lp:~intrigeri/apparmor/wayland

Created by intrigeri and last modified
Get this branch:
bzr branch lp:~intrigeri/apparmor/wayland

Branch information

Owner: intrigeri
Project: AppArmor
Status: Merged

Recent revisions

3507. By intrigeri

Include the wayland abstraction from the gnome one.

This is the least invasive solution to the problem I'm trying to solve
right now (Evince not starting in GNOME on Wayland, and probably
similar issues for other GNOME applications I suppose).

At some point, we will probably want to source the wayland abstraction
from other desktop environments' abstractions, or simply from the
X one. Let's come back to it once people using these other desktop
environments on Wayland with AppArmor enabled tell us what policy
change is needed to make it work for them.

3506. By intrigeri

Add a basic wayland abstraction.

It's good enough to allow starting Evince in GNOME on Wayland,
on current Debian unstable.

References: https://bugs.debian.org/807880

3505. By John Johansen

Previously a stack with unconfined would cause the mode to be reported as mixed

  profile_A//&:ns1://unconfined (mixed)

this is confusing and can even break some trusted helpers. The unconfined
profile has been special cased and now will report enforce when stacking
with unconfined

  profile_A//&:ns1://unconfined (enforce)

This patch fixes the regression tests to work with this change

Signed-off-by: John Johansen <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3504. By Seth Arnold

gnome abstraction: allow reading file type associations from another place where it can live on Debian.

    In Debian, gnome-session (3.20.1-2)'s changelog reads:

        If /etc/gnome/defaults.list was modified by the system administrator,
        the file is moved to /etc/xdg/gnome-mimeapps.list during the upgrade.

    So we want to at least support /etc/xdg/gnome-mimeapps.list. And
    while we're at it, let's support *-mimeapps.list instead of just
    gnome-mimeapps.list, in case other desktop environments or derivatives
    need such customizations.

3503. By Christian Boltz

Fix aa-logprof "add hat" endless loop

This turned out to be a simple case of misinterpreting the promptUser()
result - it returns the answer and the selected option, and
"surprisingly" something like
    ('CMD_ADDHAT', 0)
never matched
    'CMD_ADDHAT'
;-)

I also noticed that the new hat doesn't get initialized as
profile_storage(), and that the changed profile doesn't get marked as
changed. This is also fixed by this patch.

References: https://bugs.launchpad.net/apparmor/+bug/1538306

Acked-by: Steve Beattie <email address hidden> for trunk, 2.10 and 2.9

3502. By Christian Boltz

type_is_str(): make pyflakes3 happy

pyflakes3 doesn't check sys.version and therefore complains about
'unicode' being undefined.

This patch defines unicode as alias of str to make pyflakes3 happy, and
as a side effect, simplifies type_is_str().

Acked-by: Seth Arnold <email address hidden> for trunk and 2.10.

3501. By Christian Boltz

delete_duplicates(): don't modify self.rules while looping over it

By calling self.delete() inside the delete_duplicates() loop, the
self.rules list was modified. This resulted in some rules not being
checked and therefore (some, not all) superfluous rules not being
removed.

This patch switches to a temporary variable to loop over, and rebuilds
self.rules with the rules that are not superfluous.

This also fixes some strange issues already marked with a "Huh?" comment
in the tests.

Acked-by: Seth Arnold <email address hidden> for trunk and 2.10.

Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule,
therefore the cleanprof_test.out change doesn't make sense for 2.10.

3500. By Christian Boltz

winbindd profile: allow dac_override

This is needed to delete kerberos ccache files, for details see
https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5

Acked-by: Seth Arnold <email address hidden> for trunk, 2.10 and 2.9.
Acked-by: Steve Beattie <email address hidden> for trunk, 2.10 and 2.9.

3499. By Christian Boltz

logparser: store network-related params if an event looks like network

Network events can come with an operation= that looks like a file event.
Nevertheless, if the event has a typical network parameter (like
net_protocol) set, make sure to store the network-related flags in ev.

This fixes the test failure introduced in my last commit.

Acked-by: Kshitij Gupta <email address hidden> for trunk, 2.10 and 2.9

3498. By Christian Boltz

logparser.py: ignore network events with 'send receive'

We already ignore network events that look like file events (based on
the operation keyword) if they have a request_mask of 'send' or
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
It turned out that both can happen at once, so we should also ignore
this case.

Also add the now-ignored log event as test_multi testcase.

References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13

Acked-by: Tyler Hicks <email address hidden> for trunk, 2.10 and 2.9.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:apparmor/2.12