File upstream-profile-updates-r3205-3241.diff of Package apparmor

Overview Repositories Revisions Requests Users Attributes Meta

File upstream-profile-updates-r3205-3241.diff of Package apparmor

AppArmor bzr trunk
bzr diff -r3205..3241 profiles/
(+ abstractions/X change modified to single line syntax)

------------------------------------------------------------
revno: 3238
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Fri 2015-09-18 19:06:47 +0200
message:
  dnsmasq profile - also allow /bin/sh
  
  This patch is based on a SLE12 patch to allow executing the
  --dhcp-script. We already have most parts of that patch since r2841,
  however the SLE bugreport indicates that /bin/sh is executed (which is
  usually a symlink to /bin/bash or /bin/dash), so we should also allow
  /bin/sh
  
  References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
  
  
  Acked-by: Seth Arnold <seth.arnold@canonicalc.com> for trunk and 2.9
------------------------------------------------------------
revno: 3237
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2015-09-15 14:24:57 +0200
message:
  Allow ntpd to read directory listings of $PATH
  
  For some reasons, it needs to do that to find readable, writeable and
  executable files.
  
  See also https://bugzilla.opensuse.org/show_bug.cgi?id=945592
  
  
  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3236
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Wed 2015-09-09 00:00:23 +0200
message:
  Update the /sbin/dhclient profile
  
  Add some permissions that I need on my system:
  - execute nm-dhcp-helper
  - read and write /var/lib/dhcp6/dhclient.leases
  - read /var/lib/NetworkManager/dhclient-*.conf
  - read and write /var/lib/NetworkManager/dhclient-*.conf
  
  
  Looks-good-by: Steve Beattie <steve@nxnw.org>
  Acked-by: <timeout> for trunk and 2.9
------------------------------------------------------------
revno: 3234
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Thu 2015-09-03 18:27:00 +0200
message:
  Dovecot imap needs to read /run/dovecot/mounts
  
  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
------------------------------------------------------------
revno: 3225
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Sun 2015-08-23 15:20:20 +0200
message:
  add /usr/share/locale-bundle/ to abstractions/base
  
  /usr/share/locale-bundle/ contains translations packaged in
  bundle-lang-* packages in openSUSE.
  
  
  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
------------------------------------------------------------
revno: 3213
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Thu 2015-07-30 22:03:02 +0200
message:
  winbindd profile: allow k for /etc/samba/smbd.tmp/msg/*
  
  References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 starting at comment 15
  
  
  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
------------------------------------------------------------
revno: 3212
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2015-07-28 01:15:31 +0200
message:
  skype profile: allow reading @{PROC}/@{pid}/net/dev
  
  References: https://bugzilla.opensuse.org/show_bug.cgi?id=939568
  
  
  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.9
------------------------------------------------------------
revno: 3211
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 15:03:30 -0500
message:
  profiles/apparmor.d/usr.sbin.avahi-daemon: allow write access to
  /run/systemd/notify which is needed on systems with systemd
  
  Signed-off-by: Jamie Strandboge <jamie@canonical.com>
  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3210
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 15:01:46 -0500
message:
  profiles/apparmor.d/abstractions/X: also allow unix connections to
  @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird
  
  Signed-off-by: Jamie Strandboge <jamie@canonical.com>
  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3209
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 13:56:27 -0500
message:
  profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to /bin/bash
  
  Signed-off-by: Jamie Strandboge <jamie@canonical.com>
  Acked-by: Christian Boltz <apparmor@cboltz.de>
------------------------------------------------------------
revno: 3207 [merge]
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Mon 2015-07-20 10:16:18 -0500
message:
  [ intrigeri ]
  dconf abstraction: allow reading /etc/dconf/**.
  That's needed e.g. for Totem on current Debian Jessie.
  
  Acked-By: Jamie Strandboge <jamie@canonical.com>
------------------------------------------------------------
Use --include-merged or -n0 to see merged revisions.

=== modified file 'profiles/apparmor.d/abstractions/X'
--- profiles/apparmor.d/abstractions/X	2015-03-25 21:58:31 +0000
+++ profiles/apparmor.d/abstractions/X	2015-07-24 20:01:46 +0000
@@ -27,4 +27,5 @@
   unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
 
   /usr/include/X11/               r,
   /usr/include/X11/**             r,

=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base	2015-01-21 19:30:46 +0000
+++ profiles/apparmor.d/abstractions/base	2015-08-23 13:20:20 +0000
@@ -26,6 +26,7 @@
   /etc/locale/**                 r,
   /etc/locale.alias              r,
   /etc/localtime                 r,
+  /usr/share/locale-bundle/**    r,
   /usr/share/locale-langpack/**  r,
   /usr/share/locale/**           r,
   /usr/share/**/locale/**        r,

=== modified file 'profiles/apparmor.d/abstractions/dconf'
--- profiles/apparmor.d/abstractions/dconf	2013-10-09 13:18:09 +0000
+++ profiles/apparmor.d/abstractions/dconf	2015-07-19 13:42:54 +0000
@@ -3,5 +3,6 @@
 # permissions for querying dconf settings; granting write access should
 # be specified in a specific application's profile.
 
+  /etc/dconf/** r,
   owner /{,var/}run/user/*/dconf/user r,
   owner @{HOME}/.config/dconf/user r,

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap	2014-12-22 16:41:59 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap	2015-09-03 16:27:00 +0000
@@ -27,6 +27,7 @@
   @{HOME} r, # ???
   /usr/lib/dovecot/imap mr,
   /{,var/}run/dovecot/auth-master rw,
+  /{,var/}run/dovecot/mounts r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.imap>

=== modified file 'profiles/apparmor.d/usr.sbin.avahi-daemon'
--- profiles/apparmor.d/usr.sbin.avahi-daemon	2014-09-03 19:16:32 +0000
+++ profiles/apparmor.d/usr.sbin.avahi-daemon	2015-07-24 20:03:30 +0000
@@ -26,6 +26,7 @@
   /{,var/}run/avahi-daemon/ w,
   /{,var/}run/avahi-daemon/pid krw,
   /{,var/}run/avahi-daemon/socket w,
+  /{,var/}run/systemd/notify w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.avahi-daemon>

=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
--- profiles/apparmor.d/usr.sbin.dnsmasq	2015-03-30 03:49:09 +0000
+++ profiles/apparmor.d/usr.sbin.dnsmasq	2015-09-18 17:06:47 +0000
@@ -45,7 +45,7 @@
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
 
-  /bin/bash ix, # Required to execute --dhcp-script argument
+  /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
 
   # access to iface mtu needed for Router Advertisement messages in IPv6
   # Neighbor Discovery protocol (RFC 2461)

=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
--- profiles/apparmor.d/usr.sbin.ntpd	2015-05-18 23:20:49 +0000
+++ profiles/apparmor.d/usr.sbin.ntpd	2015-09-15 12:24:57 +0000
@@ -37,6 +37,7 @@
   /etc/ntpd.conf.tmp r,
 
   /tmp/ntp* rwl,
+  /{usr/,usr/local/,}{s,}bin/ r,
   /usr/sbin/ntpd rmix,
   /var/lib/ntp/drift rwl,
   /var/lib/ntp/drift.TEMP rwl,

=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd	2015-05-18 23:25:26 +0000
+++ profiles/apparmor.d/usr.sbin.winbindd	2015-07-30 20:03:02 +0000
@@ -15,7 +15,7 @@
   /etc/samba/secrets.tdb rwk,
   /etc/samba/smbd.tmp/ rw,
   /etc/samba/smbd.tmp/msg/ rw,
-  /etc/samba/smbd.tmp/msg/* rw,
+  /etc/samba/smbd.tmp/msg/* rwk,
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,

=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient'
--- profiles/apparmor/profiles/extras/sbin.dhclient	2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/sbin.dhclient	2015-09-08 22:00:23 +0000
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2015 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -25,6 +26,8 @@
   #include <abstractions/bash>
   #include <abstractions/nameservice>
 
+  capability net_raw,
+
   network packet packet,
   network packet raw,
 
@@ -47,13 +50,17 @@
   /usr/bin/uptime             mrix,
   /usr/bin/vmstat             mrix,
   /usr/bin/w                  mrix,
+  /usr/lib/nm-dhcp-helper     rix,
   /var/lib/dhcp/dhclient.leases     rw,
   /var/lib/dhcp/dhclient-*.leases   rw,
+  /var/lib/dhcp6/dhclient.leases    rw,
+  /var/lib/NetworkManager/dhclient-*.conf  r,
+  /var/lib/NetworkManager/dhclient-*.lease rw,
   /var/log/lastlog            r,
   /var/log/messages           r,
   /var/log/wtmp               r,
-  /{,var/}run/dhclient.pid       rw,
-  /{,var/}run/dhclient-*.pid     rw,
+  /{,var/}run/dhclient.pid    rw,
+  /{,var/}run/dhclient-*.pid  rw,
   /var/spool                  r,
   /var/spool/mail             r,

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.skype'
--- profiles/apparmor/profiles/extras/usr.bin.skype	2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.skype	2015-07-27 23:15:31 +0000
@@ -20,6 +20,7 @@
 
   @{PROC}/sys/kernel/{ostype,osrelease} r,
   @{PROC}/@{pid}/net/arp r,
+  @{PROC}/@{pid}/net/dev r,
   owner @{PROC}/@{pid}/auxv r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,

Places

File upstream-profile-updates-r3205-3241.diff of Package apparmor

Places