Merge lp:~intrigeri/apparmor/profile-backports-for-2.8 into lp:apparmor/2.8

Proposed by intrigeri
Status: Merged
Merged at revision: 2144
Proposed branch: lp:~intrigeri/apparmor/profile-backports-for-2.8
Merge into: lp:apparmor/2.8
Diff against target: 202 lines (+35/-15)
11 files modified
profiles/apparmor.d/abstractions/audio (+3/-0)
profiles/apparmor.d/abstractions/freedesktop.org (+1/-0)
profiles/apparmor.d/abstractions/gnome (+2/-0)
profiles/apparmor.d/abstractions/kde (+1/-0)
profiles/apparmor.d/abstractions/mysql (+2/-2)
profiles/apparmor.d/abstractions/nameservice (+6/-1)
profiles/apparmor.d/abstractions/openssl (+1/-0)
profiles/apparmor.d/abstractions/perl (+4/-2)
profiles/apparmor.d/abstractions/python (+10/-10)
utils/logprof.conf (+2/-0)
utils/severity.db (+3/-0)
To merge this branch: bzr merge lp:~intrigeri/apparmor/profile-backports-for-2.8
Reviewer: Seth Arnold
Review status: Approve
Review via email: mp+234547@code.launchpad.net

Description of the change

I've looked at the abstractions log between 2.8 and master, and cherry-picked the revisions that seemed relevant and unrisky enough. I'd like to nominate these revisions for 2.8.4. I've not tested the result yet, and cannot easily test all of these changes. If this is too much, I can prepare a subset of these changes and test it.

Seth Arnold (seth-arnold) wrote :

Looks good to me.

review: Approve

Preview Diff

1=== modified file 'profiles/apparmor.d/abstractions/audio'
2--- profiles/apparmor.d/abstractions/audio 2013-04-09 13:17:39 +0000
3+++ profiles/apparmor.d/abstractions/audio 2014-09-12 20:36:06 +0000
4@@ -68,3 +68,6 @@
5 # openal
6 /etc/openal/alsoft.conf r,
7 owner @{HOME}/.alsoftrc r,
8+
9+# wildmidi
10+/etc/wildmidi/wildmidi.cfg r,
11
12=== modified file 'profiles/apparmor.d/abstractions/freedesktop.org'
13--- profiles/apparmor.d/abstractions/freedesktop.org 2011-01-13 17:13:34 +0000
14+++ profiles/apparmor.d/abstractions/freedesktop.org 2014-09-12 20:36:06 +0000
15@@ -30,6 +30,7 @@
16 owner @{HOME}/.recently-used.xbel* rw,
17 owner @{HOME}/.local/share/recently-used.xbel* rw,
18 owner @{HOME}/.config/user-dirs.dirs r,
19+ owner @{HOME}/.local/share/applications/ r,
20 owner @{HOME}/.local/share/applications/*.desktop r,
21 owner @{HOME}/.local/share/applications/defaults.list r,
22 owner @{HOME}/.local/share/applications/mimeapps.list r,
23
24=== modified file 'profiles/apparmor.d/abstractions/gnome'
25--- profiles/apparmor.d/abstractions/gnome 2013-05-30 21:46:31 +0000
26+++ profiles/apparmor.d/abstractions/gnome 2014-09-12 20:36:06 +0000
27@@ -21,6 +21,7 @@
28 /etc/gtk/* r,
29 /usr/lib{,32,64}/gtk/** mr,
30 /usr/lib/@{multiarch}/gtk/** mr,
31+ /usr/share/themes/ r,
32 /usr/share/themes/** r,
33
34 # for gnome 1 applications
35@@ -82,4 +83,5 @@
36
37 # mime-types
38 /etc/gnome/defaults.list r,
39+ /usr/share/gnome/applications/ r,
40 /usr/share/gnome/applications/mimeinfo.cache r,
41
42=== modified file 'profiles/apparmor.d/abstractions/kde'
43--- profiles/apparmor.d/abstractions/kde 2012-01-19 14:20:28 +0000
44+++ profiles/apparmor.d/abstractions/kde 2014-09-12 20:36:06 +0000
45@@ -22,6 +22,7 @@
46 /etc/kderc r,
47 /etc/kde3/* r,
48 /etc/kde4rc r,
49+/etc/xdg/Trolltech.conf r,
50
51 @{HOME}/.DCOPserver_* r,
52 @{HOME}/.ICEauthority r,
53
54=== modified file 'profiles/apparmor.d/abstractions/mysql'
55--- profiles/apparmor.d/abstractions/mysql 2013-01-13 13:41:56 +0000
56+++ profiles/apparmor.d/abstractions/mysql 2014-09-12 20:36:06 +0000
57@@ -9,7 +9,7 @@
58 #
59 # ------------------------------------------------------------------
60
61- /var/lib/mysql/mysql.sock rw,
62- /{var/,}run/mysql/mysql.sock rw,
63+ /var/lib/mysql{,d}/mysql{,d}.sock rw,
64+ /{var/,}run/mysql{,d}/mysql{,d}.sock rw,
65 /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
66 /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
67
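Review bot: The two new socket rules use independent alternations, mysql{,d}/mysql{,d}.sock, so each rule matches four paths, including the mixed pairs mysql/mysqld.sock and mysqld/mysql.sock, not only the two matched pairs. If only some of those layouts are actually in use, listing them explicitly would keep the rw grant as narrow as before; otherwise a one-line comment naming the packages that need the "d" variants would help later readers.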
68=== modified file 'profiles/apparmor.d/abstractions/nameservice'
69--- profiles/apparmor.d/abstractions/nameservice 2014-07-09 08:18:54 +0000
70+++ profiles/apparmor.d/abstractions/nameservice 2014-09-12 20:36:06 +0000
71@@ -21,6 +21,11 @@
72 /etc/passwd r,
73 /etc/protocols r,
74
75+ # When using libnss-extrausers, the passwd and group files are merged from
76+ # an alternate path
77+ /var/lib/extrausers/group r,
78+ /var/lib/extrausers/passwd r,
79+
80 /etc/resolv.conf r,
81 # on systems using resolvconf, /etc/resolv.conf is a symlink to
82 # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
83@@ -50,7 +55,7 @@
84 /etc/default/nss r,
85
86 # avahi-daemon is used for mdns4 resolution
87- /{,var/}run/avahi-daemon/socket w,
88+ /{,var/}run/avahi-daemon/socket rw,
89
90 # nis
91 #include <abstractions/nis>
92
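Review bot: The change from w to rw on /{,var/}run/avahi-daemon/socket widens access for every profile that includes this abstraction, but the comment above the rule still only says the socket is used for mdns4 resolution. Please extend that comment to state why read access is needed, so the broader permission is not narrowed again by mistake or questioned in a later audit.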
93=== modified file 'profiles/apparmor.d/abstractions/openssl'
94--- profiles/apparmor.d/abstractions/openssl 2011-08-08 20:22:03 +0000
95+++ profiles/apparmor.d/abstractions/openssl 2014-09-12 20:36:06 +0000
96@@ -10,4 +10,5 @@
97
98 /etc/ssl/openssl.cnf r,
99 /usr/share/ssl/openssl.cnf r,
100+ @{PROC}/sys/crypto/fips_enabled r,
101
102
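Review bot: The new @{PROC}/sys/crypto/fips_enabled rule has no comment saying why a /proc path belongs in the openssl abstraction; a one-line note above it (presumably the library checks whether FIPS mode is enabled) would make the intent clear. The rule also depends on @{PROC} being defined for every profile that includes this abstraction, which is worth confirming for the 2.8 branch.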
103=== modified file 'profiles/apparmor.d/abstractions/perl'
104--- profiles/apparmor.d/abstractions/perl 2010-12-20 20:29:10 +0000
105+++ profiles/apparmor.d/abstractions/perl 2014-09-12 20:36:06 +0000
106@@ -13,8 +13,10 @@
107 /usr/bin/perl rmix,
108 /usr/bin/perl[0-9].[0-9].[0-9] rmix,
109
110- /usr/lib{,32,64}/perl5/** r,
111- /usr/lib{,32,64}/perl{,5}/**.so* mr,
112+ /usr/lib{,32,64}/perl5/** r,
113+ /usr/lib{,32,64}/perl{,5}/**.so* mr,
114+ /usr/lib/@{multiarch}/perl{,5}/** r,
115+ /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
116
117 /usr/share/perl/** r,
118 /usr/share/perl5/** r,
119
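Review bot: The multiarch .so rule requires a version directory, perl{,5}/[0-9]*/**.so*, while the existing lib{,32,64} rule two lines above it maps any perl{,5}/**.so*. A shared object placed directly under /usr/lib/@{multiarch}/perl5/ would therefore get r from the preceding multiarch rule but not m. If that restriction is intended, say so in a comment; if not, align the pattern with the lib{,32,64} one.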
120=== modified file 'profiles/apparmor.d/abstractions/python'
121--- profiles/apparmor.d/abstractions/python 2012-01-06 16:38:06 +0000
122+++ profiles/apparmor.d/abstractions/python 2014-09-12 20:36:06 +0000
123@@ -10,28 +10,28 @@
124 #
125 # ------------------------------------------------------------------
126
127- /usr/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
128- /usr/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
129- /usr/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
130+ /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mr,
131+ /usr/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth} r,
132+ /usr/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
133+ /usr/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
134
135- /usr/local/lib{,32,64}/python2.[4567]/**.{pyc,so} mr,
136- /usr/local/lib{,32,64}/python2.[4567]/**.{egg,py,pth} r,
137- /usr/local/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
138+ /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mr,
139+ /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth} r,
140+ /usr/local/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
141+ /usr/local/lib{,32,64}/python3.[234]/lib-dynload/*.so mr,
142
143 # Site-wide configuration
144- /etc/python2.[4567]/** r,
145+ /etc/python{2,3}.[34567]/** r,
146
147 # shared python paths
148 /usr/share/{pyshared,pycentral,python-support}/** r,
149 /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
150 /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
151 /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
152+ /usr/lib/python3/dist-packages/**.so mr,
153
154 # wx paths
155 /usr/lib/wx/python/*.pth r,
156
157 # python build configuration and headers
158 /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
159-
160- # python setup script used by apport
161- /etc/python{2,3}.[0-7]*/sitecustomize.py r,
162
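Review bot: The version classes in this hunk do not line up: the main rules use python{2,3}.[34567], which newly admits python2.3 and leaves out python3.2, while the added lib-dynload rules use python3.[234], so for 3.2 only lib-dynload/*.so is covered. Similarly, /usr/lib/python3/dist-packages/**.so gets mr but no rule visible here grants r on the .py files in that directory, and dropping the /etc/python{2,3}.[0-7]*/sitecustomize.py rule leaves that file readable only for the versions matched by /etc/python{2,3}.[34567]/**. Suggest either separate python2.[4567] and python3.[2-4] patterns or a comment stating which interpreter versions are meant to be supported.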
163=== modified file 'utils/logprof.conf'
164--- utils/logprof.conf 2011-08-18 23:17:22 +0000
165+++ utils/logprof.conf 2014-09-12 20:36:06 +0000
166@@ -1,6 +1,7 @@
167 # ------------------------------------------------------------------
168 #
169 # Copyright (C) 2004-2006 Novell/SUSE
170+# Copyright (C) 2014 Canonical Ltd.
171 #
172 # This program is free software; you can redistribute it and/or
173 # modify it under the terms of version 2 of the GNU General Public
174@@ -105,6 +106,7 @@
175
176 # if they use any perl modules, grant access to all
177 ^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
178+ ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
179
180 # locale foo
181 ^/usr/lib/locale/.+$ = /usr/lib/locale/**
182
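Review bot: The new left-hand pattern ^/usr/lib/[^\/]+/perl5?/.+$ accepts any single directory under /usr/lib, yet the rule it proposes is limited to @{multiarch}, so a logged path whose directory is not a multiarch triplet would produce a suggestion that does not cover it. It also matches perl/ as well as perl5/, while the existing line above handles perl5 only. Consider tightening the left-hand side or noting the difference in the comment above the two entries.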
183=== modified file 'utils/severity.db'
184--- utils/severity.db 2014-07-22 05:56:11 +0000
185+++ utils/severity.db 2014-09-12 20:36:06 +0000
186@@ -1,6 +1,7 @@
187 # ------------------------------------------------------------------
188 #
189 # Copyright (C) 2002-2005 Novell/SUSE
190+# Copyright (C) 2014 Canonical Ltd.
191 #
192 # This program is free software; you can redistribute it and/or
193 # modify it under the terms of version 2 of the GNU General Public
194@@ -231,6 +232,8 @@
195 /usr/lib/lib*so* 3 8 4
196 /usr/lib/iptables/* 2 8 2
197 /usr/lib/perl5/** 4 10 6
198+/usr/lib/*/perl/** 4 10 6
199+/usr/lib/*/perl5/** 4 10 6
200 /usr/lib/gconv/* 4 7 4
201 /usr/lib/locale/** 4 8 0
202 /usr/lib/jvm/** 5 7 5
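Review bot: The two added entries use /usr/lib/*/, which matches any subdirectory of /usr/lib rather than only multiarch directories, and they introduce a perl/ entry although the existing non-multiarch line covers perl5 only. The 4 10 6 values copy the perl5 line, which is consistent, but a matching /usr/lib/perl/** entry or a short comment on the asymmetry would make the table easier to audit.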
