~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Last commit made on 2017-10-29
Get this branch:
git clone -b master https://git.launchpad.net/~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old
Members of AppArmor Developers can upload to this branch. Log in for directions.

Branch merges

Branch information

Recent commits

2bb2c0d... by intrigeri on 2017-10-29

Totem: include the nvidia abstraction.

As reported on https://bugs.debian.org/879900, this repairs Totem
that otherwise is broken when using the NVIDIA proprietary driver.

65e93e1... by Tyler Hicks on 2017-10-27

Bionic (Ubuntu 18.04 LTS) is now open

Signed-off-by: Tyler Hicks <email address hidden>

8226392... by intrigeri on 2017-10-27

Thunderbird: allow opening attachments and drop useless rules.

 * Add rules to fix opening of attachements.
 * Remove unneeded mmap rules for potentially dangerous paths.

Signed-off-by: intrigeri <email address hidden>

adee70d... by Vincas Dargis on 2017-10-25

Fix Thunderbird attachements and security

* Add rules to fix opening of attachements.
* Remove redunant mmap rules (copy-paste from Firfox profile) for
potentioly dangerous paths.

8ec53e2... by Steve Beattie on 2017-10-26

Update totem and gstreamer profiles and abstractions

Merge of remote-tracking branch 'intrigeri/gnome-3.26', modified to:

 - convert bwrap permission to scrub environment variables
 - add permission to create (write) and read @{HOME}/.cache/totem/ as
   pointed out by Vincas Dargis in the merge proposal.

Signed-off-by: Steve Beattie <email address hidden>

a28e823... by intrigeri on 2017-10-25

Totem abstraction: enable environment variable scrubbing back when transitioning to the gst_plugin_scanner profile.

We did this previously with Cix this got lost in
commit 2f857ea791aef3d4bf6e038d3970e9cf9f3ed3a2.

7764621... by intrigeri on 2017-10-25

Add permissions needed by recent GStreamer

… at least on Linux 4.14.

953797e... by intrigeri on 2017-10-25

Totem: allow killing unconfined processes.

This is needed so Totem can kill bwrap processes it has spawned.
Once we confine bwrap we will need to adjust the peer= argument;
there's no way we forget as this signal rule won't match anymore,
so the denials this rule fixes right now will come back.

2f857ea... by intrigeri on 2017-10-25

Totem abstraction: fix transition to gst_plugin_scanner profile.

Apparently the behavior of "Cix -> profile" has changed; I think it used to
(incorrectly?) accept to transition to a non-child profile whose name didn't
match the executable name, and now seems to be simply ignored. I'll consider
this as a bugfix. Let's use px instead, which works and matches more closely
what we want here.

89a4823... by Vincas Dargis on 2017-10-11

Totem: fix brwap qualifier

Use pux instead of Pux for bwap, because it was original intention
(not to scrub $HOME which is needed). Also, Pux is deprecated and
produces aa-logprof error.