lp:~intrigeri/apparmor/wayland
- Get this branch:
- bzr branch lp:~intrigeri/apparmor/wayland
Branch merges
- Steve Beattie: Approve
-
Diff: 28 lines (+13/-0)
2 files modified
profiles/apparmor.d/abstractions/gnome (+1/-0)
profiles/apparmor.d/abstractions/wayland (+12/-0)
Recent revisions
- 3507. By intrigeri
-
Include the wayland abstraction from the gnome one.
This is the least invasive solution to the problem I'm trying to solve
right now (Evince not starting in GNOME on Wayland, and probably
similar issues for other GNOME applications I suppose).

At some point, we will probably want to source the wayland abstraction
from other desktop environments' abstractions, or simply from the
X one. Let's come back to it once people using these other desktop
environments on Wayland with AppArmor enabled tell us what policy
change is needed to make it work for them.
- 3506. By intrigeri
-
Add a basic wayland abstraction.
It's good enough to allow starting Evince in GNOME on Wayland,
on current Debian unstable.

References: https://bugs.debian.org/807880
- 3505. By John Johansen
-
Previously a stack with unconfined would cause the mode to be reported as mixed

  profile_A//&:ns1://unconfined (mixed)

this is confusing and can even break some trusted helpers. The unconfined
profile has been special cased and now will report enforce when stacking
with unconfined

  profile_A//&:ns1://unconfined (enforce)

This patch fixes the regression tests to work with this change

Signed-off-by: John Johansen <email address hidden>
Acked-by: Seth Arnold <email address hidden>
- 3504. By Seth Arnold
-
gnome abstraction: allow reading file type associations from another place where it can live on Debian.
In Debian, gnome-session (3.20.1-2)'s changelog reads:

  If /etc/gnome/defaults.list was modified by the system administrator,
  the file is moved to /etc/xdg/gnome-mimeapps.list during the upgrade.

So we want to at least support /etc/xdg/gnome-mimeapps.list. And
while we're at it, let's support *-mimeapps.list instead of just
gnome-mimeapps.list, in case other desktop environments or derivatives
need such customizations.
- 3503. By Christian Boltz
-
Fix aa-logprof "add hat" endless loop
This turned out to be a simple case of misinterpreting the promptUser()
result - it returns the answer and the selected option, and
"surprisingly" something like
('CMD_ADDHAT', 0)
never matched
'CMD_ADDHAT'
;-)

I also noticed that the new hat doesn't get initialized as
profile_storage(), and that the changed profile doesn't get marked as
changed. This is also fixed by this patch.

References: https://bugs.launchpad.net/apparmor/+bug/1538306

Acked-by: Steve Beattie <email address hidden> for trunk, 2.10 and 2.9
- 3502. By Christian Boltz
-
type_is_str(): make pyflakes3 happy
pyflakes3 doesn't check sys.version and therefore complains about
'unicode' being undefined.

This patch defines unicode as alias of str to make pyflakes3 happy, and
as a side effect, simplifies type_is_str().

Acked-by: Seth Arnold <email address hidden> for trunk and 2.10.
- 3501. By Christian Boltz
-
delete_duplicates(): don't modify self.rules while looping over it

By calling self.delete() inside the delete_duplicates() loop, the
self.rules list was modified. This resulted in some rules not being
checked and therefore (some, not all) superfluous rules not being
removed.

This patch switches to a temporary variable to loop over, and rebuilds
self.rules with the rules that are not superfluous.

This also fixes some strange issues already marked with a "Huh?" comment
in the tests.

Acked-by: Seth Arnold <email address hidden> for trunk and 2.10.
Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule,
therefore the cleanprof_test.out change doesn't make sense for 2.10.
- 3500. By Christian Boltz
-
winbindd profile: allow dac_override
This is needed to delete kerberos ccache files, for details see
https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5

Acked-by: Seth Arnold <email address hidden> for trunk, 2.10 and 2.9.
Acked-by: Steve Beattie <email address hidden> for trunk, 2.10 and 2.9.
- 3499. By Christian Boltz
-
logparser: store network-related params if an event looks like network
Network events can come with an operation= that looks like a file event.
Nevertheless, if the event has a typical network parameter (like
net_protocol) set, make sure to store the network-related flags in ev.

This fixes the test failure introduced in my last commit.
Acked-by: Kshitij Gupta <email address hidden> for trunk, 2.10 and 2.9
- 3498. By Christian Boltz
-
logparser.py: ignore network events with 'send receive'
We already ignore network events that look like file events (based on
the operation keyword) if they have a request_mask of 'send' or
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
It turned out that both can happen at once, so we should also ignore
this case.

Also add the now-ignored log event as test_multi testcase.

References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13

Acked-by: Tyler Hicks <email address hidden> for trunk, 2.10 and 2.9.
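
The failure mode described in revision 3501 above, as an added example (a simplified model, not the AppArmor project's code): deleting from a list while iterating over it skips the element after each deletion, so some superfluous rules survive in the profile. The `Ruleset` class, the `_buggy`/`_fixed` method names, the `run()` helper and the sample rules are assumptions made for illustration.

```python
# Simplified model of the delete_duplicates() bug from revision 3501.
# Class, helper and sample data are hypothetical, not AppArmor's own code.

class Ruleset:
    def __init__(self, rules):
        self.rules = list(rules)

    def delete(self, rule):
        self.rules.remove(rule)

    def delete_duplicates_buggy(self, covered):
        """Delete while iterating: the list shifts left under the iterator."""
        deleted = 0
        for rule in self.rules:
            if rule in covered:
                # The next rule slides into this index and is never checked.
                self.delete(rule)
                deleted += 1
        return deleted

    def delete_duplicates_fixed(self, covered):
        """Loop over a temporary variable and rebuild self.rules."""
        oldrules = self.rules
        self.rules = []
        deleted = 0
        for rule in oldrules:
            if rule in covered:
                deleted += 1          # superfluous: drop it
            else:
                self.rules.append(rule)
        return deleted


# Constructed sample: three rules already granted by an included abstraction,
# followed by one rule the profile still needs.
COVERED = {"/etc/passwd r,", "/etc/group r,", "/etc/nsswitch.conf r,"}
PROFILE = ["/etc/passwd r,", "/etc/group r,",
           "/etc/nsswitch.conf r,", "/usr/bin/evince mr,"]


def run(method_name):
    """Apply one variant to a fresh copy of PROFILE; return (deleted, remaining)."""
    ruleset = Ruleset(PROFILE)
    deleted = getattr(ruleset, method_name)(COVERED)
    return deleted, ruleset.rules


if __name__ == "__main__":
    print("buggy:", run("delete_duplicates_buggy"))
    print("fixed:", run("delete_duplicates_fixed"))
```

In the buggy variant the second covered rule is skipped because it moved into the slot the iterator had already passed, which matches the "some, not all" wording of the commit message.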
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:apparmor/2.12