intrigeri has proposed merging lp:~intrigeri/apparmor/profile-backports-for-2.8
into lp:apparmor/2.8.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~intrigeri/apparmor/profile-backports-for-2.8/+merge/234547
I've looked at the abstractions log between 2.8 and master, and cherry-picked
the revisions that seemed relevant and low-risk enough. I'd like to nominate
these revisions for 2.8.4. I've not tested the result yet, and cannot easily
test all of these changes. If this is too much, I can prepare a subset of these
changes and test it.
--
https://code.launchpad.net/~intrigeri/apparmor/profile-backports-for-2.8/+merge/234547
Your team AppArmor Developers is requested to review the proposed merge of
lp:~intrigeri/apparmor/profile-backports-for-2.8 into lp:apparmor/2.8.
=== modified file 'profiles/apparmor.d/abstractions/audio'
--- profiles/apparmor.d/abstractions/audio 2013-04-09 13:17:39 +0000
+++ profiles/apparmor.d/abstractions/audio 2014-09-12 20:36:06 +0000
@@ -68,3 +68,6 @@
# openal
/etc/openal/alsoft.conf r,
owner @{HOME}/.alsoftrc r,
+
+# wildmidi
+/etc/wildmidi/wildmidi.cfg r,
=== modified file 'profiles/apparmor.d/abstractions/freedesktop.org'
--- profiles/apparmor.d/abstractions/freedesktop.org 2011-01-13 17:13:34 +0000
+++ profiles/apparmor.d/abstractions/freedesktop.org 2014-09-12 20:36:06 +0000
@@ -30,6 +30,7 @@
owner @{HOME}/.recently-used.xbel* rw,
owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.config/user-dirs.dirs r,
+ owner @{HOME}/.local/share/applications/ r,
owner @{HOME}/.local/share/applications/*.desktop r,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
=== modified file 'profiles/apparmor.d/abstractions/gnome'
--- profiles/apparmor.d/abstractions/gnome 2013-05-30 21:46:31 +0000
+++ profiles/apparmor.d/abstractions/gnome 2014-09-12 20:36:06 +0000
@@ -21,6 +21,7 @@
/etc/gtk/* r,
/usr/lib{,32,64}/gtk/** mr,
/usr/lib/@{multiarch}/gtk/** mr,
+ /usr/share/themes/ r,
/usr/share/themes/** r,
# for gnome 1 applications
@@ -82,4 +83,5 @@
# mime-types
/etc/gnome/defaults.list r,
+ /usr/share/gnome/applications/ r,
/usr/share/gnome/applications/mimeinfo.cache r,
=== modified file 'profiles/apparmor.d/abstractions/kde'
--- profiles/apparmor.d/abstractions/kde 2012-01-19 14:20:28 +0000
+++ profiles/apparmor.d/abstractions/kde 2014-09-12 20:36:06 +0000
@@ -22,6 +22,7 @@
/etc/kderc r,
/etc/kde3/* r,
/etc/kde4rc r,
+/etc/xdg/Trolltech.conf r,
@{HOME}/.DCOPserver_* r,
@{HOME}/.ICEauthority r,
=== modified file 'profiles/apparmor.d/abstractions/mysql'
--- profiles/apparmor.d/abstractions/mysql 2013-01-13 13:41:56 +0000
+++ profiles/apparmor.d/abstractions/mysql 2014-09-12 20:36:06 +0000
@@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
- /var/lib/mysql/mysql.sock rw,
- /{var/,}run/mysql/mysql.sock rw,
+ /var/lib/mysql{,d}/mysql{,d}.sock rw,
+ /{var/,}run/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
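Review bot: The two independent `{,d}` alternations on the socket rules admit four names per directory prefix, including the mixed forms `mysql/mysqld.sock` and `mysqld/mysql.sock`, and nothing in the hunk says which layouts are actually in use. If only the matched pairs exist, `/var/lib/{mysql/mysql,mysqld/mysqld}.sock rw,` (and the same shape for the `/{var/,}run/` rule) grants exactly those. Either way, a one-line comment naming which distribution uses the `mysqld` path would tell the next reader why the rule was widened.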
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2014-07-09 08:18:54 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2014-09-12 20:36:06 +0000
@@ -21,6 +21,11 @@
/etc/passwd r,
/etc/protocols r,
+ # When using libnss-extrausers, the passwd and group files are merged from
+ # an alternate path
+ /var/lib/extrausers/group r,
+ /var/lib/extrausers/passwd r,
+
/etc/resolv.conf r,
# on systems using resolvconf, /etc/resolv.conf is a symlink to
# /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
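Review bot: The new comment explains the extrausers passwd and group files but not why the list stops there. libnss-extrausers also keeps a `shadow` file in the same directory, and a later maintainer could mistake its absence for an oversight. I would extend the comment with `# /var/lib/extrausers/shadow is deliberately not granted here`, assuming that exclusion is intended. The visible context grants `/etc/passwd` but no shadow file, which suggests it is.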
@@ -50,7 +55,7 @@
/etc/default/nss r,
# avahi-daemon is used for mdns4 resolution
- /{,var/}run/avahi-daemon/socket w,
+ /{,var/}run/avahi-daemon/socket rw,
# nis
#include <abstractions/nis>
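Review bot: Widening the avahi-daemon socket rule from `w` to `rw` changes the permission for every profile that includes the nameservice abstraction, and the hunk gives no reason for it. If the reason is that connecting to the socket is mediated as needing both read and write, say so next to the rule, for example `# connecting to the avahi-daemon socket requires rw`. Without that, the extra read bit looks like an unexplained loosening in a stable-branch backport.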
=== modified file 'profiles/apparmor.d/abstractions/openssl'
--- profiles/apparmor.d/abstractions/openssl 2011-08-08 20:22:03 +0000
+++ profiles/apparmor.d/abstractions/openssl 2014-09-12 20:36:06 +0000
@@ -10,4 +10,5 @@
/etc/ssl/openssl.cnf r,
/usr/share/ssl/openssl.cnf r,
+ @{PROC}/sys/crypto/fips_enabled r,
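Review bot: The added rule is the only one on this page that depends on the `@{PROC}` variable, so it is worth confirming that the 2.8 tunables define it for every profile that pulls in the openssl abstraction. An undefined variable would make those profiles fail to load rather than merely deny the read. A short comment such as `# libcrypto checks whether the kernel is in FIPS mode` would also document why a crypto abstraction reads from /proc.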
=== modified file 'profiles/apparmor.d/abstractions/perl'
--- profiles/apparmor.d/abstractions/perl 2010-12-20 20:29:10 +0000
+++ profiles/apparmor.d/abstractions/perl 2014-09-12 20:36:06 +0000
@@ -13,8 +13,10 @@
/usr/bin/perl rmix,
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
- /usr/lib{,32,64}/perl5/** r,
- /usr/lib{,32,64}/perl{,5}/**.so* mr,
+ /usr/lib{,32,64}/perl5/** r,
+ /usr/lib{,32,64}/perl{,5}/**.so* mr,
+ /usr/lib/@{multiarch}/perl{,5}/** r,
+ /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
/usr/share/perl/** r,
/usr/share/perl5/** r,
=== modified file 'profiles/apparmor.d/abstractions/python'
--- profiles/apparmor.d/abstractions/python 2012-01-06 16:38:06 +0000
+++ profiles/apparmor.d/abstractions/python 2014-09-12 20:36:06 +0000
@@ -10,28 +10,28 @@
#
# ------------------------------------------------------------------
- /usr/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
- /usr/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
- /usr/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mr,
+ /usr/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth} r,
+ /usr/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
- /usr/local/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
- /usr/local/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
- /usr/local/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mr,
+ /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth} r,
+ /usr/local/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
# Site-wide configuration
- /etc/python2.[4567]/** r,
+ /etc/python{2,3}.[34567]/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
/{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
/usr/lib/{pyshared,pycentral,python-support}/**.so mr,
/var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
+ /usr/lib/python3/dist-packages/**.so mr,
# wx paths
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
/usr/include/python{2,3}.[0-7]*/pyconfig.h r,
-
- # python setup script used by apport
- /etc/python{2,3}.[0-7]*/sitecustomize.py r,
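Review bot: The version classes in this hunk do not agree with each other, and the removal at the end drops access that the new rules do not restore. The main rules use `python{2,3}.[34567]`, which excludes python3.2, while the new lib-dynload rules use `python3.[234]`. So a 3.2 interpreter may map its lib-dynload modules but cannot read its own `.py` files. For 3.3 and 3.4 the lib-dynload rule is already covered by `**.{pyc,so} mr`. The deleted `/etc/python{2,3}.[0-7]*/sitecustomize.py r,` matched minor versions 0 through 7, but its replacement `/etc/python{2,3}.[34567]/** r` starts at 3, so python3.0 to 3.2 lose that read. I would either keep the sitecustomize rule or use one class throughout, for example `[234567]` in the main rules if 3.2 is still meant to be supported on this branch.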
=== modified file 'utils/logprof.conf'
--- utils/logprof.conf 2011-08-18 23:17:22 +0000
+++ utils/logprof.conf 2014-09-12 20:36:06 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2004-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -105,6 +106,7 @@
# if they use any perl modules, grant access to all
^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
+ ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
# locale foo
^/usr/lib/locale/.+$ = /usr/lib/locale/**
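Review bot: The new pattern `^/usr/lib/[^\/]+/perl5?/.+$` matches any single directory under /usr/lib, not only a multiarch triplet, yet the suggested glob is `/usr/lib/@{multiarch}/perl{,5}/**`. A logged path such as `/usr/lib/<some-package>/perl/...` would be offered a rule that does not cover it, so the denial would persist after the user accepts the suggestion. Tightening the first component to something triplet-shaped would keep pattern and glob in step, for example `^/usr/lib/[^\/]+-linux-gnu[^\/]*/perl5?/.+$`, if that covers the triplets this branch targets.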
=== modified file 'utils/severity.db'
--- utils/severity.db 2014-07-22 05:56:11 +0000
+++ utils/severity.db 2014-09-12 20:36:06 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -231,6 +232,8 @@
/usr/lib/lib*so* 3 8 4
/usr/lib/iptables/* 2 8 2
/usr/lib/perl5/** 4 10 6
+/usr/lib/*/perl/** 4 10 6
+/usr/lib/*/perl5/** 4 10 6
/usr/lib/gconv/* 4 7 4
/usr/lib/locale/** 4 8 0
/usr/lib/jvm/** 5 7 5