File upstream-profile-updates-r3205-3241.diff of Package apparmor
AppArmor bzr trunk

bzr diff -r3205..3241 profiles/
(+ abstractions/X change modified to single line syntax)

------------------------------------------------------------
revno: 3238
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Fri 2015-09-18 19:06:47 +0200
message:
  dnsmasq profile - also allow /bin/sh

  This patch is based on a SLE12 patch to allow executing the
  --dhcp-script. We already have most parts of that patch since r2841,
  however the SLE bugreport indicates that /bin/sh is executed (which is
  usually a symlink to /bin/bash or /bin/dash), so we should also allow
  /bin/sh

  References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)

  Acked-by: Seth Arnold <seth.arnold@canonicalc.com> for trunk and 2.9
------------------------------------------------------------
revno: 3237
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2015-09-15 14:24:57 +0200
message:
  Allow ntpd to read directory listings of $PATH

  For some reasons, it needs to do that to find readable, writeable and
  executable files.

  See also https://bugzilla.opensuse.org/show_bug.cgi?id=945592

  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3236
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Wed 2015-09-09 00:00:23 +0200
message:
  Update the /sbin/dhclient profile

  Add some permissions that I need on my system:
  - execute nm-dhcp-helper
  - read and write /var/lib/dhcp6/dhclient.leases
  - read /var/lib/NetworkManager/dhclient-*.conf
  - read and write /var/lib/NetworkManager/dhclient-*.conf

  Looks-good-by: Steve Beattie <steve@nxnw.org>
  Acked-by: <timeout> for trunk and 2.9
------------------------------------------------------------
revno: 3234
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Thu 2015-09-03 18:27:00 +0200
message:
  Dovecot imap needs to read /run/dovecot/mounts

  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
------------------------------------------------------------
revno: 3225
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Sun 2015-08-23 15:20:20 +0200
message:
  add /usr/share/locale-bundle/ to abstractions/base

  /usr/share/locale-bundle/ contains translations packaged in
  bundle-lang-* packages in openSUSE.

  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
------------------------------------------------------------
revno: 3213
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Thu 2015-07-30 22:03:02 +0200
message:
  winbindd profile: allow k for /etc/samba/smbd.tmp/msg/*

  References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098
  starting at comment 15

  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
------------------------------------------------------------
revno: 3212
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2015-07-28 01:15:31 +0200
message:
  skype profile: allow reading @{PROC}/@{pid}/net/dev

  References: https://bugzilla.opensuse.org/show_bug.cgi?id=939568

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.9
------------------------------------------------------------
revno: 3211
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 15:03:30 -0500
message:
  profiles/apparmor.d/usr.sbin.avahi-daemon: allow write access to
  /run/systemd/notify which is needed on systems with systemd

  Signed-off-by: Jamie Strandboge <jamie@canonical.com>
  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3210
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 15:01:46 -0500
message:
  profiles/apparmor.d/abstractions/X: also allow unix connections to
  @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird

  Signed-off-by: Jamie Strandboge <jamie@canonical.com>
  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3209
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 13:56:27 -0500
message:
  profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to
  /bin/bash
Signed-off-by: Jamie Strandboge <jamie@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> ------------------------------------------------------------ revno: 3207 [merge] committer: Jamie Strandboge <jamie@ubuntu.com> branch nick: apparmor timestamp: Mon 2015-07-20 10:16:18 -0500 message: [ intrigeri ] dconf abstraction: allow reading /etc/dconf/**. That's needed e.g. for Totem on current Debian Jessie. Acked-By: Jamie Strandboge <jamie@canonical.com> ------------------------------------------------------------ Use --include-merged or -n0 to see merged revisions. === modified file 'profiles/apparmor.d/abstractions/X' --- profiles/apparmor.d/abstractions/X 2015-03-25 21:58:31 +0000 +++ profiles/apparmor.d/abstractions/X 2015-07-24 20:01:46 +0000 @@ -27,4 +27,5 @@ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), /usr/include/X11/ r, /usr/include/X11/** r, === modified file 'profiles/apparmor.d/abstractions/base' --- profiles/apparmor.d/abstractions/base 2015-01-21 19:30:46 +0000 +++ profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000 @@ -26,6 +26,7 @@ /etc/locale/** r, /etc/locale.alias r, /etc/localtime r, + /usr/share/locale-bundle/** r, /usr/share/locale-langpack/** r, /usr/share/locale/** r, /usr/share/**/locale/** r, === modified file 'profiles/apparmor.d/abstractions/dconf' --- profiles/apparmor.d/abstractions/dconf 2013-10-09 13:18:09 +0000 +++ profiles/apparmor.d/abstractions/dconf 2015-07-19 13:42:54 +0000 
@@ -3,5 +3,6 @@ # permissions for querying dconf settings; granting write access should # be specified in a specific application's profile. + /etc/dconf/** r, owner /{,var/}run/user/*/dconf/user r, owner @{HOME}/.config/dconf/user r, === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' --- profiles/apparmor.d/usr.lib.dovecot.imap 2014-12-22 16:41:59 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000 @@ -27,6 +27,7 @@ @{HOME} r, # ??? /usr/lib/dovecot/imap mr, /{,var/}run/dovecot/auth-master rw, + /{,var/}run/dovecot/mounts r, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.imap> === modified file 'profiles/apparmor.d/usr.sbin.avahi-daemon' --- profiles/apparmor.d/usr.sbin.avahi-daemon 2014-09-03 19:16:32 +0000 +++ profiles/apparmor.d/usr.sbin.avahi-daemon 2015-07-24 20:03:30 +0000 @@ -26,6 +26,7 @@ /{,var/}run/avahi-daemon/ w, /{,var/}run/avahi-daemon/pid krw, /{,var/}run/avahi-daemon/socket w, + /{,var/}run/systemd/notify w, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.avahi-daemon> === modified file 'profiles/apparmor.d/usr.sbin.dnsmasq' --- profiles/apparmor.d/usr.sbin.dnsmasq 2015-03-30 03:49:09 +0000 +++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-18 17:06:47 +0000 @@ -45,7 +45,7 @@ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage - /bin/bash ix, # Required to execute --dhcp-script argument + /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument # access to iface mtu needed for Router Advertisement messages in IPv6 # Neighbor Discovery protocol (RFC 2461) === modified file 'profiles/apparmor.d/usr.sbin.ntpd' --- profiles/apparmor.d/usr.sbin.ntpd 2015-05-18 23:20:49 +0000 +++ profiles/apparmor.d/usr.sbin.ntpd 2015-09-15 12:24:57 +0000 
@@ -37,6 +37,7 @@ /etc/ntpd.conf.tmp r, /tmp/ntp* rwl, + /{usr/,usr/local/,}{s,}bin/ r, /usr/sbin/ntpd rmix, /var/lib/ntp/drift rwl, /var/lib/ntp/drift.TEMP rwl, === modified file 'profiles/apparmor.d/usr.sbin.winbindd' --- profiles/apparmor.d/usr.sbin.winbindd 2015-05-18 23:25:26 +0000 +++ profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000 @@ -15,7 +15,7 @@ /etc/samba/secrets.tdb rwk, /etc/samba/smbd.tmp/ rw, /etc/samba/smbd.tmp/msg/ rw, - /etc/samba/smbd.tmp/msg/* rw, + /etc/samba/smbd.tmp/msg/* rwk, @{PROC}/sys/kernel/core_pattern r, /tmp/.winbindd/ w, /tmp/krb5cc_* rwk, === modified file 'profiles/apparmor/profiles/extras/sbin.dhclient' --- profiles/apparmor/profiles/extras/sbin.dhclient 2013-01-02 23:34:38 +0000 +++ profiles/apparmor/profiles/extras/sbin.dhclient 2015-09-08 22:00:23 +0000 @@ -1,6 +1,7 @@ # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2015 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -25,6 +26,8 @@ #include <abstractions/bash> #include <abstractions/nameservice> + capability net_raw, + network packet packet, network packet raw, 
@@ -47,13 +50,17 @@ /usr/bin/uptime mrix, /usr/bin/vmstat mrix, /usr/bin/w mrix, + /usr/lib/nm-dhcp-helper rix, /var/lib/dhcp/dhclient.leases rw, /var/lib/dhcp/dhclient-*.leases rw, + /var/lib/dhcp6/dhclient.leases rw, + /var/lib/NetworkManager/dhclient-*.conf r, + /var/lib/NetworkManager/dhclient-*.lease rw, /var/log/lastlog r, /var/log/messages r, /var/log/wtmp r, - /{,var/}run/dhclient.pid rw, - /{,var/}run/dhclient-*.pid rw, + /{,var/}run/dhclient.pid rw, + /{,var/}run/dhclient-*.pid rw, /var/spool r, /var/spool/mail r, === modified file 'profiles/apparmor/profiles/extras/usr.bin.skype' --- profiles/apparmor/profiles/extras/usr.bin.skype 2013-01-02 23:34:38 +0000 +++ profiles/apparmor/profiles/extras/usr.bin.skype 2015-07-27 23:15:31 +0000 @@ -20,6 +20,7 @@ @{PROC}/sys/kernel/{ostype,osrelease} r, @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/auxv r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r,
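Review bot: in profiles/apparmor.d/abstractions/X, the added peer address `@/tmp/.ICE-unix/[0-9]*` is looser than it reads: `[0-9]*` is a single digit followed by a `*` glob, so it matches any abstract socket name in that location that merely starts with a digit, not only purely numeric ones. This mirrors the existing `.X11-unix/X[0-9]*` rule, so it is consistent, but every profile that includes abstractions/X inherits it. A one-line comment above the rule naming the clients that need ICE (the commit message lists firefox and thunderbird) would help later audits.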
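Review bot: in profiles/apparmor.d/usr.sbin.dnsmasq, `/bin/{ba,da,}sh ix` keeps the `ix` mode, so whichever shell matches runs the --dhcp-script under dnsmasq's own profile, and the script gets only what this profile grants. The trailing comment should say so, so that someone debugging a denied script looks at this profile rather than for a separate shell profile. The alternation itself expands to /bin/bash, /bin/dash and /bin/sh, which agrees with the commit messages for r3209 and r3238.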
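Review bot: in profiles/apparmor.d/usr.sbin.ntpd, the new `/{usr/,usr/local/,}{s,}bin/ r,` rule carries no comment, and the commit message itself only says ntpd needs it "for some reasons". Please add an inline comment with the bug reference (bugzilla.opensuse.org id 945592) and state that the trailing slash limits the rule to listing the six bin and sbin directories, without granting read access to the files inside them.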
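Review bot: in profiles/apparmor/profiles/extras/sbin.dhclient, the @@ -25,6 +26,8 @@ hunk adds `capability net_raw,`, which is not among the permissions listed in the r3236 commit message. A capability grant deserves an explicit mention: either list it in the message or add a comment beside the neighbouring `network packet` rules saying what requires it.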
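Review bot: in the @@ -47,13 +50,17 @@ hunk of profiles/apparmor/profiles/extras/sbin.dhclient, the added rule is `/var/lib/NetworkManager/dhclient-*.lease rw,`, while the commit message names dhclient-*.conf for both the read entry and the read and write entry; the message should name the .lease path for the second one. The two dhclient pid rules are also removed and re-added with the same rule text, which looks like a whitespace-only change. Consider dropping it from this patch, or mentioning it in the message, so it does not obscure the permission changes.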