intrigeri has proposed merging lp:~intrigeri/apparmor/usrmerge into lp:apparmor.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~intrigeri/apparmor/usrmerge/+merge/312409
FWIW, the resulting policy still compiles (using apparmor_parser --add
--abort-on-error --skip-cache --skip-kernel-load -I apparmor/profiles/extras -I
apparmor.d). I didn't try loading it into the kernel though. If that's not
enough testing in your opinion, please let me know.
=== modified file 'profiles/apparmor.d/abstractions/authentication'
--- profiles/apparmor.d/abstractions/authentication 2012-01-06 17:46:52 +0000
+++ profiles/apparmor.d/abstractions/authentication 2016-12-03 10:03:35 +0000
@@ -22,12 +22,12 @@
/etc/gshadow r,
/etc/pwdb.conf r,
- /lib{,32,64}/security/pam_filter/* mr,
- /lib{,32,64}/security/pam_*.so mr,
- /lib{,32,64}/security/ r,
- /lib/@{multiarch}/security/pam_filter/* mr,
- /lib/@{multiarch}/security/pam_*.so mr,
- /lib/@{multiarch}/security/ r,
+ /{usr/,}lib{,32,64}/security/pam_filter/* mr,
+ /{usr/,}lib{,32,64}/security/pam_*.so mr,
+ /{usr/,}lib{,32,64}/security/ r,
+ /{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
+ /{usr/,}lib/@{multiarch}/security/pam_*.so mr,
+ /{usr/,}lib/@{multiarch}/security/ r,
# kerberos
#include <abstractions/kerberosclient>
=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base 2016-07-29 18:44:17 +0000
+++ profiles/apparmor.d/abstractions/base 2016-12-03 10:03:35 +0000
@@ -48,28 +48,22 @@
# available everywhere
/etc/ld.so.cache mr,
/etc/ld.so.preload r,
- /lib{,32,64}/ld{,32,64}-*.so mrix,
- /lib{,32,64}/**/ld{,32,64}-*.so mrix,
- /lib/@{multiarch}/ld{,32,64}-*.so mrix,
- /lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
- /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
+ /{usr/,}lib{,32,64}/ld{,32,64}-*.so mrix,
+ /{usr/,}lib{,32,64}/**/ld{,32,64}-*.so mrix,
+ /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mrix,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries
- /lib{,32,64}/** r,
- /lib{,32,64}/lib*.so* mr,
- /lib{,32,64}/**/lib*.so* mr,
- /lib/@{multiarch}/** r,
- /lib/@{multiarch}/lib*.so* mr,
- /lib/@{multiarch}/**/lib*.so* mr,
- /usr/lib{,32,64}/** r,
- /usr/lib{,32,64}/*.so* mr,
- /usr/lib{,32,64}/**/lib*.so* mr,
- /usr/lib/@{multiarch}/** r,
- /usr/lib/@{multiarch}/lib*.so* mr,
- /usr/lib/@{multiarch}/**/lib*.so* mr,
- /lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
- /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,
+ /{usr/,}lib{,32,64}/** r,
+ /{usr/,}lib{,32,64}/lib*.so* mr,
+ /{usr/,}lib{,32,64}/**/lib*.so* mr,
+ /{usr/,}lib/@{multiarch}/** r,
+ /{usr/,}lib/@{multiarch}/lib*.so* mr,
+ /{usr/,}lib/@{multiarch}/**/lib*.so* mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,
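Review bot: The merged rule `+ /{usr/,}lib{,32,64}/lib*.so* mr,` drops mmap-exec permission for shared objects directly under /usr/lib that do not carry the `lib` prefix: the removed `- /usr/lib{,32,64}/*.so* mr,` matched any `*.so*` in /usr/lib, /usr/lib32 and /usr/lib64, whereas the replacement matches only `lib*.so*` there, and the `**/lib*.so*` variant needs at least one subdirectory. Read access survives through `/{usr/,}lib{,32,64}/** r,`, so a program that maps such a file executable would now be denied `m` instead of being allowed; whether anything shipped relies on that is not visible from this diff. If the tightening is unintended, keep the old scope with `/{usr/,}lib{,32,64}/*.so* mr,` (or restore the removed /usr/lib line); if it is intended, a sentence in the merge description would save the next reader the comparison. The base abstraction continues outside the hunk.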
# /dev/null is pretty harmless and frequently used
/dev/null rw,
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2016-11-18 19:17:43 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2016-12-03 10:03:35 +0000
@@ -53,10 +53,8 @@
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
- /lib{,32,64}/libnss_*.so* mr,
- /usr/lib{,32,64}/libnss_*.so* mr,
- /lib/@{multiarch}/libnss_*.so* mr,
- /usr/lib/@{multiarch}/libnss_*.so* mr,
+ /{usr/,}lib{,32,64}/libnss_*.so* mr,
+ /{usr/,}lib/@{multiarch}/libnss_*.so* mr,
/etc/default/nss r,
# avahi-daemon is used for mdns4 resolution
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers'
--- profiles/apparmor.d/abstractions/ubuntu-helpers 2015-04-10 16:14:48 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-helpers 2016-12-03 10:03:35 +0000
@@ -46,11 +46,9 @@
# Allow exec of anything, but under this profile. Allow transition
# to other profiles if they exist.
- /bin/* Pixr,
- /sbin/* Pixr,
- /usr/bin/* Pixr,
+ /{usr/,}bin/* Pixr,
+ /{usr/,}sbin/* Pixr,
/usr/local/bin/* Pixr,
- /usr/sbin/* Pixr,
# Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
/usr/{,local/}lib*/{,**/}* Pixr,
=== modified file 'profiles/apparmor.d/bin.ping'
--- profiles/apparmor.d/bin.ping 2016-05-18 19:18:10 +0000
+++ profiles/apparmor.d/bin.ping 2016-12-03 10:03:35 +0000
@@ -10,7 +10,7 @@
# ------------------------------------------------------------------
#include <tunables/global>
-/{usr/,}bin/ping {
+profile ping /{usr/,}bin/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
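Review bot: Introducing `+profile ping /{usr/,}bin/ping {` changes the profile's identity from its attachment path to the name `ping`, which is what audit messages and tools such as aa-status report, and any rule or tooling that referred to the profile by its old path-shaped name would no longer find it (none is visible in this diff). The merge description only talks about the /usr merge, so a note that these profiles are now explicitly named would help reviewers and packagers judge the change. The same applies to the netstat, dhclient, dhclient-script, dhcpcd, portmap, resmgrd, rpc.lockd and rpc.statd hunks. The profile body continues outside the hunk.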
=== modified file 'profiles/apparmor/profiles/extras/bin.netstat'
--- profiles/apparmor/profiles/extras/bin.netstat 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/bin.netstat 2016-12-03 10:03:35 +0000
@@ -14,7 +14,7 @@
#include <tunables/global>
-/bin/netstat {
+profile netstat /{usr/,}bin/netstat {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
@@ -23,7 +23,7 @@
capability dac_read_search,
deny capability sys_ptrace,
- /bin/netstat rmix,
+ /{usr/,}bin/netstat rmix,
/etc/networks r,
@{PROC} r,
@{PROC}/@{pids}/cmdline r,
=== modified file 'profiles/apparmor/profiles/extras/etc.cron.daily.logrotate'
--- profiles/apparmor/profiles/extras/etc.cron.daily.logrotate 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/etc.cron.daily.logrotate 2016-12-03 10:03:35 +0000
@@ -16,12 +16,12 @@
#include <abstractions/bash>
#include <abstractions/nameservice>
- /bin/bash mixr,
- /bin/cat mixr,
- /bin/gzip mixr,
- /bin/kill mixr,
- /bin/logger mixr,
- /bin/true mixr,
+ /{usr/,}bin/bash mixr,
+ /{usr/,}bin/cat mixr,
+ /{usr/,}bin/gzip mixr,
+ /{usr/,}bin/kill mixr,
+ /{usr/,}bin/logger mixr,
+ /{usr/,}bin/true mixr,
/etc/init.d/* mixr,
/usr/bin/killall mixr,
/usr/sbin/logrotate mixr,
=== modified file 'profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron'
--- profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron 2016-12-03 10:03:35 +0000
@@ -16,7 +16,7 @@
/etc/cron.daily/slocate.cron {
#include <abstractions/base>
- /bin/bash mixr,
+ /{usr/,}bin/bash mixr,
/dev/tty wr ,
/etc/cron.daily/slocate.cron r ,
/etc/mtab r ,
=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient'
--- profiles/apparmor/profiles/extras/sbin.dhclient 2015-09-08 22:00:23 +0000
+++ profiles/apparmor/profiles/extras/sbin.dhclient 2016-12-03 10:03:35 +0000
@@ -21,7 +21,7 @@
#include <tunables/global>
-/sbin/dhclient {
+profile dhclient /{usr/,}sbin/dhclient {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
@@ -31,12 +31,12 @@
network packet packet,
network packet raw,
- /sbin/dhclient mrix,
+ /{usr/,}sbin/dhclient mrix,
- /bin/bash mrix,
- /bin/df mrix,
- /bin/netstat Px,
- /bin/ps mrix,
+ /{usr/,}bin/bash mrix,
+ /{usr/,}bin/df mrix,
+ /{usr/,}bin/netstat Px,
+ /{usr/,}bin/ps mrix,
/dev/random r,
/etc/dhclient.conf r,
@{PROC}/ r,
@@ -45,7 +45,7 @@
@{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
@{PROC}/self/status r,
- /sbin/arp mrix,
+ /{usr/,}sbin/arp mrix,
/usr/bin/dig mrix,
/usr/bin/uptime mrix,
/usr/bin/vmstat mrix,
@@ -65,14 +65,14 @@
/var/spool/mail r,
# This one will need to be fleshed out depending on what the user is doing
- /sbin/dhclient-script mrpix,
+ /{usr/,}sbin/dhclient-script mrpix,
- /bin/grep mrix,
- /bin/sleep mrix,
+ /{usr/,}bin/grep mrix,
+ /{usr/,}bin/sleep mrix,
/etc/sysconfig/network/dhcp r,
/etc/sysconfig/network/scripts/functions.common r,
/etc/sysconfig/network/scripts/functions r,
- /sbin/ip mrix,
+ /{usr/,}sbin/ip mrix,
/usr/lib/NetworkManager/nm-dhcp-client.action mrix,
/var/lib/dhcp/* rw,
/{,var/}run/nm-dhclient-*.conf r,
=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient-script'
--- profiles/apparmor/profiles/extras/sbin.dhclient-script 2011-08-08 20:54:23 +0000
+++ profiles/apparmor/profiles/extras/sbin.dhclient-script 2016-12-03 10:03:35 +0000
@@ -4,18 +4,18 @@
# dhclient-script will call plugins from /etc/netconfig.d, so this
# will need to be extended on a per-site basis.
-/sbin/dhclient-script {
+profile dhclient-script /{usr/,}sbin/dhclient-script {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
- /bin/bash rix,
- /bin/grep rix,
- /bin/sleep rix,
- /bin/touch rix,
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/sleep rix,
+ /{usr/,}bin/touch rix,
/dev/.sysconfig/network/** r,
/etc/netconfig.d/* mrix,
/etc/sysconfig/network/** r,
- /sbin/dhclient-script r,
- /sbin/ip rix,
+ /{usr/,}sbin/dhclient-script r,
+ /{usr/,}sbin/ip rix,
}
=== modified file 'profiles/apparmor/profiles/extras/sbin.dhcpcd'
--- profiles/apparmor/profiles/extras/sbin.dhcpcd 2011-07-14 12:57:57 +0000
+++ profiles/apparmor/profiles/extras/sbin.dhcpcd 2016-12-03 10:03:35 +0000
@@ -18,7 +18,7 @@
#include <tunables/global>
-/sbin/dhcpcd {
+profile dhcpcd /{usr/,}sbin/dhcpcd {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -26,8 +26,8 @@
capability net_admin,
capability sys_admin,
- /bin/bash rmix,
- /bin/touch rmix,
+ /{usr/,}bin/bash rmix,
+ /{usr/,}bin/touch rmix,
/dev/tty rw,
/etc/dhcpc/* rwl,
/etc/init.d/syslog Ux, # fixme
@@ -35,9 +35,9 @@
/etc/ntp.conf{,.sv} rwl,
/etc/sysconfig/network/scripts/dhcpcd-hook rmix,
/etc/yp.conf{,.sv} rwl,
- /sbin/dhcpcd rmix,
- /sbin/ifup Ux, # fixme
- /sbin/modify_resolvconf rmix,
+ /{usr/,}sbin/dhcpcd rmix,
+ /{usr/,}sbin/ifup Ux, # fixme
+ /{usr/,}sbin/modify_resolvconf rmix,
/var/lib/dhcpcd/dhcpcd-*.cache rw,
/var/lib/dhcpcd/dhcpcd-*.info rw,
/var/lib/dhcpcd/dhcpcd-*.info.old rw,
=== modified file 'profiles/apparmor/profiles/extras/sbin.portmap'
--- profiles/apparmor/profiles/extras/sbin.portmap 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/sbin.portmap 2016-12-03 10:03:35 +0000
@@ -10,7 +10,7 @@
#include <tunables/global>
-/sbin/portmap {
+profile portmap /{usr/,}sbin/portmap {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -21,5 +21,5 @@
/etc/bindresvport.blacklist r,
/etc/hosts.allow r,
/etc/hosts.deny r,
- /sbin/portmap rmix,
+ /{usr/,}sbin/portmap rmix,
}
=== modified file 'profiles/apparmor/profiles/extras/sbin.resmgrd'
--- profiles/apparmor/profiles/extras/sbin.resmgrd 2011-07-14 13:09:19 +0000
+++ profiles/apparmor/profiles/extras/sbin.resmgrd 2016-12-03 10:03:35 +0000
@@ -12,7 +12,7 @@
#include <tunables/global>
-/sbin/resmgrd {
+profile resmgrd /{usr/,}sbin/resmgrd {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -23,7 +23,7 @@
/etc/resmgr.conf r,
/etc/resmgr.conf.d/ r,
/etc/resmgr.conf.d/*.conf r,
- /sbin/resmgrd r,
+ /{usr/,}sbin/resmgrd r,
/{,var/}run/.resmgr_socket lrw,
/{,var/}run/resmgr.pid lrw,
/{,var/}run/fence* lrw,
=== modified file 'profiles/apparmor/profiles/extras/sbin.rpc.lockd'
--- profiles/apparmor/profiles/extras/sbin.rpc.lockd 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/sbin.rpc.lockd 2016-12-03 10:03:35 +0000
@@ -10,7 +10,7 @@
#include <tunables/global>
-/sbin/rpc.lockd {
+profile rpc.lockd /{usr/,}sbin/rpc.lockd {
#include <abstractions/base>
- /sbin/rpc.lockd rmix,
+ /{usr/,}sbin/rpc.lockd rmix,
}
=== modified file 'profiles/apparmor/profiles/extras/sbin.rpc.statd'
--- profiles/apparmor/profiles/extras/sbin.rpc.statd 2011-07-14 12:57:57 +0000
+++ profiles/apparmor/profiles/extras/sbin.rpc.statd 2016-12-03 10:03:35 +0000
@@ -10,11 +10,11 @@
#include <tunables/global>
-/sbin/rpc.statd {
+profile rpc.statd /{usr/,}sbin/rpc.statd {
#include <abstractions/base>
#include <abstractions/nameservice>
/etc/rpc r,
- /sbin/rpc.statd rmix,
+ /{usr/,}sbin/rpc.statd rmix,
/sm rw,
/sm.bak rw,
/state rw,
=== modified file 'profiles/apparmor/profiles/extras/usr.NX.bin.nxclient'
--- profiles/apparmor/profiles/extras/usr.NX.bin.nxclient 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.NX.bin.nxclient 2016-12-03 10:03:35 +0000
@@ -19,7 +19,7 @@
#include <abstractions/kde>
#include <abstractions/X>
- /bin/bash mix,
+ /{usr/,}bin/bash mix,
/usr/bin/cut mix,
/usr/NX/bin/nxclient rmix,
/usr/NX/bin/nxssh mix,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.acroread'
--- profiles/apparmor/profiles/extras/usr.bin.acroread 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.acroread 2016-12-03 10:03:35 +0000
@@ -24,11 +24,11 @@
capability dac_override,
- /bin/basename mixr,
- /bin/bash mix,
- /bin/cat mixr,
- /bin/grep mixr,
- /bin/uname mixr,
+ /{usr/,}bin/basename mixr,
+ /{usr/,}bin/bash mix,
+ /{usr/,}bin/cat mixr,
+ /{usr/,}bin/grep mixr,
+ /{usr/,}bin/uname mixr,
/etc/** r,
@{HOME}/.adobe/** rw,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.apropos'
--- profiles/apparmor/profiles/extras/usr.bin.apropos 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.apropos 2016-12-03 10:03:35 +0000
@@ -14,9 +14,9 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
- /bin/basename mixr,
- /bin/bash mixr,
- /bin/grep mixr,
+ /{usr/,}bin/basename mixr,
+ /{usr/,}bin/bash mixr,
+ /{usr/,}bin/grep mixr,
/etc/manpath.config r,
/usr/bin/apropos rmix,
/usr/bin/man Px,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.evolution-2.10'
--- profiles/apparmor/profiles/extras/usr.bin.evolution-2.10 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.evolution-2.10 2016-12-03 10:03:35 +0000
@@ -55,10 +55,10 @@
capability ipc_lock,
capability setuid,
- /bin/basename mixr,
- /bin/bash mix,
- /bin/grep mixr,
- /bin/netstat mixr,
+ /{usr/,}bin/basename mixr,
+ /{usr/,}bin/bash mix,
+ /{usr/,}bin/grep mixr,
+ /{usr/,}bin/netstat mixr,
/dev/random r,
/etc/cups/client.conf r,
/etc/cups/lpoptions r,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.gaim'
--- profiles/apparmor/profiles/extras/usr.bin.gaim 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.gaim 2016-12-03 10:03:35 +0000
@@ -23,7 +23,7 @@
#include <abstractions/gnome>
#include <abstractions/user-tmp>
- /bin/bash mixr,
+ /{usr/,}bin/bash mixr,
/dev/random r,
/etc/esd.conf r,
/etc/pango/pango.modules r,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh 2016-12-03 10:03:35 +0000
@@ -22,12 +22,12 @@
/usr/bin/mlmmj-make-ml.sh r,
# some shell tools are needed
- /bin/domainname mix,
- /bin/hostname mix,
- /bin/bash mix,
- /bin/cp mixr,
- /bin/mkdir mixr,
- /bin/touch mixr,
+ /{usr/,}bin/domainname mix,
+ /{usr/,}bin/hostname mix,
+ /{usr/,}bin/bash mix,
+ /{usr/,}bin/cp mixr,
+ /{usr/,}bin/mkdir mixr,
+ /{usr/,}bin/touch mixr,
/usr/bin/which mixr,
# if mkdir cant read the current work directory it jumps into /
# allow reading that dir.
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.opera'
--- profiles/apparmor/profiles/extras/usr.bin.opera 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.opera 2016-12-03 10:03:35 +0000
@@ -22,9 +22,9 @@
capability dac_override,
- /bin/bash mix,
- /bin/sed mixr,
- /bin/true mixr,
+ /{usr/,}bin/bash mix,
+ /{usr/,}bin/sed mixr,
+ /{usr/,}bin/true mixr,
/etc/SuSE-release r,
/etc/X11/.qt_plugins_3.3rc.lock rw,
/etc/X11/.qtrc.lock rw,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.procmail'
--- profiles/apparmor/profiles/extras/usr.bin.procmail 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.procmail 2016-12-03 10:03:35 +0000
@@ -27,9 +27,9 @@
/dev/tty rw,
# common commands
- /bin/bash rmix,
- /bin/date rmix,
- /bin/gzip rmix,
+ /{usr/,}bin/bash rmix,
+ /{usr/,}bin/date rmix,
+ /{usr/,}bin/gzip rmix,
/usr/bin/formail rmix,
/usr/bin/procmail rmix,
/usr/bin/spamc Px,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay'
--- profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay 2016-12-03 10:03:35 +0000
@@ -23,9 +23,9 @@
#include <abstractions/user-download>
#include <abstractions/X>
- /bin/bash mix,
- /bin/sed mixr,
- /bin/true mixr,
+ /{usr/,}bin/bash mix,
+ /{usr/,}bin/sed mixr,
+ /{usr/,}bin/true mixr,
/etc/pango/pango.modules r,
/usr/share/icons r,
/usr/share/icons/** r,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.firefox.firefox'
--- profiles/apparmor/profiles/extras/usr.lib.firefox.firefox 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.firefox.firefox 2016-12-03 10:03:35 +0000
@@ -65,8 +65,8 @@
/usr/bin/basename ixr,
/usr/bin/dirname ixr,
/usr/bin/pwd ixr,
- /sbin/killall5 ixr,
- /bin/which ixr,
+ /{usr/,}sbin/killall5 ixr,
+ /{usr/,}bin/which ixr,
/usr/bin/tr ixr,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/mountinfo r,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.firefox.firefox.sh'
--- profiles/apparmor/profiles/extras/usr.lib.firefox.firefox.sh 2008-11-05 16:00:39 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.firefox.firefox.sh 2016-12-03 10:03:35 +0000
@@ -8,9 +8,9 @@
deny capability sys_ptrace,
- /bin/basename rix,
- /bin/bash rix,
- /bin/grep rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/grep rix,
/etc/magic r,
/usr/bin/file rix,
/usr/lib/firefox/firefox px,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.man-db.man'
--- profiles/apparmor/profiles/extras/usr.lib.man-db.man 2011-08-05 23:35:37 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.man-db.man 2016-12-03 10:03:35 +0000
@@ -17,12 +17,12 @@
#include <abstractions/consoles>
#include <abstractions/user-manpages>
- /bin/bash rmix,
- /bin/cat rmix,
- /bin/gunzip rmix,
- /bin/mktemp rmix,
- /bin/more rmix,
- /bin/rm rmix,
+ /{usr/,}bin/bash rmix,
+ /{usr/,}bin/cat rmix,
+ /{usr/,}bin/gunzip rmix,
+ /{usr/,}bin/mktemp rmix,
+ /{usr/,}bin/more rmix,
+ /{usr/,}bin/rm rmix,
/etc/groff/man.local r,
/etc/lesskey.bin r,
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.postfix.local'
--- profiles/apparmor/profiles/extras/usr.lib.postfix.local 2014-06-27 04:32:56 +0000
+++ profiles/apparmor/profiles/extras/usr.lib.postfix.local 2016-12-03 10:03:35 +0000
@@ -25,8 +25,8 @@
/usr/bin/mlmmj-recieve Px,
/usr/lib/postfix/local rmix,
- /bin/bash mixr,
- /bin/date mixr,
+ /{usr/,}bin/bash mixr,
+ /{usr/,}bin/date mixr,
/dev/tty rw,
/etc/{postfix/,}aliases.db r,
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.cupsd'
--- profiles/apparmor/profiles/extras/usr.sbin.cupsd 2013-01-02 23:31:01 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.cupsd 2016-12-03 10:03:35 +0000
@@ -15,8 +15,8 @@
capability setgid,
capability setuid,
- /bin/bash ixr,
- /bin/cat ix,
+ /{usr/,}bin/bash ixr,
+ /{usr/,}bin/cat ix,
/usr/bin/foomatic-rip ixr,
/etc/foomatic/** r,
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.lighttpd'
--- profiles/apparmor/profiles/extras/usr.sbin.lighttpd 2011-07-14 12:57:57 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.lighttpd 2016-12-03 10:03:35 +0000
@@ -49,8 +49,8 @@
# log files
/var/log/lighttpd/*.log rw,
# include_shell
- /bin/bash mix,
- /bin/zsh mix,
- /bin/cat mix,
+ /{usr/,}bin/bash mix,
+ /{usr/,}bin/zsh mix,
+ /{usr/,}bin/cat mix,
}
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.spamd'
--- profiles/apparmor/profiles/extras/usr.sbin.spamd 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.spamd 2016-12-03 10:03:35 +0000
@@ -22,7 +22,7 @@
capability setgid,
capability setuid,
- /bin/pwd mixr,
+ /{usr/,}bin/pwd mixr,
/etc/mail/spamassassin r,
/etc/mail/spamassassin/* r,
/etc/mtab r,
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-04-29 18:25:53 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-12-03 10:03:35 +0000
@@ -77,20 +77,20 @@
/sys/fs/cgroup/*/user/*/[0-9]*/ rw,
/sys/fs/cgroup/systemd/user.slice/user-[0-9]*.slice/session-c[0-9]*.scope/ rw,
- /bin/ash Uxr,
- /bin/bash Uxr,
- /bin/bash2 Uxr,
- /bin/bsh Uxr,
- /bin/csh Uxr,
- /bin/dash Uxr,
- /bin/ksh Uxr,
- /bin/sh Uxr,
- /bin/tcsh Uxr,
- /bin/zsh Uxr,
- /bin/zsh4 Uxr,
- /bin/zsh5 Uxr,
+ /{usr/,}bin/ash Uxr,
+ /{usr/,}bin/bash Uxr,
+ /{usr/,}bin/bash2 Uxr,
+ /{usr/,}bin/bsh Uxr,
+ /{usr/,}bin/csh Uxr,
+ /{usr/,}bin/dash Uxr,
+ /{usr/,}bin/ksh Uxr,
+ /{usr/,}bin/sh Uxr,
+ /{usr/,}bin/tcsh Uxr,
+ /{usr/,}bin/zsh Uxr,
+ /{usr/,}bin/zsh4 Uxr,
+ /{usr/,}bin/zsh5 Uxr,
/{,usr/}sbin/nologin Uxr,
- /bin/false Uxr,
+ /{usr/,}bin/false Uxr,
# XXX: this needs to be enabled otherwise we risk locking out a user
# Call passwd for password change when expired
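Review bot: The new shell lines use the `/{usr/,}bin/...` spelling while the untouched neighbour `/{,usr/}sbin/nologin Uxr,` sitting between them uses `/{,usr/}`; both alternations match the same paths, but one spelling within the block keeps the list easy to scan and grep, and `/{usr/,}` is the form this merge uses everywhere else. Since the hunk already rewrites every other line of the block, `/{usr/,}sbin/nologin Uxr,` would bring it in line. The sshd profile continues outside the hunk.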
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.useradd'
--- profiles/apparmor/profiles/extras/usr.sbin.useradd 2014-12-02 19:22:40 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.useradd 2016-12-03 10:03:35 +0000
@@ -26,7 +26,7 @@
capability fsetid,
capability sys_resource,
- /bin/bash mixr,
+ /{usr/,}bin/bash mixr,
/etc/.pwd.lock rwk,
/etc/default/useradd r,
/etc/group* rwl,
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.userdel'
--- profiles/apparmor/profiles/extras/usr.sbin.userdel 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.userdel 2016-12-03 10:03:35 +0000
@@ -25,8 +25,8 @@
capability dac_read_search,
capability sys_resource,
- /bin/cat rmix,
- /bin/bash rmix,
+ /{usr/,}bin/cat rmix,
+ /{usr/,}bin/bash rmix,
/dev/log w,
/etc/.pwd.lock rwk,
/etc/cron.deny r,
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.xinetd'
--- profiles/apparmor/profiles/extras/usr.sbin.xinetd 2011-07-14 12:57:57 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.xinetd 2016-12-03 10:03:35 +0000
@@ -27,9 +27,9 @@
/var/log/xinetd.log w,
/{,var/}run/xinetd.pid rwl,
- /bin/netstat Px,
- /bin/ps mix,
- /sbin/linuxconf Px,
+ /{usr/,}bin/netstat Px,
+ /{usr/,}bin/ps mix,
+ /{usr/,}sbin/linuxconf Px,
/usr/bin/cvs Px,
/usr/bin/fam Px,
/usr/bin/kotalkd Px,