File profile-updates-2.10r3381..3384.diff of Package apparmor (project openSUSE:Leap:42.3:Rings:1-MinimalX)
------------------------------------------------------------
revno: 3384
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2017-01-30 20:44:40 +0100
message:
  Dovecot profile: change Px to mrPx for /usr/lib/dovecot/*

  Some of the /usr/lib/dovecot/* rules already have mrPx permissions, while
  others don't.

  With a more recent kernel, I noticed that at least auth, config, dict, lmtp,
  pop3 and ssl-params need mrPx instead of just Px (confirmed by the audit.log
  and actual breakage caused by the missing mr permissions).

  The mr additions for anvil, log and managesieve are just a wild guess, but I
  would be very surprised if they don't need mr.

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3383
fixes bug: https://launchpad.net/bugs/1512131
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Thu 2017-01-26 21:42:52 +0100
message:
  Dovecot profile update

  Add several permissions to the dovecot profiles that are needed on Ubuntu
  (surprisingly not on openSUSE, maybe it depends on the dovecot config?)

  As discussed some weeks ago, the added permissions use only /run/ instead of
  /{var/,}run/ (which is hopefully superfluous nowadays).

  References: https://bugs.launchpad.net/apparmor/+bug/1512131

  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------ revno: 3382 fixes bug: https://launchpad.net/bugs/1658239 author: Kees Cook committer: Seth Arnold <seth.arnold@canonical.com> branch nick: 2.10 timestamp: Fri 2017-01-20 17:22:10 -0800 message: glibc uses /proc/*/auxv and /proc/*/status files, too Acked-by: Seth Arnold <seth.arnold@canonical.com> ------------------------------------------------------------ revno: 3381 fixes bug: https://launchpad.net/bugs/1658238 author: Kees Cook committer: Seth Arnold <seth.arnold@canonical.com> branch nick: 2.10 timestamp: Fri 2017-01-20 17:19:56 -0800 message: Apache2 profile updates for proper signal handling, optional saslauth, and OCSP stapling Acked-by: Seth Arnold <seth.arnold@canonical.com> === modified file 'profiles/apparmor.d/abstractions/apache2-common' --- profiles/apparmor.d/abstractions/apache2-common 2014-06-24 18:06:06 +0000 +++ profiles/apparmor.d/abstractions/apache2-common 2017-01-21 01:19:56 +0000 @@ -8,6 +8,8 @@ signal (receive) peer=unconfined, # Allow apache to send us signals by default signal (receive) peer=/usr/sbin/apache2, + # Allow other hats to signal by default + signal peer=/usr/sbin/apache2//*, # Allow us to signal ourselves signal peer=@{profile_name}, @@ -25,3 +27,8 @@ /dev/urandom r, + # sasl-auth + /run/saslauthd/mux rw, + + # OCSP stapling + /var/log/apache2/stapling-cache rw, === modified file 'profiles/apparmor.d/abstractions/base' --- profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000 +++ profiles/apparmor.d/abstractions/base 2017-01-21 01:22:10 +0000 
@@ -92,7 +92,7 @@ /sys/devices/system/cpu/online r, # glibc's *printf protections read the maps file - @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/{maps,auxv,status} r, # libgcrypt reads some flags from /proc @{PROC}/sys/crypto/* r, === modified file 'profiles/apparmor.d/usr.lib.dovecot.anvil' --- profiles/apparmor.d/usr.lib.dovecot.anvil 2014-06-27 19:14:53 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.anvil 2017-01-26 20:42:52 +0000 @@ -18,6 +18,7 @@ capability setuid, capability sys_chroot, + /run/dovecot/anvil rw, /usr/lib/dovecot/anvil mr, # Site-specific additions and overrides. See local/README for details. === modified file 'profiles/apparmor.d/usr.lib.dovecot.auth' --- profiles/apparmor.d/usr.lib.dovecot.auth 2016-12-27 16:47:24 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.auth 2017-01-26 20:42:52 +0000 @@ -37,6 +37,9 @@ /var/tmp/sieve_* rw, /var/tmp/smtp_* rw, + /run/dovecot/auth-master rw, + /run/dovecot/auth-worker rw, + /run/dovecot/login/login rw, /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw, /{var/,}run/dovecot/stats-user rw, /{var/,}run/dovecot/anvil-auth-penalty rw, === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' --- profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:53:37 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap 2017-01-26 20:42:52 +0000 @@ -21,6 +21,8 @@ capability setuid, deny capability block_suspend, + network unix stream, + @{DOVECOT_MAILSTORE}/ rw, @{DOVECOT_MAILSTORE}/** rwkl, @@ -33,6 +35,7 @@ /usr/bin/doveconf rix, /usr/lib/dovecot/imap mrix, /usr/share/dovecot/** r, + /run/dovecot/login/imap rw, /{,var/}run/dovecot/auth-master rw, /{,var/}run/dovecot/mounts r, === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login' --- profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-12-22 16:41:59 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2017-01-26 20:42:52 +0000 
@@ -22,6 +22,7 @@ network inet stream, network inet6 stream, + network unix stream, /usr/lib/dovecot/imap-login mr, /{,var/}run/dovecot/anvil rw, === modified file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params' --- profiles/apparmor.d/usr.lib.dovecot.ssl-params 2014-06-27 19:14:53 +0000 +++ profiles/apparmor.d/usr.lib.dovecot.ssl-params 2017-01-26 20:42:52 +0000 @@ -15,6 +15,7 @@ #include <abstractions/base> #include <abstractions/dovecot-common> + /run/dovecot/login/ssl-params rw, /usr/lib/dovecot/ssl-params mr, /var/lib/dovecot/ssl-parameters.dat rw, /var/lib/dovecot/ssl-parameters.dat.tmp rwk, === modified file 'profiles/apparmor.d/usr.sbin.dovecot' --- profiles/apparmor.d/usr.sbin.dovecot 2016-11-29 20:36:19 +0000 +++ profiles/apparmor.d/usr.sbin.dovecot 2017-01-30 19:44:40 +0000 @@ -36,21 +36,21 @@ /etc/SuSE-release r, @{PROC}/@{pid}/mounts r, /usr/bin/doveconf rix, - /usr/lib/dovecot/anvil Px, - /usr/lib/dovecot/auth Px, - /usr/lib/dovecot/config Px, - /usr/lib/dovecot/dict Px, + /usr/lib/dovecot/anvil mrPx, + /usr/lib/dovecot/auth mrPx, + /usr/lib/dovecot/config mrPx, + /usr/lib/dovecot/dict mrPx, /usr/lib/dovecot/dovecot-auth Pxmr, /usr/lib/dovecot/imap Pxmr, /usr/lib/dovecot/imap-login Pxmr, - /usr/lib/dovecot/lmtp Px, - /usr/lib/dovecot/log Px, - /usr/lib/dovecot/managesieve Px, + /usr/lib/dovecot/lmtp mrPx, + /usr/lib/dovecot/log mrPx, + /usr/lib/dovecot/managesieve mrPx, /usr/lib/dovecot/managesieve-login Pxmr, - /usr/lib/dovecot/pop3 Px, + /usr/lib/dovecot/pop3 mrPx, /usr/lib/dovecot/pop3-login Pxmr, /usr/lib/dovecot/ssl-build-param rix, - /usr/lib/dovecot/ssl-params Px, + /usr/lib/dovecot/ssl-params mrPx, /usr/sbin/dovecot mrix, /usr/share/dovecot/protocols.d/ r, /usr/share/dovecot/protocols.d/** r, vim:ft=diff
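Review bot: in the first apache2-common hunk (signal rules), the added `signal peer=/usr/sbin/apache2//*,` has no access qualifier, so it permits both sending and receiving, while the comment above it ("Allow other hats to signal by default") and the neighbouring rule `signal (receive) peer=/usr/sbin/apache2,` describe receive-only. If hats are only meant to signal the main process, tighten it to `signal (receive) peer=/usr/sbin/apache2//*,`; if sending signals into every hat is intended, say so in the comment so the asymmetry with the rule above it is deliberate rather than accidental.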
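Review bot: in the second apache2-common hunk, `/run/saslauthd/mux rw,` and `/var/log/apache2/stapling-cache rw,` are fixed paths that depend on the local saslauthd setup and on the `SSLStaplingCache` directive, yet they go into the shared abstraction instead of a site-local include, so every profile that includes apache2-common gains write access to a file under /var/log whether or not it uses OCSP stapling. A comment stating which default configuration these paths correspond to would help the next reader; the commit message ("optional saslauth, and OCSP stapling") does not name it.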
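Review bot: in the abstractions/base hunk the comment still reads "glibc's *printf protections read the maps file", but the rule below it now matches `@{PROC}/@{pid}/{maps,auxv,status}`. Update the comment to mention auxv and status (the commit message "glibc uses /proc/*/auxv and /proc/*/status files, too" gives the reason) so the widened pattern is explained where it sits.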
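Review bot: in the usr.lib.dovecot.auth hunk the three new rules (`/run/dovecot/auth-master rw,`, `/run/dovecot/auth-worker rw,`, `/run/dovecot/login/login rw,`) use the bare `/run/` form directly above rules that still use `/{var/,}run/dovecot/...`; the same mix appears in the anvil, imap and ssl-params hunks. The commit message says the `/run/`-only form is deliberate, but nothing in the profiles records that, so a later maintainer is likely to "fix" the inconsistency in either direction. Either convert the adjacent rules in the same file to `/run/` in this change or add a one-line comment in each profile stating that new rules intentionally use `/run/` only.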
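Review bot: `network unix stream,` in the usr.lib.dovecot.imap and usr.lib.dovecot.imap-login hunks allows any AF_UNIX stream socket, not just the login and auth sockets that the same patch adds file rules for (`/run/dovecot/login/imap rw,` and the `/{,var/}run/dovecot/auth-master rw,` next to it). Where the parser and kernel support fine-grained unix mediation, a `unix` rule with `type=stream` and a peer address restricts this to the intended sockets; where they do not, a comment naming which sockets require the rule would at least document why the broad form was chosen.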
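Review bot: in the usr.sbin.dovecot hunk the changed lines use `mrPx` while the untouched neighbours use `Pxmr`; the two spellings are equivalent, so normalise to one form in the same change rather than leaving both side by side. More importantly, the commit message states that the `mr` additions for anvil, log and managesieve are "just a wild guess": `m` lets the master process map those binaries executable in its own domain without a transition, so please either confirm from audit.log that they are needed (as was done for auth, config, dict, lmtp, pop3 and ssl-params) or mark the three guessed rules with a comment so they can be revisited.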