Merge ~intrigeri/apparmor-profiles/+git/apparmor-profiles:usrmerge into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Proposed by intrigeri
Status: Merged
Approved by: John Johansen
Approved revision: c9e3ac55739701332e4378c88fb80224128eafab
Merged at revision: 392d8abe20523068beb15a1c92a7a2e0ff6f3f74
Proposed branch: ~intrigeri/apparmor-profiles/+git/apparmor-profiles:usrmerge
Merge into: ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master
Diff against target: 308 lines (+58/-58)
13 files modified
ubuntu/17.04/abstractions/ubuntu-browsers.d/plugins-common (+4/-4)
ubuntu/17.04/opt.WorldOfGoo.WorldOfGoo (+3/-3)
ubuntu/17.04/opt.introversion.darwinia.darwinia (+2/-2)
ubuntu/17.04/usr.bin.chromium-browser (+25/-25)
ubuntu/17.04/usr.bin.evolution (+5/-5)
ubuntu/17.04/usr.bin.gwibber-service (+4/-4)
ubuntu/17.04/usr.bin.irssi (+3/-3)
ubuntu/17.04/usr.bin.pidgin (+2/-2)
ubuntu/17.04/usr.bin.thunderbird (+2/-2)
ubuntu/17.04/usr.bin.ttytter (+1/-1)
ubuntu/17.04/usr.sbin.apt-cacher-ng (+4/-4)
ubuntu/17.04/usr.sbin.ejabberd (+2/-2)
ubuntu/17.04/usr.sbin.murmurd (+1/-1)

Commit message

Make more policy compatible with merged /usr

Signed-off-by: intrigeri <email address hidden>
Acked-by: John Johansen <email address hidden>

c9e3ac5... by intrigeri

Make more policy compatible with merged-/usr.

intrigeri (intrigeri) wrote :

Hi! Here's the "two weeks later" ping :)

intrigeri (intrigeri) wrote :

... and another ping :)

Christian Boltz (cboltz) wrote :

those changes look good, but I don't think it's a good idea if someone using openSUSE acks a patch that affects Ubuntu (well, including Debian) profiles ;-)

Therefore I'll leave accepting this merge request for someone else.

John Johansen (jjohansen) wrote :

Looks good

Acked-by: John Johansen <email address hidden>

John Johansen (jjohansen) :
review: Approve

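--- a/ubuntu/17.04/abstractions/ubuntu-browsers.d/plugins-common
+++ b/ubuntu/17.04/abstractions/ubuntu-browsers.d/plugins-common
@@ -5,10 +5,10 @@
 #
 @{PROC}/@{pid}/fd/ r,
 /usr/lib/** rm,
- /bin/bash ixr,
- /bin/dash ixr,
- /bin/grep ixr,
- /bin/sed ixr,
+ /{usr/,}bin/bash ixr,
+ /{usr/,}bin/dash ixr,
+ /{usr/,}bin/grep ixr,
+ /{usr/,}bin/sed ixr,
 /usr/bin/m4 ixr,
 
 # Since all the ubuntu-browsers.d abstractions need this, just include it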
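Review bot: The `{usr/,}` alternation introduced here, and in the twelve other files of this merge, is not explained anywhere in the profiles, so a reader unfamiliar with merged-/usr may read `/{usr/,}bin/bash ixr,` as a loosening rather than as the same binary reached under both directory layouts. A one-line comment above the first rewritten rule, such as `# {usr/,} covers both split-/usr and merged-/usr, where /bin resolves to /usr/bin`, would record the intent, and the same line fits the first changed rule of each other file. As far as the hunk shows, what is permitted does not otherwise change: each exec rule still names one program with the same `ixr` mode, and the abstraction already uses the same idiom for `/{,var/}run` elsewhere in this tree.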
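--- a/ubuntu/17.04/opt.WorldOfGoo.WorldOfGoo
+++ b/ubuntu/17.04/opt.WorldOfGoo.WorldOfGoo
@@ -10,9 +10,9 @@
 #include <abstractions/dbus-session>
 
 # For the wrapper script
- /bin/dash ix,
- /bin/readlink rix,
- /bin/uname rix,
+ /{usr/,}bin/dash ix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/uname rix,
 /usr/bin/dirname rix,
 
 # The game itself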
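--- a/ubuntu/17.04/opt.introversion.darwinia.darwinia
+++ b/ubuntu/17.04/opt.introversion.darwinia.darwinia
@@ -10,8 +10,8 @@
 #include <abstractions/dbus-session>
 
 # The wrapper script
- /bin/dash ix,
- /bin/grep rix,
+ /{usr/,}bin/dash ix,
+ /{usr/,}bin/grep rix,
 /usr/bin/dirname rix,
 
 # The game itself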
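--- a/ubuntu/17.04/usr.bin.chromium-browser
+++ b/ubuntu/17.04/usr.bin.chromium-browser
@@ -139,7 +139,7 @@
 # Allow communicating with sandbox
 unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
 
- /bin/ps Uxr,
+ /{usr/,}bin/ps Uxr,
 /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
 /usr/bin/xdg-settings Cxr -> xdgsettings,
 /usr/bin/lsb_release Cxr -> lsb_release,
@@ -153,7 +153,7 @@
 #include <abstractions/bash>
 #include <abstractions/gnome>
 
- /bin/dash ixr,
+ /{usr/,}bin/dash ixr,
 
 /etc/ld.so.cache r,
 /usr/bin/xdg-settings r,
@@ -161,17 +161,17 @@
 /usr/share/applications/*.desktop r,
 
 # Checking default browser
- /bin/grep ixr,
- /bin/readlink ixr,
- /bin/sed ixr,
- /bin/which ixr,
+ /{usr/,}bin/grep ixr,
+ /{usr/,}bin/readlink ixr,
+ /{usr/,}bin/sed ixr,
+ /{usr/,}bin/which ixr,
 /usr/bin/basename ixr,
 /usr/bin/cut ixr,
 
 # Setting the default browser
- /bin/mkdir ixr,
- /bin/mv ixr,
- /bin/touch ixr,
+ /{usr/,}bin/mkdir ixr,
+ /{usr/,}bin/mv ixr,
+ /{usr/,}bin/touch ixr,
 /usr/bin/dirname ixr,
 /usr/bin/gconftool-2 ix,
 /usr/bin/[gm]awk ixr,
@@ -184,7 +184,7 @@
 #include <abstractions/base>
 #include <abstractions/python>
 /usr/bin/lsb_release r,
- /bin/dash ixr,
+ /{usr/,}bin/dash ixr,
 /usr/bin/dpkg-query ixr,
 /usr/include/python2.[4567]/pyconfig.h r,
 /etc/lsb-release r,
@@ -202,21 +202,21 @@
 
 profile chromium_browser_sandbox {
 # Be fanatical since it is setuid root and don't use an abstraction
- /lib/libgcc_s.so* mr,
- /lib/@{multiarch}/libgcc_s.so* mr,
- /lib{,32,64}/libm-*.so* mr,
- /lib/@{multiarch}/libm-*.so* mr,
- /lib{,32,64}/libpthread-*.so* mr,
- /lib/@{multiarch}/libpthread-*.so* mr,
- /lib{,32,64}/libc-*.so* mr,
- /lib/@{multiarch}/libc-*.so* mr,
- /lib{,32,64}/libld-*.so* mr,
- /lib/@{multiarch}/libld-*.so* mr,
- /lib{,32,64}/ld-*.so* mr,
- /lib/@{multiarch}/ld-*.so* mr,
- /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
- /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
- /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
+ /{usr/,}lib/libgcc_s.so* mr,
+ /{usr/,}lib/@{multiarch}/libgcc_s.so* mr,
+ /{usr/,}lib{,32,64}/libm-*.so* mr,
+ /{usr/,}lib/@{multiarch}/libm-*.so* mr,
+ /{usr/,}lib{,32,64}/libpthread-*.so* mr,
+ /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
+ /{usr/,}lib{,32,64}/libc-*.so* mr,
+ /{usr/,}lib/@{multiarch}/libc-*.so* mr,
+ /{usr/,}lib{,32,64}/libld-*.so* mr,
+ /{usr/,}lib/@{multiarch}/libld-*.so* mr,
+ /{usr/,}lib{,32,64}/ld-*.so* mr,
+ /{usr/,}lib/@{multiarch}/ld-*.so* mr,
+ /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
+ /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
+ /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
 /usr/lib/libstdc++.so* mr,
 /usr/lib/@{multiarch}/libstdc++.so* mr,
 /etc/ld.so.cache r,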
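Review bot: In the chromium_browser_sandbox hunk the combination `/{usr/,}lib{,32,64}/` also matches `/usr/lib32/` and `/usr/lib64/`, which the old `/lib{,32,64}/` rules did not cover, and the "Be fanatical since it is setuid root" comment directly above makes that widening worth a sentence. Presumably it is intended, since under merged-/usr `/lib32` and `/lib64` resolve beneath `/usr`, but confirming it and recording it with a comment next to the first rewritten rule, such as `# {usr/,} also admits /usr/lib{32,64}, the merged-/usr targets of /lib{32,64}`, would keep the sandbox's rule set auditable. The `mr` mode is unchanged, so no execute permission is added by this hunk. The sandbox profile block continues outside the hunk, so any remaining `/lib/` rules there could not be checked from this view.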
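--- a/ubuntu/17.04/usr.bin.evolution
+++ b/ubuntu/17.04/usr.bin.evolution
@@ -115,7 +115,7 @@
 
 capability sys_ptrace,
 
- /bin/dash rix,
+ /{usr/,}bin/dash rix,
 @{PROC}/ r,
 @{PROC}/*/cmdline r,
 @{PROC}/*/stat r,
@@ -149,10 +149,10 @@
 
 owner @{PROC}/[0-9]*/auxv r, # investigate
 
- /bin/dash rix,
- /bin/rm ix,
- /bin/tar ix,
- /bin/gzip ix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/rm ix,
+ /{usr/,}bin/tar ix,
+ /{usr/,}bin/gzip ix,
 /usr/bin/gconftool-2 ix,
 /usr/bin/evolution Px,
 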
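--- a/ubuntu/17.04/usr.bin.gwibber-service
+++ b/ubuntu/17.04/usr.bin.gwibber-service
@@ -34,12 +34,12 @@
 
 /usr/bin/ r,
 /usr/bin/python2.7 ix,
- /bin/dash rix,
- /bin/uname rix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/uname rix,
 /usr/sbin/uuidd Cxr -> uuidd,
 
- /sbin/ldconfig rix,
- /sbin/ldconfig.real rix,
+ /{usr/,}sbin/ldconfig rix,
+ /{usr/,}sbin/ldconfig.real rix,
 
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.config/dconf/user r,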
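--- a/ubuntu/17.04/usr.bin.irssi
+++ b/ubuntu/17.04/usr.bin.irssi
@@ -14,7 +14,7 @@
 /usr/share/irssi/scripts/* r,
 /usr/share/ca-certificates/** r,
 @{PROC}/uptime r,
- /bin/dash ix,
+ /{usr/,}bin/dash ix,
 
 # for screen_away
 #include <abstractions/wutmp>
@@ -26,11 +26,11 @@
 # for /uptime
 /usr/bin/gawk ix,
 /usr/bin/expr ix,
- /bin/date ix,
+ /{usr/,}bin/date ix,
 
 # for /calc
 /usr/bin/bc ix,
- /bin/which ixr,
+ /{usr/,}bin/which ixr,
 
 # config files, etc
 /etc/irssi.conf r,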
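--- a/ubuntu/17.04/usr.bin.pidgin
+++ b/ubuntu/17.04/usr.bin.pidgin
@@ -56,8 +56,8 @@
 # owner @{HOME}/.{cache,config}/dconf/user rw,
 # owner /{,var/}run/user/[0-9]*/dconf/user rwk,
 
- /bin/dash rix,
- /bin/which rix,
+ /{usr/,}bin/dash rix,
+ /{usr/,}bin/which rix,
 
 # NB: the preferred browser and proxy settings must be configured
 # in the GNOME preferences: this profile does not allow running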
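--- a/ubuntu/17.04/usr.bin.thunderbird
+++ b/ubuntu/17.04/usr.bin.thunderbird
@@ -171,8 +171,8 @@ profile thunderbird /usr/lib/thunderbird/thunderbird {
 # so running with 'Ux', while not ideal, is ok because we will at least
 # benefit from glibc's secure execute.
 /usr/bin/mkfifo Uxr, # investigate
- /bin/ps Uxr,
- /bin/uname Uxr,
+ /{usr/,}bin/ps Uxr,
+ /{usr/,}bin/uname Uxr,
 /usr/bin/locale Uxr,
 
 /usr/bin/gpg Cx -> gpg,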
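--- a/ubuntu/17.04/usr.bin.ttytter
+++ b/ubuntu/17.04/usr.bin.ttytter
@@ -15,7 +15,7 @@
 interface="org.freedesktop.Notifications"
 member={GetServerInformation,Notify},
 
- /bin/{da,ba,}sh ixr,
+ /{usr/,}bin/{da,ba,}sh ixr,
 /usr/bin/ttytter ixr,
 /usr/bin/curl ixr,
 /usr/bin/clear ixr,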
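--- a/ubuntu/17.04/usr.sbin.apt-cacher-ng
+++ b/ubuntu/17.04/usr.sbin.apt-cacher-ng
@@ -21,10 +21,10 @@
 /var/log/apt-cacher-ng/* rw,
 /{,var/}run/systemd/notify w,
 
- /bin/dash ixr,
- /bin/ed ixr,
- /bin/red ixr,
- /bin/sed ixr,
+ /{usr/,}bin/dash ixr,
+ /{usr/,}bin/ed ixr,
+ /{usr/,}bin/red ixr,
+ /{usr/,}bin/sed ixr,
 
 /usr/lib/apt-cacher-ng/acngtool ixr,
 }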
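--- a/ubuntu/17.04/usr.sbin.ejabberd
+++ b/ubuntu/17.04/usr.sbin.ejabberd
@@ -29,6 +29,6 @@
 /usr/lib/erlang/bin/erl ixr,
 /usr/lib/erlang/erts-*/bin/* ixr,
 
- /bin/dash ixr,
- /bin/sed ixr,
+ /{usr/,}bin/dash ixr,
+ /{usr/,}bin/sed ixr,
 }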
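--- a/ubuntu/17.04/usr.sbin.murmurd
+++ b/ubuntu/17.04/usr.sbin.murmurd
@@ -29,7 +29,7 @@
 #include <abstractions/python>
 
 /usr/bin/lsb_release r,
- /bin/dash ixr,
+ /{usr/,}bin/dash ixr,
 /usr/bin/dpkg-query ixr,
 
 /usr/include/python2.[4567]/pyconfig.h r,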
