Hello,

On Wednesday, 13 April 2016, 22:04:37 CEST, Michal Kubecek wrote:
> On Wed, Apr 13, 2016 at 01:22:46PM +0200, Michal Kubecek wrote:
> > I'll submit both later today once I have a chance to do at least some
> > testing (and write the patchinfo). Anyone willing to test it is
> > welcome, of course.
> 
> I did some (very) basic testing and found only one issue: to start
> nmbd from 4.2.4 package on a 13.1 system with AppArmor, these need to
> be added to its profile:
> 
>   /var/{cache,lib}/samba/lck/ w,
>   /var/{cache,lib}/samba/lck/* wk,
>   /var/{cache,lib}/samba/msg/ w,
>   /var/{cache,lib}/samba/msg/* w,

Are those files and directories in /var/cache/samba/ or /var/lib/samba/ ?
I'm asking because /var/lib/samba/** is covered by newer upstream 
profiles (via abstractions/samba), while /var/cache/samba/ isn't.

> The profile is provided by apparmor-profiles package built from
> apparmor source package. I'm not sure what would be the best way to
> handle this:
> 
>   (a) add apparmor.openSUSE_13.1_Update to the project manually and
>       submit it with the rest
>   (b) do a separate update of apparmor and send the request to the
> same maintenance incident once it is created
>   (c) ignore the issue and just warn users about it

If those changes are needed to start nmbd, option (c) doesn't sound good 
;-)

I'd even propose to do some more profile updates while we are on it.
The 2.8 branch isn't maintained in upstream AppArmor anymore, so we 
might want to backport profile changes from the 2.9 bzr branch (which is 
the oldest maintained branch, and also what will be released as 2.9.3 
(hopefully) soon).

The upstream policy for profile maintenance is that usually permissions 
get added, but it's extremely rare that permissions get removed, which 
makes the risk of regressions quite low.

However, 2.9 introduced some new rule types (like dbus and ptrace) which 
2.8 doesn't understand, so just shipping the 2.9 profiles isn't possible. 
(We could upgrade all of AppArmor (parser and utils) to 2.9.x or 2.10.x, 
but that's a bigger change and nothing I'd do with only a day or two of 
testing ;-)


I just looked at the changes between the 2.8 and 2.9 profiles and picked 
the interesting changes into the attached patch. I'm not sure if all 
changes are needed on 13.1, but IIRC at least some of them are.

Note that the patch is completely untested (except "it applies on top of 
security:apparmor/apparmor_2_8") - feedback welcome ;-)

General feedback if we want that "big" profile update patch or only a 
"small" patch to adjust the samba/nmbd profile is also welcome.


Regards,

Christian Boltz
-- 
Gericom + Pentium IV? Do you want a portable heating pad,
or a notebook?        [Manfred Tremmel in suse-linux]
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/X /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/X
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/X	2013-01-04 18:45:19.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/X	2016-03-01 22:38:31.564186000 +0100
@@ -7,6 +7,8 @@
   @{HOME}/.Xauthority           r,
   owner /{,var/}run/gdm{,3}/*/database r,
   owner /{,var/}run/lightdm/authority/[0-9]* r,
+  owner /{,var/}run/lightdm/*/xauthority r,
+  owner /{,var/}run/user/*/gdm/Xauthority r,
 
   # the unix socket to use to connect to the display
   /tmp/.X11-unix/*           w,
@@ -32,9 +34,13 @@
   /usr/share/X11/**               r,
   /usr/X11R6/**.so*               mr,
 
+  # EGL
+  /usr/lib/@{multiarch}/egl/*.so* mr,
+
   # DRI
   /usr/lib{,32,64}/dri/**         mr,
   /usr/lib/@{multiarch}/dri/**    mr,
+  /usr/lib/fglrx/dri/**           mr,
   /dev/dri/**                     rw,
   /etc/drirc                      r,
   owner @{HOME}/.drirc            r,
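Review bot: the new EGL rule only covers the `@{multiarch}` layout, while the DRI block directly below it carries both `/usr/lib{,32,64}/dri/**` and `/usr/lib/@{multiarch}/dri/**`; since the target here is a 13.1 system, consider adding the matching `/usr/lib{,32,64}/egl/*.so* mr,` next to it, otherwise the rule may not match anything on a non-multiarch library layout. `/usr/lib/fglrx/dri/** mr,` is a read/map-only addition and is fine as is.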
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/aspell /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/aspell
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/aspell	2012-01-18 19:15:57.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/aspell	2016-03-01 22:38:31.564186000 +0100
@@ -8,4 +8,6 @@
   /usr/lib/aspell/ r,
   /usr/lib/aspell/* r,
   /usr/lib/aspell/*.so m,
+  /usr/share/aspell/ r,
+  /usr/share/aspell/* r,
   /var/lib/aspell/* r,
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/base /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/base
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/base	2013-04-09 15:18:40.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/base	2016-03-01 22:38:31.564186000 +0100
@@ -26,12 +26,14 @@
   /etc/locale/**                 r,
   /etc/locale.alias              r,
   /etc/localtime                 r,
+  /usr/share/locale-bundle/**    r,
   /usr/share/locale-langpack/**  r,
   /usr/share/locale/**           r,
   /usr/share/**/locale/**        r,
   /usr/share/zoneinfo/           r,
   /usr/share/zoneinfo/**         r,
   /usr/share/X11/locale/**       r,
+  /{,var/}run/systemd/journal/dev-log w,
 
   /usr/lib{,32,64}/locale/**             mr,
   /usr/lib{,32,64}/gconv/*.so            mr,
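Review bot: `/{,var/}run/systemd/journal/dev-log w,` lands in the locale block without a comment. Because `base` is included by almost every profile, this line gives every confined program write (connect) access to the journal socket; a one-line comment saying this is the socket `/dev/log` points to on systemd systems, placed next to the existing logging rules rather than between locale entries, would document that policy-wide change for the next maintainer.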
@@ -103,6 +105,9 @@
   # glibc malloc (man 5 proc)
   @{PROC}/sys/vm/overcommit_memory r,
 
+  # Allow determining the highest valid capability of the running kernel
+  @{PROC}/sys/kernel/cap_last_cap r,
+
   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
   # filesystems generally. This does not appreciably decrease security with
   # Ubuntu profiles because the user is expected to have access to files owned
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/cups-client /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/cups-client
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/cups-client	2012-01-06 17:45:34.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/cups-client	2014-12-19 13:22:37.965310000 +0100
@@ -12,7 +12,7 @@
   # discoverable system configuration for non-local cupsd
   /etc/cups/client.conf   r,
   # client should be able to talk the local cupsd
-  /{,var/}run/cups/cups.sock w,
+  /{,var/}run/cups/cups.sock rw,
   # client should be able to read user-specified cups configuration
   owner @{HOME}/.cups/client.conf r,
   owner @{HOME}/.cups/lpoptions r,
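Review bot: widening `/{,var/}run/cups/cups.sock` from `w` to `rw` is not reflected in the comment above it, which still only says the client should be able to talk to cupsd (connecting needs `w`). If the `r` was added because of an observed denial, note what triggered it; otherwise the narrower `w` was already sufficient for the stated purpose.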
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/fonts /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/fonts
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/fonts	2013-10-15 01:31:38.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/fonts	2014-12-19 13:22:37.965310000 +0100
@@ -52,3 +52,6 @@
 
   # poppler CMap tables
   /usr/share/poppler/cMap/**            r,
+
+  # data files for LibThai
+  /usr/share/libthai/thbrk.tri          r,
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/freedesktop.org /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/freedesktop.org
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/freedesktop.org	2014-09-11 02:40:14.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/freedesktop.org	2015-12-11 19:58:07.576592000 +0100
@@ -11,6 +11,7 @@
 
   # system configuration
   /usr/share/applications/               r,
+  /usr/share/applications/defaults.list  r,
   /usr/share/applications/mimeinfo.cache r,
   /usr/share/applications/*.desktop      r,
   /usr/share/icons/               r,
@@ -30,6 +31,7 @@
   owner @{HOME}/.recently-used.xbel*    rw,
   owner @{HOME}/.local/share/recently-used.xbel* rw,
   owner @{HOME}/.config/user-dirs.dirs  r,
+  owner @{HOME}/.config/mimeapps.list   r,
   owner @{HOME}/.local/share/applications/               r,
   owner @{HOME}/.local/share/applications/*.desktop      r,
   owner @{HOME}/.local/share/applications/defaults.list  r,
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/nameservice /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/nameservice
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/nameservice	2014-09-11 02:37:02.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/nameservice	2016-03-01 22:38:31.564186000 +0100
@@ -26,12 +26,21 @@
   /var/lib/extrausers/group  r,
   /var/lib/extrausers/passwd r,
 
+  # When using sssd, the passwd and group files are stored in an alternate path
+  # and the nss plugin also needs to talk to a pipe
+  /var/lib/sss/mc/group   r,
+  /var/lib/sss/mc/passwd  r,
+  /var/lib/sss/pipes/nss  rw,
+
   /etc/resolv.conf        r,
   # on systems using resolvconf, /etc/resolv.conf is a symlink to
   # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
   # /etc/resolvconf/run/resolv.conf
   /{,var/}run/resolvconf/resolv.conf r,
   /etc/resolvconf/run/resolv.conf r,
+  # on systems using systemd's networkd, /etc/resolv.conf is a symlink to
+  # /run/systemd/resolve/resolv.conf
+  /{,var/}run/systemd/resolve/resolv.conf r,
 
   /etc/samba/lmhosts      r,
   /etc/services           r,
@@ -41,7 +50,7 @@
   # to vast speed increases when working with network-based lookups.
   /{,var/}run/.nscd_socket   rw,
   /{,var/}run/nscd/socket    rw,
-  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host}    r,
+  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts}    r,
   # nscd renames and unlinks files in it's operation that clients will
   # have open
   /{,var/}run/nscd/db*  rmix,
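Review bot: the `host` to `hosts` change in the nscd cache file list is a functional fix, not a cosmetic one: nscd's hosts cache file is named `hosts`, so the old rule never matched it and lookups fell back to the slow path. Worth a line in the patchinfo so 13.1 users know why host resolution through nscd starts behaving differently after the update.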
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/p11-kit /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/p11-kit
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/p11-kit	2013-09-12 16:25:56.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/p11-kit	2014-12-19 13:22:37.965310000 +0100
@@ -19,6 +19,9 @@
   /usr/share/p11-kit/modules/  r,
   /usr/share/p11-kit/modules/* r,
 
+  # gnome-keyring pkcs11 module
+  owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
+
   # p11-kit also supports reading user configuration from ~/.pkcs11 depending
   # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
   # included in this abstraction.
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/php5 /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/php5
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/php5	2010-03-30 19:34:32.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/php5	2015-12-11 19:58:07.576592000 +0100
@@ -11,8 +11,8 @@
 # ------------------------------------------------------------------
 
   # shared snippets for config files
-  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
-  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
+  /etc/php5/**/ r,
+  /etc/php5/**.ini r,
 
   # Xlibs
   /usr/X11R6/lib{,32,64}/lib*.so* mr,
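Review bot: replacing the enumerated `/etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/` list with `/etc/php5/**/ r,` and `/etc/php5/**.ini r,` widens read access to every directory and every `.ini` file anywhere under `/etc/php5`. It is read-only and stays inside PHP's own configuration tree, so the risk is low, but since this abstraction is included by web-facing profiles (see the phpsysinfo hunk further down), the reason for dropping the explicit SAPI list belongs in the changelog.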
@@ -30,3 +30,6 @@
 
   # MySQL extension
   /usr/share/mysql/** r,
+
+  # Zend opcache
+  /tmp/.ZendSem.* rwlk,
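Review bot: `/tmp/.ZendSem.* rwlk,` grants write, link and lock on a glob in the world-writable `/tmp` without an `owner` qualifier, so a confined PHP process would also be allowed to open, lock or hard-link a `.ZendSem.*` file pre-created by another local user. `owner /tmp/.ZendSem.* rwlk,` follows the pattern this patch uses for other per-user runtime files (the icedteaplugin and gnome-keyring rules) and should be tried first; only fall back to the unqualified form if the opcache semaphore is actually shared across uids.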
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/samba /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/samba
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/samba	2013-12-23 22:16:59.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/samba	2016-03-01 22:38:31.564186000 +0100
@@ -13,10 +13,12 @@
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,
-  /var/lib/samba/**.tdb rwk,
+  /var/lib/samba/** rwk,
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,
   /var/log/samba/log.* w,
   /{,var/}run/samba/ w,
   /{,var/}run/samba/*.tdb rw,
 
+  # required for clustering
+  /var/lib/ctdb/** rwk,
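Review bot: this is the rule that covers the `/var/lib/samba/lck/` and `/var/lib/samba/msg/` paths from the mail, but only the `/var/lib` variant: `/var/cache/samba/ w,` above still permits entries directly in that directory and nothing below it, so if nmbd on 13.1 uses `/var/cache/samba/lck/` the profile needs explicit rules for that tree. Also note that going from `/var/lib/samba/**.tdb rwk` to `/var/lib/samba/** rwk` drops the `.tdb` restriction for every profile using this abstraction; it should be named in the patchinfo as a deliberate widening rather than hidden in a "profile sync".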
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/ssl_certs /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ssl_certs
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/ssl_certs	2013-11-26 00:42:19.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ssl_certs	2016-03-28 21:43:42.503723242 +0200
@@ -12,6 +12,10 @@
   /etc/ssl/ r,
   /etc/ssl/certs/ r,
   /etc/ssl/certs/* r,
+  /etc/pki/trust/ r,
+  /etc/pki/trust/* r,
+  /etc/pki/trust/anchors/ r,
+  /etc/pki/trust/anchors/** r,
   /usr/share/ca-certificates/ r,
   /usr/share/ca-certificates/** r,
   /usr/share/ssl/certs/ca-bundle.crt          r,
@@ -19,3 +23,7 @@
   /usr/local/share/ca-certificates/** r,
   /var/lib/ca-certificates/ r,
   /var/lib/ca-certificates/** r,
+
+  # acmetool
+  /var/lib/acme/certs/*/chain r,
+  /var/lib/acme/certs/*/cert r,
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/ssl_keys /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ssl_keys
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/ssl_keys	2010-12-20 21:29:10.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ssl_keys	2016-03-28 21:43:42.503723242 +0200
@@ -16,3 +16,7 @@
   /etc/ssl/ r,
   /etc/ssl/** r,
 
+  # acmetool
+  /var/lib/acme/live/* r,
+  /var/lib/acme/certs/** r,
+  /var/lib/acme/keys/** r,
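Review bot: `ssl_keys` grants `/var/lib/acme/certs/** r,` while the `ssl_certs` hunk just above deliberately limits itself to `*/chain` and `*/cert` under the same directory. Since `ssl_keys` is the abstraction for private material (it already has `/etc/ssl/** r`), the wider glob is probably intentional, but a comment saying so, or narrowing it to the same two files plus `keys/**`, would avoid the question on the next sync.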
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java	2013-01-04 00:37:41.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java	2015-12-11 19:58:07.576592000 +0100
@@ -12,6 +12,8 @@
   /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
   /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
   /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
+  owner /{,var/}run/user/*/icedteaplugin-*/   rw,
+  owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
 
   # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
   # unfortunate workarounds of the proprietary Javas, so have a separate
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia	2013-01-10 00:15:59.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia	2014-12-19 13:22:37.965310000 +0100
@@ -55,3 +55,6 @@
 
   # Virus scanners
   /usr/bin/clamscan Cx -> sanitized_helper,
+
+  # gxine (LP: #1057642)
+  /var/lib/xine/gxine.desktop r,
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common	2012-01-17 15:22:11.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common	2016-03-01 22:38:31.564186000 +0100
@@ -3,10 +3,10 @@
   #
   @{PROC}/[0-9]*/fd/ r,
   /usr/lib/** rm,
-  /bin/bash ixr,
-  /bin/dash ixr,
-  /bin/grep ixr,
-  /bin/sed ixr,
+  /{,usr/}bin/bash ixr,
+  /{,usr/}bin/dash ixr,
+  /{,usr/}bin/grep ixr,
+  /{,usr/}bin/sed ixr,
   /usr/bin/m4 ixr,
 
   # Since all the ubuntu-browsers.d abstractions need this, just include it
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration	2013-07-01 17:51:11.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration	2014-12-19 13:22:37.965310000 +0100
@@ -33,3 +33,9 @@
   /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
   /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
   /etc/xdg/xfce4/helpers.rc r,
+
+  # unity webapps integration. Could go in its own abstraction
+  owner /run/user/*/dconf/user rw,
+  owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
+  /usr/bin/debconf-communicate Cxr -> sanitized_helper,
+  owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
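Review bot: `owner /run/user/*/dconf/user rw,` hardcodes `/run/user` while every other runtime-dir rule in this patch uses the `/{,var/}run/user/` alternation (icedteaplugin, gnome-keyring); for consistency, and for systems where `/var/run` is still the canonical path, write it as `owner /{,var/}run/user/*/dconf/user rw,`. The `debconf-communicate Cxr -> sanitized_helper` line is Ubuntu-specific and harmless on 13.1 since the binary does not exist there.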
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-email /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-email
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-email	2012-05-18 22:30:22.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-email	2016-03-01 22:38:31.564186000 +0100
@@ -10,6 +10,8 @@
   /usr/bin/balsa Cx -> sanitized_helper,
   /usr/bin/claws-mail Cx -> sanitized_helper,
   /usr/bin/evolution Cx -> sanitized_helper,
+  /usr/bin/geary Cx -> sanitized_helper,
+  /usr/bin/gnome-gmail Cx -> sanitized_helper,
   /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
   /usr/bin/kmail Cx -> sanitized_helper,
   /usr/bin/mailody Cx -> sanitized_helper,
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-helpers /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-helpers
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/ubuntu-helpers	2013-01-04 00:44:14.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/ubuntu-helpers	2016-03-01 22:38:31.564186000 +0100
@@ -33,6 +33,7 @@
 
 profile sanitized_helper {
   #include <abstractions/base>
+  #include <abstractions/X>
 
   # Allow all networking
   network inet,
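Review bot: including `abstractions/X` in `sanitized_helper` hands the X socket and Xauthority rules (extended earlier in this patch) to every program launched via `Cx -> sanitized_helper`. That is the catch-all profile for helpers the browser profiles do not trust, so the widening deserves a comment line naming the GUI helper that needed it, in the same style as the `(LP: #...)` references used elsewhere in this file.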
@@ -53,11 +54,15 @@ profile sanitized_helper {
   # permissions for /usr/share, but for now just do this. (LP: #972367)
   /usr/share/software-center/* Pixr,
 
+  # Allow exec of texlive font build scripts (LP: #1010909)
+  /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
+
   # While the chromium and chrome sandboxes are setuid root, they only link
   # in limited libraries so glibc's secure execution should be enough to not
   # require the santized_helper (ie, LD_PRELOAD will only use standard system
   # paths (man ld.so)).
   /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+  /usr/lib/chromium-browser/chrome-sandbox PUxr,
   /opt/google/chrome/chrome-sandbox PUxr,
   /opt/google/chrome/google-chrome Pixr,
   /opt/google/chrome/chrome Pixr,
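Review bot: `/usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,` allows executing any file at any depth below `web2c/` with inherit, while the comment only talks about font build scripts; if the scripts live in a known subdirectory, narrowing the glob to it keeps the exec surface of `sanitized_helper` small. The new `chrome-sandbox PUxr,` line inherits the rationale in the comment above it (setuid sandbox, limited libraries) and is consistent with the existing chromium and google-chrome entries.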
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/abstractions/user-mail /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/user-mail
--- apparmor-2.8.4/profiles/apparmor.d/abstractions/user-mail	2010-12-22 23:55:18.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/abstractions/user-mail	2015-12-11 19:58:07.576592000 +0100
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2014 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,8 +13,8 @@
   owner @{HOME}/[mM]ail/      r,
   owner @{HOME}/[mM]ail/**    rwl,
   owner @{HOME}/postponed*    rwl,
-  /var/spool/mail/      r,
-  /var/spool/mail/*     rwl,
+  /var/{,spool/}mail/         r,
+  /var/{,spool/}mail/*        rwl,
   owner @{HOME}/mbox.lock*    rwl,
   owner @{HOME}/mbox          rw,
   owner @{HOME}/inbox         rw,
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/apache2.d/phpsysinfo /home/cb/apparmor/2.9-branch/profiles/apparmor.d/apache2.d/phpsysinfo
--- apparmor-2.8.4/profiles/apparmor.d/apache2.d/phpsysinfo	2011-07-14 14:57:57.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/apache2.d/phpsysinfo	2016-03-01 22:38:31.564186000 +0100
@@ -5,36 +5,44 @@
     #include <abstractions/apache2-common>
     #include <abstractions/base>
     #include <abstractions/nameservice>
+    #include <abstractions/php5>
     #include <abstractions/python>
 
-    /bin/dash ixr,
-    /bin/df ixr,
-    /bin/mount ixr,
-    /bin/uname ixr,
+    /{,usr/}bin/dash ixr,
+    /{,usr/}bin/df ixr,
+    /{,usr/}bin/mount ixr,
+    /{,usr/}bin/uname ixr,
     /dev/bus/usb/ r,
     /dev/bus/usb/** r,
     /etc/debian_version r,
     /etc/lsb-release r,
     /etc/mtab r,
     /etc/phpsysinfo/config.php r,
+    /etc/udev/udev.conf r,
     /proc/** r,
+    /sys/bus/ r,
     /sys/bus/pci/devices/ r,
+    /sys/bus/pci/slots/ r,
+    /sys/bus/pci/slots/** r,
+    /sys/bus/usb/devices/ r,
+    /sys/class/ r,
     /sys/devices/** r,
+    /usr/bin/ r,
     /usr/bin/apt-cache ixr,
     /usr/bin/dpkg-query ixr,
     /usr/bin/lsb_release ixr,
     /usr/bin/lspci ixr,
     /usr/bin/who ixr,
-    /usr/sbin/lsusb ixr,
+    /usr/{,s}bin/lsusb ixr,
     /usr/share/phpsysinfo/** r,
+    /var/lib/dpkg/arch r,
     /var/lib/dpkg/available r,
     /var/lib/dpkg/status r,
     /var/lib/dpkg/triggers/* r,
     /var/lib/dpkg/updates/ r,
-    /var/lib/misc/usb.ids r,
+    /var/lib/{misc,usbutils}/usb.ids r,
     /var/log/apache2/access.log w,
     /var/log/apache2/error.log w,
     /{,var/}run/utmp rk,
     /usr/share/misc/pci.ids r,
-
   }
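Review bot: the new `#include <abstractions/php5>` makes this profile depend on the php5 hunk earlier in the patch, including its `/tmp/.ZendSem.* rwlk,` rule, so the two cannot be cherry-picked independently; mention that in the patchinfo. The only change at the end of the hunk is the removal of the blank line before `}`, which is whitespace-only churn and could be dropped from the backport to keep the diff to the functional changes.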
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/sbin.syslog-ng /home/cb/apparmor/2.9-branch/profiles/apparmor.d/sbin.syslog-ng
--- apparmor-2.8.4/profiles/apparmor.d/sbin.syslog-ng	2012-01-09 13:28:25.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/sbin.syslog-ng	2016-03-01 22:38:31.564186000 +0100
@@ -20,6 +20,7 @@
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
   #include <abstractions/mysql>
+  #include <abstractions/openssl>
 
   capability chown,
   capability dac_override,
@@ -30,7 +31,10 @@
   /dev/syslog w,
   /dev/tty10 rw,
   /dev/xconsole rw,
+  /etc/machine-id r,
   /etc/syslog-ng/* r,
+  /etc/syslog-ng/conf.d/ r,
+  /etc/syslog-ng/conf.d/* r,
   @{PROC}/kmsg r,
   /etc/hosts.deny r,
   /etc/hosts.allow r,
@@ -47,6 +51,10 @@
   @{CHROOT_BASE}/var/log/** w,
   @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
   @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+  /{var,var/run,run}/log/journal/ r,
+  /{var,var/run,run}/log/journal/*/ r,
+  /{var,var/run,run}/log/journal/*/*.journal r,
+  /{var/,}run/syslog-ng.ctl a,
   /{var/,}run/syslog-ng/additional-log-sockets.conf r,
 
   # Site-specific additions and overrides. See local/README for details.
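Review bot: `/{var/,}run/syslog-ng.ctl a,` lacks the `@{CHROOT_BASE}` prefix that the `syslog-ng.ctl rw` rule two lines above uses for the same file; if `@{CHROOT_BASE}` is normally empty the new line is redundant, and if it is not, the append rule will not match the chrooted path. Either way, folding the `a` into the existing rule is cleaner. The journal rules give syslog-ng read access to every journal file under `/var/log/journal` and `/run/log/journal`; that is the expected scope for a log daemon, but it is the broadest new read grant in this file and is worth a comment.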
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/usr.sbin.identd /home/cb/apparmor/2.9-branch/profiles/apparmor.d/usr.sbin.identd
--- apparmor-2.8.4/profiles/apparmor.d/usr.sbin.identd	2011-07-14 14:57:57.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/usr.sbin.identd	2015-12-11 19:55:24.371592000 +0100
@@ -23,7 +23,9 @@
   /usr/sbin/identd	   rmix,
   @{PROC}/net/tcp          r,
   @{PROC}/net/tcp6         r,
-  /{,var/}run/identd.pid      w,
+  /{,var/}run/identd.pid   w,
+  /{,var/}run/identd/           w,
+  /{,var/}run/identd/identd.pid w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.identd>
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/usr.sbin.smbd /home/cb/apparmor/2.9-branch/profiles/apparmor.d/usr.sbin.smbd
--- apparmor-2.8.4/profiles/apparmor.d/usr.sbin.smbd	2014-08-11 23:24:23.000000000 +0200
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/usr.sbin.smbd	2016-04-13 23:22:02.258617250 +0200
@@ -17,6 +17,7 @@
   capability net_bind_service,
   capability setgid,
   capability setuid,
+  capability sys_admin,  # needed to store ACLS in the security.NTACL namespace
   capability sys_resource,
   capability sys_tty_config,
 
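Review bot: `capability sys_admin` is the broadest capability AppArmor can grant, and it is the one change in this patch that meaningfully widens a daemon profile rather than adding file paths. The inline comment gives a valid reason (writing xattrs in the `security.*` namespace does require CAP_SYS_ADMIN), but the `+++` timestamp of 2016-04-13 23:22 shows this file was edited locally today rather than taken from the 2.9 branch like the rest, so it should be called out in the patchinfo as a local addition; also "ACLS" should read "ACLs".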
diff -u -p -r apparmor-2.8.4/profiles/apparmor.d/usr.sbin.smbldap-useradd /home/cb/apparmor/2.9-branch/profiles/apparmor.d/usr.sbin.smbldap-useradd
--- apparmor-2.8.4/profiles/apparmor.d/usr.sbin.smbldap-useradd	2012-01-10 19:06:24.000000000 +0100
+++ /home/cb/apparmor/2.9-branch/profiles/apparmor.d/usr.sbin.smbldap-useradd	2016-03-01 22:38:31.564186000 +0100
@@ -8,7 +8,7 @@
   #include <abstractions/perl>
 
   /dev/tty rw,
-  /bin/bash ix,
+  /{,usr/}bin/bash ix,
   /etc/init.d/nscd Cx,
   /etc/shadow r,
   /etc/smbldap-tools/smbldap.conf r,
@@ -26,9 +26,9 @@
 
     capability sys_ptrace,
 
-    /bin/bash r,
-    /bin/mountpoint rix,
-    /bin/systemctl rix,
+    /{,usr/}bin/bash r,
+    /{,usr/}bin/mountpoint rix,
+    /{,usr/}bin/systemctl rix,
     /dev/tty rw,
     /etc/init.d/nscd r,
     /etc/rc.status r,
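One practical check for a backport like this one: the mail points out that 2.9 introduced rule types the 2.8 parser does not understand, so profiles taken from the 2.9 branch need to be screened for them before they are shipped. The script below is an added example and is not part of the mail, the patch or the AppArmor project; it flags `dbus` and `ptrace` rules (named in the mail) as well as `signal` and `unix` rules (the other rule types introduced with 2.9, an assumption not stated in the mail), using a constructed sample profile for its self-test.

```shell
#!/bin/sh
# Added example, not from the mail or the AppArmor project: a lint for profile
# files that are about to be backported from the 2.9 branch to a 2.8 parser.
# dbus and ptrace are named in the mail as rule types 2.8 does not understand;
# signal and unix are assumed here to be the other 2.9-only rule types.
NEW_RULE_TYPES='dbus|ptrace|signal|unix'

# Extended regex: optional leading whitespace, optional audit/deny qualifiers,
# then one of the 2.9-only keywords as the first token of the rule. Lines
# starting with '#' never match, so comments mentioning these words are ignored.
rule_regex() {
    printf '%s' '^[[:space:]]*((audit|deny)[[:space:]]+)*('"$NEW_RULE_TYPES"')([[:space:],]|$)'
}

# Print the number of 2.9-only rules in a profile file (0 means 2.8-clean).
count_29_only_rules() {
    grep -cE "$(rule_regex)" "$1" || true
}

# Print every offending rule as file:line:rule so it can be dropped or rewritten.
list_29_only_rules() {
    grep -nE "$(rule_regex)" "$1" | sed "s|^|$1:|"
}

# Constructed sample profile for the self-test; echoes the path of the temp file.
make_sample_profile() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# constructed sample, not a real upstream profile
/usr/sbin/example {
  #include <abstractions/base>
  network inet stream,
  /etc/example.conf r,
  owner /run/example.sock w,
  dbus (send) bus=system,
  ptrace (read) peer=unconfined,
  deny signal (send) peer=**,
  # unix rules are mentioned only in this comment, which must not be counted
}
EOF
    printf '%s\n' "$f"
}

# Usage: sh check_29_rules.sh profiles/apparmor.d/* ; exits 1 if anything is found.
if [ "$#" -gt 0 ]; then
    found=0
    for p in "$@"; do
        n=$(count_29_only_rules "$p")
        if [ "$n" -gt 0 ]; then
            list_29_only_rules "$p"
            found=1
        fi
    done
    exit "$found"
fi
```

Running it over the `profiles/apparmor.d` tree of a 2.9 checkout before building the 2.8 package lists exactly the lines that would make `apparmor_parser` 2.8 reject a profile, which is quicker than discovering them one parser error at a time.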
_______________________________________________
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen
