On 09/18/2015 12:54 PM, Christian Boltz wrote:
> Hello,
>
> oftc_ftw reported on IRC that Arch Linux has a symlink /bin -> /usr/bin.
> This means we have to update paths for /bin/ in several profiles to also
> allow /usr/bin/
>
> I propose this patch for trunk and 2.9.
>
>

So for these types of things I prefer a var to the use of alias. I really don't like how alias hides things. It has its place but I think of it more as a site specific solution than something that should be shipped in policy.
While I would like to see this little regex moved to a var, I think this is fine the way it is and can go in now Acked-by: John Johansen <[email protected]> > [ profiles-usrmove-bin.diff ] > > === modified file > ./profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common > --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common > 2013-07-05 20:40:57.568842000 +0200 > +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common > 2015-09-18 21:44:06.939854258 +0200 > @@ -5,10 +5,10 @@ > # > @{PROC}/@{pid}/fd/ r, > /usr/lib/** rm, > - /bin/bash ixr, > - /bin/dash ixr, > - /bin/grep ixr, > - /bin/sed ixr, > + /{,usr/}bin/bash ixr, > + /{,usr/}bin/dash ixr, > + /{,usr/}bin/grep ixr, > + /{,usr/}bin/sed ixr, > /usr/bin/m4 ixr, > > # Since all the ubuntu-browsers.d abstractions need this, just include it > === modified file ./profiles/apparmor.d/apache2.d/phpsysinfo > --- profiles/apparmor.d/apache2.d/phpsysinfo 2014-10-15 20:19:34.705810000 > +0200 > +++ profiles/apparmor.d/apache2.d/phpsysinfo 2015-09-18 21:41:48.387810179 > +0200 > @@ -8,10 +8,10 @@ > #include <abstractions/php5> > #include <abstractions/python> > > - /bin/dash ixr, > - /bin/df ixr, > - /bin/mount ixr, > - /bin/uname ixr, > + /{,usr/}bin/dash ixr, > + /{,usr/}bin/df ixr, > + /{,usr/}bin/mount ixr, > + /{,usr/}bin/uname ixr, > /dev/bus/usb/ r, > /dev/bus/usb/** r, > /etc/debian_version r, > === modified file ./profiles/apparmor.d/bin.ping > --- profiles/apparmor.d/bin.ping 2013-07-05 20:40:57.568842000 +0200 > +++ profiles/apparmor.d/bin.ping 2015-09-18 21:42:14.850290670 +0200 
> @@ -19,7 +19,7 @@ > capability setuid, > network inet raw, > > - /bin/ping mixr, > + /{,usr/}bin/ping mixr, > /etc/modules.conf r, > > # Site-specific additions and overrides. See local/README for details. > === modified file ./profiles/apparmor.d/usr.sbin.dnsmasq > --- profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-18 19:19:23.099960000 > +0200 > +++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-18 21:41:04.976302904 > +0200 > @@ -47,7 +47,7 @@ > > /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage > > - /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument > + /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument > > # access to iface mtu needed for Router Advertisement messages in IPv6 > # Neighbor Discovery protocol (RFC 2461) > === modified file ./profiles/apparmor.d/usr.sbin.smbldap-useradd > --- profiles/apparmor.d/usr.sbin.smbldap-useradd 2013-07-05 > 20:40:57.568842000 +0200 > +++ profiles/apparmor.d/usr.sbin.smbldap-useradd 2015-09-18 > 21:42:52.370136220 +0200 > @@ -8,7 +8,7 @@ > #include <abstractions/perl> > > /dev/tty rw, > - /bin/bash ix, > + /{,usr/}bin/bash ix, > /etc/init.d/nscd Cx, > /etc/shadow r, > /etc/smbldap-tools/smbldap.conf r, > @@ -26,9 +26,9 @@ > > capability sys_ptrace, > > - /bin/bash r, > - /bin/mountpoint rix, > - /bin/systemctl rix, > + /{,usr/}bin/bash r, > + /{,usr/}bin/mountpoint rix, > + /{,usr/}bin/systemctl rix, > /dev/tty rw, > /etc/init.d/nscd r, > /etc/rc.status r, > > > Regards, > > Christian Boltz > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
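Review bot: In the plugins-common hunk the alternation `/{,usr/}bin/` is spelled out on four consecutive rules (bash, dash, grep, sed), and the same literal is repeated in every other file this patch touches. Defining it once as a tunable variable and using that variable in each rule would keep the merged-/usr handling in one place and make it visible in the rule itself. Nothing in this diff defines such a variable, so its name is for the maintainers to choose.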
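Review bot: The four rules in the phpsysinfo hunk keep `ixr` while gaining the `/{,usr/}bin/` prefix, so the change is not limited to systems where /bin is a symlink. On a system where /bin and /usr/bin are separate directories, the profile now also permits inherit-execution of /usr/bin/dash, /usr/bin/df, /usr/bin/mount and /usr/bin/uname if those files exist. The patch description mentions only Arch Linux; it should state that the rules are widened for every distribution that ships these profiles.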
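Review bot: The bin.ping hunk starts at line 19 and changes only the `/bin/ping mixr,` rule; the profile's attachment line is above the hunk and is not touched anywhere in this diff. With /bin a symlink to /usr/bin, the binary is seen as /usr/bin/ping, so please confirm that the attachment already matches that path. If it does not, the profile is never applied on such a system and the changed rule has no effect there.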
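To see concretely which paths the `/{,usr/}bin/` rules in the patch cover, this added example (not part of the original thread and not AppArmor's own tooling) expands the brace alternations in a rule path and lists what a changed rule newly allows. The names `expand`, `newly_allowed` and `CHANGES` are made up for this illustration; `@{...}` variables are deliberately left unexpanded.

```python
import re

def expand(pattern):
    """Return the literal paths covered by the {a,b} alternations in pattern.

    Nested groups and empty alternatives are handled. @{VAR} references and
    other glob characters (*, ?, []) are left as written.
    """
    m = re.search(r"(?<!@)\{", pattern)
    if m is None:
        return [pattern]
    start, depth, last, parts = m.start(), 0, m.start() + 1, []
    for i in range(start, len(pattern)):
        ch = pattern[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:              # matching close of the outer group
                parts.append(pattern[last:i])
                break
        elif ch == "," and depth == 1:  # split on top-level commas only
            parts.append(pattern[last:i])
            last = i + 1
    else:
        raise ValueError("unbalanced '{' in %r" % pattern)
    head, tail = pattern[:start], pattern[i + 1:]
    out = []
    for alt in parts:
        for path in expand(head + alt + tail):
            if path not in out:
                out.append(path)
    return out

def newly_allowed(old, new):
    """Paths matched by the new rule path but not by the old one."""
    before = set(expand(old))
    return [p for p in expand(new) if p not in before]

# Rule paths taken from the patch above: (before, after).
CHANGES = [
    ("/bin/ping", "/{,usr/}bin/ping"),
    ("/bin/{ba,da,}sh", "/{,usr/}bin/{ba,da,}sh"),
]

if __name__ == "__main__":
    for old, new in CHANGES:
        print(new, "->", expand(new), "added:", newly_allowed(old, new))
```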
