apparmor:cherry-pick-d257afd3

Last commit made on 2020-04-02
Get this branch:
git clone -b cherry-pick-d257afd3 https://git.launchpad.net/apparmor

Branch information

Name:
cherry-pick-d257afd3
Repository:
lp:apparmor

Recent commits

fae582b... by John Johansen <email address hidden>

Add xdg-open (and friends) abstraction

Implement a set of abstractions to handle opening URIs via xdg-open and similar helpers used on different desktop environments.

The abstractions are intended to be included into a child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control over what a confined application can actually open via xdg-open and similar helpers.

PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404
Acked-by: John Johansen <email address hidden>

(cherry picked from commit d257afd3096b25f5d76e2575478c13d4f6930f9a)

622fc44b Add xdg-open (and friends) abstraction
af278ca6 exo-open: Fix denials on OpenSUSE
f07f0771 exo-open: Allow playing alert sounds
80514906 kde-open5: use dbus-network-manager-strict abstraction
ac08dc66 kde-open5: fix denies Ubuntu Eoan
501aada8 gio-open: fix denies Ubuntu Eoan
0a55babe exo-open: do not enable a11y by default
e77abfa5 exo-open: update comment about DBUS denial
d35faafd kde-open5: do not enable a11y by default
8b481d46 kde-open5: do not enable gstreamer support by default
162e5086 xdg-open: update usage example

dda6825... by Rich McAllister <email address hidden>

abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

In focal, users of mdns get denials in AppArmor-confined applications.
An example can be found in the original bug below.

It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow

Therefore I'm asking to add
   /etc/mdns.allow r,
to the file
   /etc/apparmor.d/abstractions/mdns
by default.

--- original bug ---

Many repetitions of

audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

in the log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains

hosts: files mdns [NOTFOUND=return] myhostname dns

and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html).

Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <email address hidden>

(cherry picked from commit eeac8c11c935edf9eea2bed825af6c57e9fb52e3)

92f6679... by John Johansen <email address hidden>

Merge [2.13] fix build with make 4.3

This MR backports the patches for make 4.3 compatibility to the 2.13 branch.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/74
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1167953
Acked-by: John Johansen <email address hidden>

03acdeb... by John Johansen <email address hidden>

Merge [2.12 + 2.13] Add "run" variable

Define the "run" variable in 2.12 and 2.13 to make backporting profile updates easier.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/88
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/466

Acked-by: John Johansen <email address hidden>

1f319c3... by nl6720 <email address hidden>

abstractions/nameservice: allow accessing /run/systemd/userdb/

On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .

(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
Signed-off-by: nl6720 <email address hidden>
Signed-off-by: John Johansen <email address hidden>
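The mdns and nameservice commits above both follow the same path: a file-access denial shows up in the audit log, and the fix is a rule (ideally in a shared abstraction) granting the denied access. The script below is an added example for this page, not code from the AppArmor project; the project's own aa-logprof does this job properly, with interactive review. It parses AppArmor "DENIED" audit records and proposes candidate file rules per profile, rewriting /run/ and /proc/ prefixes to the @{run} and @{PROC} tunables (the "Add run variable" merge above defines @{run} for 2.12 and 2.13; in tunables/global it expands to /run/ and /var/run/). The log text is constructed: the first line is the chronyd denial quoted in the mdns commit message, the second is a made-up denial on /run/systemd/userdb/ like the one the nameservice commit addresses, and the third is an ALLOWED record that must be ignored.

```python
"""Turn AppArmor audit "DENIED" records into candidate profile rules.

Added example, not AppArmor project code (aa-logprof is the real tool).
SAMPLE_LOG is constructed for this example; only its first line is taken
from the commit message on this page.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517170.118:64): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/systemd/userdb/" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517170.120:65): apparmor="ALLOWED" operation="open" profile="/usr/sbin/chronyd" name="/etc/hosts" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
"""

# key=value pairs; the value is either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Path prefixes rewritten to the tunables from tunables/global, so one rule
# matches whether the system uses /run or /var/run. @{run} is the variable
# the "Add run variable" commits on this page define for 2.12 and 2.13.
VARIABLES = {"/run/": "@{run}/", "/proc/": "@{PROC}/"}


def parse_record(line):
    """Return the key=value fields of one audit line as a dict (quotes
    stripped), or None if the line is not an AppArmor record."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def variable_path(path):
    """Replace a known prefix with its AppArmor variable, else return path."""
    for prefix, var in VARIABLES.items():
        if path.startswith(prefix):
            return var + path[len(prefix):]
    return path


def propose_rules(log_text):
    """Map profile name -> sorted list of file rules covering its denials.

    Only file-access denials (records carrying name= and denied_mask=) are
    handled; capability, network and dbus denials are skipped on purpose.
    """
    wanted = defaultdict(dict)  # profile -> path -> set of permission letters
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if "name" not in rec or "denied_mask" not in rec:
            continue
        path = variable_path(rec["name"])
        wanted[rec["profile"]].setdefault(path, set()).update(rec["denied_mask"])
    return {
        profile: sorted(f"{path} {''.join(sorted(perms))}," for path, perms in paths.items())
        for profile, paths in wanted.items()
    }


if __name__ == "__main__":
    for profile, rules in propose_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for {profile} (review before adding)")
        for rule in rules:
            print(f"  {rule}")
```

Treat the output as a starting point, not as something to paste into a profile: the mdns and nameservice commits put the rules into shared abstractions precisely because every confined program that goes through nsswitch hits the same files, and a generic denial like the userdb one belongs in abstractions/nameservice rather than in the chronyd profile. Denials that are not file accesses (capability, network, dbus) are deliberately left out here because their rule syntax differs.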

411af09... by Christian Boltz <email address hidden>

Merge branch 'mesa-20.0' into 'master'

abstractions/mesa: allow checking if the kernel supports the i915 perf interface

See merge request apparmor/apparmor!464

Acked-by: Vincas Dargis <email address hidden>
Acked-by: Christian Boltz <email address hidden> for master and 2.13

(cherry picked from commit f56bab3f75dfbdfc9456628a392cabbb985a44bb)

61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface

454fca7... by nl6720 <email address hidden>

Add "run" variable

Signed-off-by: nl6720 <email address hidden>
(cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec)

af0c288... by Christian Boltz

fix capabilities in apparmor.vim

https://gitlab.com/apparmor/apparmor/-/merge_requests/461 /
e92da079ca12e776991bd36524430bd67c1cb72a changed creating the
capabilities to use a script.

A side effect is that the list is now separated by \n instead of
spaces. Adjust create-apparmor.vim.py to the new output.

(cherry picked from commit 60b005788e79c1be7276349242e0cc97b99f7118)

0d8e4cd... by allgdante <email address hidden>

Generate CAPABILITIES in a script due to make 4.3

This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.

(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)

69651fc... by John Johansen

Revert "utils/test-network.py: fix failing testcase"

This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
This commit was meant for the 2.13 branch, not master.

Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit 9144e39d252cd75dd2d6941154e014f7d46147ca)