
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit e1cc90f3a2)

96aff5a5 profiles/apparmor.d: Update samba profile
 2022-10-01 10:20:32 +00:00
Christian Boltz
e0c0a6a6a5 Merge Prevent crash on log entries for non-existing profile 
If audit.log contains entries for a profile that doesn't exist (for
example when working with a log file from another system), skip these
log entries instead of crashing.

Reproducer (crashes without this patch):

    aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')

I propose this patch for 3.1 and master. (3.0 and older are not affected and do not need this fix.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/919
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit f5594fbb7c)

94c7c79c Prevent crash on log entries for non-existing profile
 2022-08-29 19:56:17 +00:00
Steve Beattie
ea127f13cd common/Version: bump version for 3.1.1 release 
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
 2022-08-26 23:35:24 -07:00
Christian Boltz
480cb56553 Merge profiles: permit php-fpm pid files directly under run/ 
The upstream php-fpm.conf file carries the following pid file example
path:
  [global]
  ; Pid file
  ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
  ; Default Value: none
  ;pid = run/php-fpm.pid

Add this path to profiles/apparmor.d/php-fpm, alongside the current
nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267

Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: David Disseldorp <ddiss@suse.de>

Closes #267
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/914
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit d024100efe)

d8533ec8 profiles: permit php-fpm pid files directly under run/
 2022-08-26 10:36:11 +00:00
Georgia Garcia
075c69a4eb Merge [3.1] libapparmor: fix mistaken SO version bump 
In commit 7c7224004 ("Prepare for AppArmor 3.1 release"), as preperation
for the AppArmor 3.1.0 release, the SO versioning information was
adjusted, using a more significant bump to give prior AppArmor releases
room to address bugs in libapparmor without ending up with conflicting
SO versions. Unfortunately, that process was untested and because
AA_LIB_AGE was not incremented by the same amount as AA_LIB_CURRENT,
this resulted in an accidental major SO versions bump with the library
SO version being:

  libapparmor.so.4.9.0

This commit increments AA_LIB_AGE by the same amount, resulting in a
library versioned as:

  libapparmor.so.1.12.0

and adds a note to mention that AA_LIB_AGE needs to be incremented
in the same way as AA_LIB_CURRENT. This fix is intended to address
this for the 3.1 branch; I'd like to find a better approach for
the development branch that can be used in future AppArmor primary
releases.

In general, thanks to symbol versioning (see
`libraries/libapparmor/src/libapparmor.map`) we should not need to
ever bump the SO version except in an extreme case.

Fixes: 7c7224004 ("Prepare for AppArmor 3.1 release")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/266

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/913
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
 2022-08-25 20:10:30 +00:00
Steve Beattie
f9dbaa38ec [3.1] libapparmor: fix mistaken SO version bump 
In commit 7c7224004 ("Prepare for AppArmor 3.1 release"), as preperation
for the AppArmor 3.1.0 release, the SO versioning information was
adjusted, using a more significant bump to give prior AppArmor releases
room to address bugs in libapparmor without ending up with conflicting
SO versions. Unfortunately, that process was untested and because
AA_LIB_AGE was not incremented by the same amount as AA_LIB_CURRENT,
this resulted in an accidental major SO versions bump with the library
SO version being:

  libapparmor.so.4.9.0

This commit increments AA_LIB_AGE by the same amount, resulting in a
library versioned as:

  libapparmor.so.1.12.0

and adds a note to mention that AA_LIB_AGE needs to be incremented
in the same way as AA_LIB_CURRENT. This fix is intended to address
this for the 3.1 branch; I'd like to find a better approach for
the development branch that can be used in future AppArmor primary
releases.

In general, thanks to symbol versioning (see
`libraries/libapparmor/src/libapparmor.map`) we should not need to
ever bump the SO version except in an extreme case.

Fixes: 7c7224004 ("Prepare for AppArmor 3.1 release")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/266
 2022-08-25 11:55:42 -07:00
164 changed files with 943 additions and 278 deletions
Expand all files Collapse all files

7
binutils/aa_status.c
View File

@@ -534,16 +534,19 @@ static int detailed_output(FILE *json) {
} else {
fprintf(json, "%s\"%s\": [{\"profile\": \"%s\", \"pid\": \"%s\", \"status\": \"%s\"}",
// first element will be a unique executable
i == 0 && j == 0 ? "" : "], ",
j == 0 ? "" : "], ",
filtered[j].exe, filtered[j].profile, filtered[j].pid, filtered[j].mode);
}
}
if (j > 0) {
fprintf(json, "]");
}
}
free_processes(filtered, nfiltered);
}
if (json) {
fprintf(json, "%s}}\n", nprocesses > 0 ? "]" : "");
fprintf(json, "}}\n");
}
exit:

2
common/Version
View File

@@ -1 +1 @@
3.1.0
3.1.3

2
libraries/libapparmor/include/aalogparse.h
View File

@@ -159,6 +159,8 @@ typedef struct
char *fs_type;
char *flags;
char *src_name;
char *class;
} aa_log_record;
/**

14
libraries/libapparmor/src/Makefile.am
View File

@@ -16,7 +16,8 @@ INCLUDES = $(all_includes)
# problems in the unlikely event where an interface has to break.
# - set AA_LIB_REVISION to 0.
# 4. If any interfaces have been added since the last public release, then
# - increment AA_LIB_AGE.
# - increment AA_LIB_AGE by the same amount that AA_LIB_CURRENT was
# incremented.
# 5. If any interfaces have been removed or changed since the last public
# release, then
# - set AA_LIB_AGE to 0.
@@ -29,9 +30,12 @@ INCLUDES = $(all_includes)
# For more information, see:
# http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
#
# After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
AA_LIB_CURRENT = 13
AA_LIB_REVISION = 0
AA_LIB_AGE = 9
AA_LIB_REVISION = 2
AA_LIB_AGE = 12
EXPECTED_SO_NAME = libapparmor.so.1.12.2
SUFFIXES = .pc.in .pc
@@ -80,4 +84,8 @@ tst_kernel_LDFLAGS = -pthread
check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
TESTS = $(check_PROGRAMS)
.PHONY: check-local
check-local:
test -f ./.libs/$(EXPECTED_SO_NAME) || { echo '*** unexpected .so name/number for libapparmor (expected $(EXPECTED_SO_NAME), the actual filename is shown below) ***' ; ls -l ./.libs/libapparmor.so.*.* ; exit 1; }
EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc

9
libraries/libapparmor/src/grammar.y
View File

@@ -159,7 +159,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_NAMESPACE
%token TOK_KEY_ERROR
%token TOK_KEY_FSUID
%token TOK_KEY_FSUID_UPPER
%token TOK_KEY_OUID
%token TOK_KEY_OUID_UPPER
%token TOK_KEY_UID
%token TOK_KEY_AUID
%token TOK_KEY_SAUID
@@ -185,6 +187,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_FSTYPE
%token TOK_KEY_FLAGS
%token TOK_KEY_SRCNAME
%token TOK_KEY_CLASS
%token TOK_SOCKLOGD_KERNEL
%token TOK_SYSLOG_KERNEL
@@ -351,6 +354,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->fsuid = $3;}
| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
{ ret_record->ouid = $3;}
| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
{ free($3);} /* Ignore - fsuid username */
| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
{ free($3);} /* Ignore - ouid username */
| TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
{ /* Ignore - Source audit ID from user AVC messages */ }
| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
@@ -425,6 +432,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
ret_record->event = AA_RECORD_INVALID;
ret_record->info = $1;
}
| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->class = $3; }
;
apparmor_event:

2
libraries/libapparmor/src/libaalogparse.c
View File

@@ -103,6 +103,8 @@ void free_record(aa_log_record *record)
free(record->flags);
if (record->src_name != NULL)
free(record->src_name);
if (record->class != NULL)
free(record->class);
free(record);
}

14
libraries/libapparmor/src/scanner.l
View File

@@ -72,7 +72,7 @@ void string_buf_append(unsigned int length, char *text)
%}
ws [ \t\r\n]
ws [ \t\r\n\x1d]
equals "="
digit [[:digit:]]
@@ -121,6 +121,8 @@ key_namespace "namespace"
key_mask "mask"
key_denied_mask "denied_mask"
key_requested_mask "requested_mask"
key_denied "denied"
key_requested "requested"
key_attribute "attribute"
key_task "task"
key_parent "parent"
@@ -138,7 +140,9 @@ key_sock_type "sock_type"
key_protocol "protocol"
key_error "error"
key_fsuid "fsuid"
key_fsuid_upper "FSUID"
key_ouid "ouid"
key_ouid_upper "OUID"
key_uid "uid"
key_auid "auid"
key_sauid "sauid"
@@ -161,11 +165,13 @@ key_dest "dest"
key_path "path"
key_interface "interface"
key_member "member"
key_method "method"
key_signal "signal"
key_peer "peer"
key_fstype "fstype"
key_flags "flags"
key_srcname "srcname"
key_class "class"
audit "audit"
/* network addrs */
@@ -307,6 +313,8 @@ yy_flex_debug = 0;
{key_mask} { return(TOK_KEY_MASK); }
{key_denied_mask} { return(TOK_KEY_DENIED_MASK); }
{key_requested_mask} { return(TOK_KEY_REQUESTED_MASK); }
{key_denied} { return(TOK_KEY_DENIED_MASK); }
{key_requested} { return(TOK_KEY_REQUESTED_MASK); }
{key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
{key_task} { return(TOK_KEY_TASK); }
{key_parent} { return(TOK_KEY_PARENT); }
@@ -324,7 +332,9 @@ yy_flex_debug = 0;
{key_protocol} { return(TOK_KEY_PROTOCOL); }
{key_error} { return(TOK_KEY_ERROR); }
{key_fsuid} { return(TOK_KEY_FSUID); }
{key_fsuid_upper} { return(TOK_KEY_FSUID_UPPER); }
{key_ouid} { return(TOK_KEY_OUID); }
{key_ouid_upper} { return(TOK_KEY_OUID_UPPER); }
{key_uid} { return(TOK_KEY_UID); }
{key_auid} { return(TOK_KEY_AUID); }
{key_sauid} { return(TOK_KEY_SAUID); }
@@ -346,11 +356,13 @@ yy_flex_debug = 0;
{key_path} { return(TOK_KEY_PATH); }
{key_interface} { return(TOK_KEY_INTERFACE); }
{key_member} { return(TOK_KEY_MEMBER); }
{key_method} { return(TOK_KEY_MEMBER); }
{key_signal} { BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
{key_peer} { BEGIN(safe_string); return(TOK_KEY_PEER); }
{key_fstype} { return(TOK_KEY_FSTYPE); }
{key_flags} { BEGIN(safe_string); return(TOK_KEY_FLAGS); }
{key_srcname} { BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
{key_class} { BEGIN(safe_string); return(TOK_KEY_CLASS); }
{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }

3
libraries/libapparmor/swig/python/test/test_python.py.in
View File

@@ -35,6 +35,7 @@ OUTPUT_MAP = {
'Local port': 'net_local_port',
'Foreign port': 'net_foreign_port',
'Audit subid': 'audit_sub_id',
'Class': '_class',
}
# FIXME: pull this automatically out of LibAppArmor, but swig
@@ -109,7 +110,7 @@ class AAPythonBindingsTests(unittest.TestCase):
"""parse the swig created record and construct a dict from it"""
new_record = dict()
for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
for key in [x for x in dir(record) if not (x.startswith('__') or x == 'this')]:
value = getattr(record, key)
if key == "event" and value in EVENT_MAP:
new_record[key] = EVENT_MAP[value]

2
libraries/libapparmor/testsuite/test_multi.c
View File

@@ -134,6 +134,8 @@ int print_results(aa_log_record *record)
print_string("Flags", record->flags);
print_string("Src name", record->src_name);
print_string("Class", record->class);
print_long("Epoch", record->epoch, 0);
print_long("Audit subid", (long) record->audit_sub_id, 0);
return(0);

0
libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in Normal file
View File

@@ -0,0 +1 @@
type=AVC msg=audit(1661734785.992:270): apparmor="ALLOWED" operation="open" profile="/usr/bin/dolphin" name="/home/otis/.config/kdedefaults/kdeglobals" pid=3483 comm="dolphin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="otis" OUID="root"

15
libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out Normal file
View File

@@ -0,0 +1,15 @@
START
File: 0x1d-uppercase-FSUID-OUID.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1661734785.992:270
Operation: open
Mask: r
Denied Mask: r
fsuid: 1000
ouid: 0
Profile: /usr/bin/dolphin
Name: /home/otis/.config/kdedefaults/kdeglobals
Command: dolphin
PID: 3483
Epoch: 1661734785
Audit subid: 270

4
libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile Normal file
View File

@@ -0,0 +1,4 @@
/usr/bin/dolphin {
/home/otis/.config/kdedefaults/kdeglobals r,
}

0
libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.err Normal file
View File

1
libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.in Normal file
View File

@@ -0,0 +1 @@
Dec 15 17:32:17 kinetic kernel: [4835959.046111] audit: type=1107 audit(1671125537.724:209): pid=7308 uid=0 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="Hello" mask="send" label="/tmp/apparmor/tests/regression/apparmor/dbus_message" peer_label="unconfined" exe="/usr/local/bin/dbus-broker" sauid=0 hostname=? addr=? terminal=?'

15
libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.out Normal file
View File

@@ -0,0 +1,15 @@
START
File: testcase_dbus_11.in
Event type: AA_RECORD_DENIED
Audit ID: 1671125537.724:209
Operation: dbus_method_call
Denied Mask: send
Profile: /tmp/apparmor/tests/regression/apparmor/dbus_message
Peer profile: unconfined
Command: /usr/local/bin/dbus-broker
DBus bus: session
DBus path: /org/freedesktop/DBus
DBus interface: org.freedesktop.DBus
DBus member: Hello
Epoch: 1671125537
Audit subid: 209

4
libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.profile Normal file
View File

@@ -0,0 +1,4 @@
/tmp/apparmor/tests/regression/apparmor/dbus_message {
dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(label=unconfined),
}

6
parser/Makefile
View File

@@ -386,11 +386,11 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
elif [ -f /etc/debian_version ] ; then \
echo debian ;\
elif which rpm > /dev/null ; then \
if [ "$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
echo suse ;\
elif [ "$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
echo rhel4 ;\
elif [ "$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
echo rhel4 ;\
else \
echo unknown ;\

7
parser/af_unix.cc
View File

@@ -111,8 +111,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
struct cond_entry *peer_conds):
af_rule("unix"), addr(NULL), peer_addr(NULL),
audit(0), deny(0)
af_rule("unix"), addr(NULL), peer_addr(NULL)
{
move_conditionals(conds);
move_peer_conditionals(peer_conds);
@@ -136,7 +135,7 @@ ostream &unix_rule::dump_local(ostream &os)
{
af_rule::dump_local(os);
if (addr)
os << "addr='" << addr << "'";
os << " addr='" << addr << "'";
return os;
}
@@ -144,7 +143,7 @@ ostream &unix_rule::dump_peer(ostream &os)
{
af_rule::dump_peer(os);
if (peer_addr)
os << "addr='" << peer_addr << "'";
os << " addr='" << peer_addr << "'";
return os;
}

3
parser/af_unix.h
View File

@@ -36,9 +36,6 @@ class unix_rule: public af_rule {
public:
char *addr;
char *peer_addr;
int mode;
int audit;
bool deny;
unix_rule(unsigned int type_p, bool audit_p, bool denied);
unix_rule(int mode, struct cond_entry *conds,

14
parser/libapparmor_re/chfa.cc
View File

@@ -193,9 +193,8 @@ void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
State *default_state = dfa.nonmatching;
ssize_t base = 0;
int resize;
StateTrans &trans = from->trans;
ssize_t c = trans.begin()->first.c;
ssize_t c;
ssize_t prev = 0;
ssize_t x = first_free;
@@ -204,6 +203,7 @@ void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
if (trans.empty())
goto do_insert;
c = trans.begin()->first.c;
repeat:
resize = 0;
/* get the first free entry that won't underflow */
@@ -251,10 +251,18 @@ repeat:
first_free = next;
}
do_insert:
/* these flags will only be set on states that have transitions */
if (c < 0) {
base |= MATCH_FLAG_OOB_TRANSITION;
}
do_insert:
/* While a state without transitions could have the diff encode
* flag set, it would be pointless resulting in just an extra
* state transition in the encoding chain, and so it should be
* considered an error
* TODO: add check that state without transitions isn't being
* given a diffencode flag
*/
if (from->flags & DiffEncodeFlag)
base |= DiffEncodeBit32;
default_base.push_back(make_pair(default_state, base));

2
parser/tst/gen-xtrans.py
View File

@@ -27,7 +27,7 @@ trans_modifiers = {
targets = ("", "target", "target2")
# null_target uses "_" instead of "" because "" gets skipped in some for loops. Replace with "" when actually using the value.
null_target = ("_")
null_target = ("_",)
named_trans = {
"p": targets,

3
profiles/apparmor.d/abstractions/audio
View File

@@ -85,5 +85,8 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
# wildmidi
/etc/wildmidi/wildmidi.cfg r,
# pipewire
/usr/share/pipewire/client.conf r,
# Include additions to the abstraction
include if exists <abstractions/audio.d>

1
profiles/apparmor.d/abstractions/base
View File

@@ -101,6 +101,7 @@
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
@{sys}/devices/system/cpu/possible r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,

1
profiles/apparmor.d/abstractions/crypto
View File

@@ -13,6 +13,7 @@
abi <abi/3.0>,
@{etc_ro}/gcrypt/hwf.deny r,
@{etc_ro}/gcrypt/random.conf r,
@{PROC}/sys/crypto/fips_enabled r,

67
profiles/apparmor.d/abstractions/groff Normal file
View File

@@ -0,0 +1,67 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2023 SUSE LLC
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Note: executing groff and nroff themself is not included in this abstraction
# so that you can choose to ix, Px or Cx them in your profile
# groff/nroff helpers, preprocessors, and postprocessors
/usr/bin/addftinfo mrix,
/usr/bin/afmtodit mrix,
/usr/bin/chem mrix,
/usr/bin/eqn mrix,
/usr/bin/eqn2graph mrix,
/usr/bin/gdiffmk mrix,
/usr/bin/geqn mrix,
/usr/bin/grap2graph mrix,
/usr/bin/grn mrix,
/usr/bin/grodvi mrix,
/usr/bin/groffer mrix,
/usr/bin/grog mrix,
/usr/bin/grolbp mrix,
/usr/bin/grolj4 mrix,
/usr/bin/gropdf mrix,
/usr/bin/grops mrix,
/usr/bin/grotty mrix,
/usr/bin/gtbl mrix,
/usr/bin/hpftodit mrix,
/usr/bin/indxbib mrix,
/usr/bin/lkbib mrix,
/usr/bin/lookbib mrix,
/usr/bin/mmroff mrix,
/usr/bin/neqn mrix,
/usr/bin/pdfmom mrix,
/usr/bin/pdfroff mrix,
/usr/bin/pfbtops mrix,
/usr/bin/pic mrix,
/usr/bin/pic2graph mrix,
/usr/bin/post-grohtml mrix,
/usr/bin/pre-grohtml mrix,
/usr/bin/preconv mrix,
/usr/bin/refer mrix,
/usr/bin/roff2dvi mrix,
/usr/bin/roff2html mrix,
/usr/bin/roff2pdf mrix,
/usr/bin/roff2ps mrix,
/usr/bin/roff2text mrix,
/usr/bin/roff2x mrix,
/usr/bin/soelim mrix,
/usr/bin/tbl mrix,
/usr/bin/tfmtodit mrix,
/usr/bin/troff mrix,
/usr/bin/xtotroff mrix,
# at least its macros and fonts
/usr/libexec/groff/** r,
/usr/share/groff/** r,
# Include additions to the abstraction
include if exists <abstractions/groff.d>

3
profiles/apparmor.d/abstractions/kde
View File

@@ -41,8 +41,11 @@ owner @{HOME}/.config/Trolltech.conf rwk,
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so
owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/share/X11/XKeysymDB r,

1
profiles/apparmor.d/abstractions/nameservice
View File

@@ -44,6 +44,7 @@
@{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
@{etc_ro}/resolvconf/run/resolv.conf r,
@{run}/systemd/resolve/stub-resolv.conf r,
/mnt/wsl/resolv.conf r,
@{etc_ro}/samba/lmhosts r,
@{etc_ro}/services r,

4
profiles/apparmor.d/abstractions/nvidia
View File

@@ -23,9 +23,13 @@
@{sys}/devices/system/memory/block_size_bytes r,
owner @{HOME}/.cache/nvidia/ w,
owner @{HOME}/.cache/nvidia/GLCache/ rw,
owner @{HOME}/.cache/nvidia/GLCache/** rwk,
owner @{HOME}/.nv/ w,
owner @{HOME}/.nv/GLCache/ rw,
owner @{HOME}/.nv/GLCache/** rwk,
owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),

1
profiles/apparmor.d/abstractions/openssl
View File

@@ -11,6 +11,7 @@
abi <abi/3.0>,
/etc/ssl/openssl.cnf r,
/etc/ssl/openssl-*.cnf r,
/etc/ssl/{engdef,engines}.d/ r,
/etc/ssl/{engdef,engines}.d/*.cnf r,
/usr/share/ssl/openssl.cnf r,

7
profiles/apparmor.d/abstractions/samba
View File

@@ -25,9 +25,10 @@
/var/log/samba/cores/** rw,
/var/log/samba/* w,
@{run}/{,lock/}samba/ w,
@{run}/{,lock/}samba/*.tdb rw,
@{run}/{,lock/}samba/msg.lock/ rwk,
@{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
@{run}/{,lock/}samba/*.tdb rwk,
@{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
@{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
/var/cache/samba/*.tdb rwk,
/var/cache/samba/msg.lock/ rwk,
/var/cache/samba/msg.lock/[0-9]* rwk,

2
profiles/apparmor.d/abstractions/ssl_certs
View File

@@ -17,7 +17,7 @@
/etc/{,libre}ssl/certs/{,**} r,
/{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
/{etc,usr/share}/pki/trust/{,*} r,
/{etc,usr/share}/pki/trust/anchors/{,**} r,
/{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
/usr/share/ca-certificates/{,**} r,
/usr/share/ssl/certs/ca-bundle.crt r,
/usr/local/share/ca-certificates/{,**} r,

1
profiles/apparmor.d/abstractions/ubuntu-helpers
View File

@@ -80,6 +80,7 @@ profile sanitized_helper {
/opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
/opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
/opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
/opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
/opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
# Full access

2
profiles/apparmor.d/lsb_release
View File

@@ -30,6 +30,8 @@ profile lsb_release {
/{usr/,}bin/dash ixr,
/usr/bin/basename ixr,
/usr/bin/dpkg-query ixr,
/usr/bin/cat ixr,
/usr/bin/cut ixr,
/usr/bin/getopt ixr,
/usr/bin/sed ixr,
/usr/bin/tr ixr,

4
profiles/apparmor.d/nvidia_modprobe
View File

@@ -54,10 +54,10 @@ profile nvidia_modprobe {
# System files
/etc/modprobe.d/{,*.conf} r,
/etc/nvidia/current/*.conf r,
/etc/nvidia/{current,legacy*,tesla*}/*.conf r,
@{sys}/module/ipmi_devintf/initstate r,
@{sys}/module/ipmi_msghandler/initstate r,
@{sys}/module/nvidia/initstate r,
@{sys}/module/{drm,nvidia}/initstate r,
@{PROC}/cmdline r,
}

1
profiles/apparmor.d/php-fpm
View File

@@ -35,6 +35,7 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
# we need to be able to create all sockets
@{run}/php{,-fpm}/php*-fpm.pid rw,
@{run}/php*-fpm.pid rw,
@{run}/php{,-fpm}/php*-fpm.sock rwlk,
# to reload

5
profiles/apparmor.d/samba-bgqd
View File

@@ -14,9 +14,10 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/fd/ r,
@{run}/samba/samba-bgqd.pid wk,
@{run}/{,samba/}samba-bgqd.pid rwk,
/usr/lib*/samba/{,samba/}samba-bgqd m,
/usr/lib*/samba/{,samba/}samba-bgqd mr,
/var/cache/samba/printing/*.tdb rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/samba-bgqd>

5
profiles/apparmor.d/samba-dcerpcd
View File

@@ -16,10 +16,11 @@ include <tunables/global>
profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
include <abstractions/samba-rpcd>
@{run}/samba/samba-dcerpcd.pid wk,
@{run}/{,samba/}samba-dcerpcd.pid rwk,
/usr/lib*/samba/{,samba/}samba-dcerpcd m,
/usr/lib*/samba/{,samba/}samba-dcerpcd mr,
/usr/lib*/samba/ r,
/usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
/usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
/usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,

5
profiles/apparmor.d/samba-rpcd
View File

@@ -15,7 +15,10 @@ include <tunables/global>
profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
include <abstractions/samba-rpcd>
/usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,
/usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
@{run}/samba/ncalrpc/np/winreg wr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/samba-rpcd>
}

2
profiles/apparmor.d/samba-rpcd-classic
View File

@@ -17,7 +17,7 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
include <abstractions/samba-rpcd>
include <abstractions/wutmp>
/usr/lib*/samba/{,samba/}rpcd_classic m,
/usr/lib*/samba/{,samba/}rpcd_classic mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/samba-rpcd-classic>

10
profiles/apparmor.d/samba-rpcd-spoolss
View File

@@ -16,8 +16,16 @@ include <tunables/global>
profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
include <abstractions/samba-rpcd>
/usr/lib*/samba/{,samba/}rpcd_spoolss m,
/usr/lib*/samba/{,samba/}rpcd_spoolss mr,
/usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
/var/cache/samba/printing/ w,
/var/cache/samba/printing/*.tdb rwk,
@{run}/{,samba/}samba-bgqd.pid rk,
/dev/urandom rw,
@{run}/samba/ncalrpc/ rw,
@{run}/samba/ncalrpc/** rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/samba-rpcd-spoolss>

1
profiles/apparmor.d/sbin.syslog-ng
View File

@@ -61,6 +61,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
/{var,var/run,run}/log/journal/ r,
/{var,var/run,run}/log/journal/*/ r,
/{var,var/run,run}/log/journal/*/*.journal r,
/{var,var/run,run}/log/journal/*.journal r,
@{run}/syslog-ng.ctl a,
@{run}/syslog-ng/additional-log-sockets.conf r,

2
profiles/apparmor.d/usr.sbin.avahi-daemon
View File

@@ -1,7 +1,7 @@
abi <abi/3.0>,
include <tunables/global>
profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus>

4
profiles/apparmor.d/usr.sbin.dnsmasq
View File

@@ -115,6 +115,9 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
owner @{run}/user/*/containers/cni/dnsname/*/addnhosts r,
owner @{run}/user/*/containers/cni/dnsname/*/pidfile rw,
# waydroid lxc-net pid file
@{run}/waydroid-lxc/dnsmasq.pid rw,
profile libvirt_leaseshelper {
include <abstractions/base>
@@ -127,6 +130,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
owner @{PROC}/@{pid}/status r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/*/meminfo r,

4
profiles/apparmor.d/usr.sbin.nscd
View File

@@ -41,6 +41,10 @@ profile nscd /usr/{bin,sbin}/nscd {
@{PROC}/@{pid}/fd/* r,
@{PROC}/@{pid}/mounts r,
# systemd-userdb
/{etc,run,run/host,/usr/lib}/userdb/ r,
/{etc,run,run/host,/usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.nscd>
}

4
profiles/apparmor.d/usr.sbin.smbd
View File

@@ -49,14 +49,14 @@ profile smbd /usr/{bin,sbin}/smbd {
/usr/{bin,sbin}/smbldap-useradd Px,
/var/cache/samba/** rwk,
/var/{cache,lib}/samba/printing/printers.tdb mrw,
/var/lib/nscd/netgroup r,
/var/lib/samba/** rwk,
/var/lib/sss/pubconf/kdcinfo.* r,
@{run}/dbus/system_bus_socket rw,
@{run}/smbd.pid rwk,
@{run}/{,samba/}smbd.pid rwk,
@{run}/samba/** rk,
@{run}/samba/ncalrpc/ rw,
@{run}/samba/ncalrpc/** rw,
@{run}/samba/smbd.pid rw,
/var/spool/samba/** rw,
@{HOMEDIRS}/** lrwk,

3
profiles/apparmor/profiles/extras/bin.netstat
View File

@@ -46,4 +46,7 @@ profile netstat /{usr/,}bin/netstat {
@{PROC}/@{pid}/net/udplite r,
@{PROC}/@{pid}/net/udplit6 r,
@{PROC}/@{pid}/net/unix r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/bin.netstat>
}

3
profiles/apparmor/profiles/extras/etc.cron.daily.logrotate
View File

@@ -74,4 +74,7 @@ include <tunables/global>
/var/spool/slrnpull/ wr,
/var/spool/slrnpull/log* wrl,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/etc.cron.daily.logrotate>
}

3
profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron
View File

@@ -25,4 +25,7 @@ include <tunables/global>
/usr/bin/slocate mixr,
/usr/bin/renice mixr,
/** r ,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/etc.cron.daily.slocate.cron>
}

3
profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch
View File

@@ -22,4 +22,7 @@ include <tunables/global>
/var/cache/man*/** r,
/var/tmp r,
/var/tmp/** rwl,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/etc.cron.daily.tmpwatch>
}

3
profiles/apparmor/profiles/extras/postfix-anvil
View File

@@ -23,4 +23,7 @@ profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
/etc/postfix/main.cf r,
/{var/spool/postfix/,}private/anvil rw,
/{var/spool/postfix/,}pid/unix.anvil rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-anvil>
}

3
profiles/apparmor/profiles/extras/postfix-bounce
View File

@@ -47,4 +47,7 @@ profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
/{var/spool/postfix/,}pid/unix.bounce rwk,
/{var/spool/postfix/,}pid/unix.defer rwk,
/{var/spool/postfix/,}pid/unix.trace rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-bounce>
}

3
profiles/apparmor/profiles/extras/postfix-cleanup
View File

@@ -38,4 +38,7 @@ profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
/etc/{m,fs}tab r,
/etc/postfix/* r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-cleanup>
}

3
profiles/apparmor/profiles/extras/postfix-discard
View File

@@ -18,4 +18,7 @@ profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard {
include <abstractions/base>
/usr/lib/postfix/{bin/,sbin/,}discard mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-discard>
}

3
profiles/apparmor/profiles/extras/postfix-dnsblog
View File

@@ -19,4 +19,7 @@ profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog {
/usr/lib/postfix/{bin/,sbin/,}dnsblog mrix,
/var/spool/postfix/private/dnsblog rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-dnsblog>
}

2
profiles/apparmor/profiles/extras/postfix-error
View File

@@ -26,4 +26,6 @@ profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error {
/var/spool/postfix/pid/unix.retry rwk,
owner /var/spool/postfix/private/defer w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-error>
}

2
profiles/apparmor/profiles/extras/postfix-flush
View File

@@ -40,4 +40,6 @@ profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
@{HOME}/.forward r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-flush>
}

2
profiles/apparmor/profiles/extras/postfix-lmtp
View File

@@ -24,4 +24,6 @@ profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp {
/var/spool/postfix/active/* rwk,
/var/spool/postfix/pid/unix.lmtp rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-lmtp>
}

3
profiles/apparmor/profiles/extras/postfix-local
View File

@@ -44,4 +44,7 @@ profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
/{var/spool/postfix/,}public/{cleanup,flush} rw,
# deliver mail
/var/mail/* wk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-local>
}

3
profiles/apparmor/profiles/extras/postfix-master
View File

@@ -58,4 +58,7 @@ profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
/usr/lib/postfix/{bin/,sbin/,}trivial-rewrite Px,
owner /var/lib/postfix/master.lock rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-master>
}

3
profiles/apparmor/profiles/extras/postfix-nqmgr
View File

@@ -45,4 +45,7 @@ profile postfix-nqmgr /usr/lib/postfix/{bin/,sbin/,}nqmgr {
/{var/spool/postfix/,}private/local w,
/{var/spool/postfix/,}public/flush w,
/{var/spool/postfix/,}public/qmgr r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-nqmgr>
}

3
profiles/apparmor/profiles/extras/postfix-oqmgr
View File

@@ -20,4 +20,7 @@ profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr {
include <abstractions/postfix-common>
/usr/lib/postfix/{bin/,sbin/,}oqmgr mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-oqmgr>
}

3
profiles/apparmor/profiles/extras/postfix-pickup
View File

@@ -24,4 +24,7 @@ profile postfix-pickup /usr/lib/postfix/{bin/,sbin/,}pickup {
/{var/spool/postfix/,}public/pickup r,
/{var/spool/postfix/,}maildrop/ r,
/{var/spool/postfix/,}maildrop/* rwl,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-pickup>
}

2
profiles/apparmor/profiles/extras/postfix-pipe
View File

@@ -27,4 +27,6 @@ profile postfix-pipe /usr/lib/postfix/{bin/,sbin/,}pipe {
/var/spool/postfix/private/rewrite w,
/var/spool/postfix/private/trace w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-pipe>
}

3
profiles/apparmor/profiles/extras/postfix-postscreen
View File

@@ -16,4 +16,7 @@ profile postfix-postscreen /usr/lib/postfix/{bin/,sbin/,}postscreen {
include <abstractions/base>
/usr/lib/postfix/{bin/,sbin/,}postscreen mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-postscreen>
}

3
profiles/apparmor/profiles/extras/postfix-proxymap
View File

@@ -23,4 +23,7 @@ profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap {
/etc/my.cnf r,
/usr/lib/postfix/{bin/,sbin/,}proxymap mrix,
/{var/spool/postfix/,}private/proxymap rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-proxymap>
}

3
profiles/apparmor/profiles/extras/postfix-qmgr
View File

@@ -51,4 +51,7 @@ profile postfix-qmgr /usr/lib/postfix/{bin/,sbin/,}qmgr {
/{var/spool/postfix/,}private/smtp w,
/{var/spool/postfix/,}private/trace w,
/{var/spool/postfix/,}private/uucp w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-qmgr>
}

3
profiles/apparmor/profiles/extras/postfix-qmqpd
View File

@@ -19,4 +19,7 @@ profile postfix-qmqpd /usr/lib/postfix/{bin/,sbin/,}qmqpd {
include <abstractions/postfix-common>
/usr/lib/postfix/{bin/,sbin/,}qmqpd mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-qmqpd>
}

3
profiles/apparmor/profiles/extras/postfix-scache
View File

@@ -21,4 +21,7 @@ profile postfix-scache /usr/lib/postfix/{bin/,sbin/,}scache {
include <abstractions/postfix-common>
/usr/lib/postfix/{bin/,sbin/,}scache mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-scache>
}

3
profiles/apparmor/profiles/extras/postfix-showq
View File

@@ -48,4 +48,7 @@ profile postfix-showq /usr/lib/postfix/{bin/,sbin/,}showq {
/{var/spool/postfix/,}pid/unix.showq rwk,
owner /{var/spool/postfix,}/defer/[0-9A-F]/[0-9A-F]* r,
owner /{var/spool/postfix,}/deferred/[0-9A-F]/[0-9A-F]* r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-showq>
}

3
profiles/apparmor/profiles/extras/postfix-smtp
View File

@@ -45,4 +45,7 @@ profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
/etc/postfix/prng_exch rw,
/usr/share/ssl/certs/ca-bundle.crt r,
/etc/mtab r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-smtp>
}

3
profiles/apparmor/profiles/extras/postfix-smtpd
View File

@@ -52,4 +52,7 @@ profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
/{var/spool/postfix/,}public/cleanup rw,
/{,var/}run/sasl2/mux w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-smtpd>
}

3
profiles/apparmor/profiles/extras/postfix-spawn
View File

@@ -19,4 +19,7 @@ profile postfix-spawn /usr/lib/postfix/{bin/,sbin/,}spawn {
include <abstractions/postfix-common>
/usr/lib/postfix/{bin/,sbin/,}spawn mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-spawn>
}

4
profiles/apparmor/profiles/extras/postfix-tlsmgr
View File

@@ -17,6 +17,7 @@ include <tunables/global>
profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/postfix-common>
/usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,
@@ -28,4 +29,7 @@ profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
/{,var/}run/smtpd_tls_session_cache.db rw,
/var/lib/postfix/smtpd_scache.db rwk,
/var/lib/postfix/smtp_scache.db rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-tlsmgr>
}

3
profiles/apparmor/profiles/extras/postfix-trivial-rewrite
View File

@@ -26,4 +26,7 @@ profile postfix-trivial-rewrite /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite {
/etc/{m,fs}tab r,
/var/spool/postfix/pid/unix.rewrite rw,
/{var/spool/postfix/,}private/rewrite rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-trivial-rewrite>
}

3
profiles/apparmor/profiles/extras/postfix-verify
View File

@@ -19,4 +19,7 @@ profile postfix-verify /usr/lib/postfix/{bin/,sbin/,}verify {
include <abstractions/postfix-common>
/usr/lib/postfix/{bin/,sbin/,}verify mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-verify>
}

3
profiles/apparmor/profiles/extras/postfix-virtual
View File

@@ -23,4 +23,7 @@ profile postfix-virtual /usr/lib/postfix/{bin/,sbin/,}virtual {
/var/spool/postfix/active/* rw,
/var/spool/postfix/pid/unix.virtual rw,
/var/spool/postfix/private/bounce w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/postfix-virtual>
}

1
profiles/apparmor/profiles/extras/sbin.dhclient
View File

@@ -87,5 +87,6 @@ profile dhclient /{usr/,}sbin/dhclient {
/var/lib/dhcp/* rw,
/{,var/}run/nm-dhclient-*.conf r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.dhclient>
}

1
profiles/apparmor/profiles/extras/sbin.dhclient-script
View File

@@ -27,5 +27,6 @@ profile dhclient-script /{usr/,}sbin/dhclient-script {
/{usr/,}sbin/ip rix,
/{usr/,}sbin/resolvconf rPUx,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.dhclient-script>
}

3
profiles/apparmor/profiles/extras/sbin.dhcpcd
View File

@@ -44,4 +44,7 @@ profile dhcpcd /{usr/,}sbin/dhcpcd {
/var/lib/dhcpcd/dhcpcd-*.info rw,
/var/lib/dhcpcd/dhcpcd-*.info.old rw,
/{,var/}run/dhcpcd-*.pid rwl,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.dhcpcd>
}

3
profiles/apparmor/profiles/extras/sbin.portmap
View File

@@ -23,4 +23,7 @@ profile portmap /{usr/,}sbin/portmap {
/etc/bindresvport.blacklist r,
/{usr/,}sbin/portmap rmix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.portmap>
}

3
profiles/apparmor/profiles/extras/sbin.resmgrd
View File

@@ -31,4 +31,7 @@ profile resmgrd /{usr/,}sbin/resmgrd {
/{,var/}run/fence* lrw,
/{,var/}run/resmgr/classes/** wl,
/{run,var}/lock/LCK* lrw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.resmgrd>
}

3
profiles/apparmor/profiles/extras/sbin.rpc.lockd
View File

@@ -15,4 +15,7 @@ include <tunables/global>
profile rpc.lockd /{usr/,}sbin/rpc.lockd {
include <abstractions/base>
/{usr/,}sbin/rpc.lockd rmix,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.rpc.lockd>
}

3
profiles/apparmor/profiles/extras/sbin.rpc.statd
View File

@@ -53,4 +53,7 @@ profile rpc.statd /{usr/,}sbin/rpc.statd {
@{run}/rpc.statd.pid w,
@{run}/rpcbind.sock rw,
@{run}/sm-notify.pid w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.rpc.statd>
}

3
profiles/apparmor/profiles/extras/usr.NX.bin.nxclient
View File

@@ -36,4 +36,7 @@ include <tunables/global>
@{HOME}/.Xauthority-l rwl,
@{HOME}/.ssh/config r,
@{HOME}/.ssh/known_hosts rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.NX.bin.nxclient>
}

3
profiles/apparmor/profiles/extras/usr.bin.acroread
View File

@@ -59,4 +59,7 @@ include <tunables/global>
/usr/lib/jvm/java-*/jre/lib/fonts/** r,
/usr/lib/ooo-*/share/fonts/** r,
/usr/share/icons r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.acroread>
}

3
profiles/apparmor/profiles/extras/usr.bin.apropos
View File

@@ -25,4 +25,7 @@ include <tunables/global>
/usr/bin/tr mixr,
/var/cache/man/whatis r,
/var/cache/man/** r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.apropos>
}

3
profiles/apparmor/profiles/extras/usr.bin.dumpcap
View File

@@ -38,4 +38,7 @@ include <tunables/global>
owner /tmp/*pcap{,ng} rw,
owner @{HOME}/**pcap{,ng} rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.dumpcap>
}

3
profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
View File

@@ -155,4 +155,7 @@ include <tunables/global>
/usr/X11R6/lib/Acrobat7/Resource/Font r,
/usr/X11R6/lib/Acrobat7/Resource/Font/** r,
/var/tmp r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.evolution-2.10>
}

3
profiles/apparmor/profiles/extras/usr.bin.fam
View File

@@ -21,4 +21,7 @@ include <tunables/global>
# it makes some level of sense for FAM to read all files on the
# filesystem, even if this is a little unfortunate.
/** r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.fam>
}

1
profiles/apparmor/profiles/extras/usr.bin.freshclam
View File

@@ -28,5 +28,6 @@ include <tunables/global>
/var/lib/clamav/** rw,
owner /run/clamav/freshclam.pid w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.freshclam>
}

3
profiles/apparmor/profiles/extras/usr.bin.gaim
View File

@@ -66,4 +66,7 @@ include <tunables/global>
/usr/share/icons r,
/usr/share/tcl/tcl*/encoding/* r,
/{,var/}run/.resmgr_socket w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.gaim>
}

2
profiles/apparmor/profiles/extras/usr.bin.man
View File

@@ -26,4 +26,6 @@ include <tunables/global>
/usr/bin/man r,
/usr/lib/man-db/man Px,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.man>
}

3
profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce
View File

@@ -39,4 +39,7 @@ include <tunables/global>
/usr/share/mlmmj/text.skel/*/* r,
/var/spool/mlmmj/*/control/* r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.mlmmj-bounce>
}

2
profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd
View File

@@ -51,4 +51,6 @@ include <tunables/global>
/usr/share/mlmmj/text.skel/*/digest r,
/var/spool/mlmmj/*/mlmmj.operation.log rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.mlmmj-maintd>
}

3
profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh
View File

@@ -43,4 +43,7 @@ include <tunables/global>
/var/spool r,
/var/spool/mlmmj rw,
/var/spool/mlmmj/** w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.mlmmj-make-ml.sh>
}

2
profiles/apparmor/profiles/extras/usr.bin.mlmmj-process
View File

@@ -45,4 +45,6 @@ include <tunables/global>
/var/spool/mlmmj/*/moderation/* rw,
/etc/mlmmj/text/*/* r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.mlmmj-process>
}

3
profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive
View File

@@ -21,4 +21,7 @@ include <tunables/global>
/usr/bin/mlmmj-receive mr,
/var/spool/mlmmj/*/incoming/ rw,
/var/spool/mlmmj/*/incoming/* rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.mlmmj-receive>
}

3
profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve
View File

@@ -23,4 +23,7 @@ include <tunables/global>
/usr/bin/mlmmj-process Px,
/usr/bin/mlmmj-recieve mr,
/var/spool/mlmmj/*/incoming/* w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.mlmmj-recieve>
}

2
profiles/apparmor/profiles/extras/usr.bin.mlmmj-send
View File

@@ -31,4 +31,6 @@ include <tunables/global>
/var/spool/mlmmj/*/moderation/* rwk,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.mlmmj-send>
}

Some files were not shown because too many files have changed in this diff Show More