File apparmor_2_8_bzr_changes_2148_2153.diff of Package apparmor_2_8
------------------------------------------------------------
revno: 2153
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.8
timestamp: Fri 2016-04-15 23:05:27 +0200
message:
  backport nscd profile additions from 2.9 branch

  The most important change is /proc/[0-9]*/cmdline to allow paranoid mode.

  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 2152
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.8
timestamp: Fri 2016-04-15 22:20:54 +0200
message:
  Backport profile additions from the 2.9 branch

  This patch backports most profile additions from the latest 2.9 branch
  r3004, with the exception of new rule types (2.8 doesn't support dbus,
  ptrace etc.) and some noisy cleanups (like /proc/*/ -> @{PROC}/@{pid}/).

  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 2151
fixes bug: https://launchpad.net/bugs/1399027
committer: Steve Beattie <sbeattie@ubuntu.com>
branch nick: 2.8
timestamp: Fri 2014-12-12 17:07:42 -0800
message:
  libapparmor: fix parsing for yet another format

  Backport from trunk revision 2830

  This patch fixes the libapparmor log parsing library to take into
  account yet another log format style, as well as incorporating a
  testcase for it.

  Bugs: https://bugs.launchpad.net/apparmor/+bug/1399027
        https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771400
        https://bugzilla.opensuse.org/show_bug.cgi?id=905368

  Nominated-by: Steve Beattie <steve@nxnw.org>
  Acked-by: John Johansen <john.johansen@canonical.com>
------------------------------------------------------------
revno: 2150
committer: Steve Beattie <sbeattie@ubuntu.com>
branch nick: 2.8
timestamp: Fri 2014-12-12 17:03:07 -0800
message:
  libaalogparse: fix for new kernel dmesg format

  Merge from trunk revision 2647

  The upstream kernel at some point between the 3.13 and 3.16 kernel
  adjusted the output of audit messages to include an additional
  "audit:" keyword. e.g. a 3.13 message would look like:

    kernel: [182243.243324] type=1400 audit(1409684003.960:273342): [SNIP]

  whereas in 3.16, it looks like:

    kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): [SNIP]
                            ^^^^^^

  This patch adjusts the libapparmor aalogparse grammar and lexer to
  compensate for this change.

  Nominated-by: Steve Beattie <steve@nxnw.org>
  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 2149
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.8
timestamp: Tue 2014-11-18 00:28:51 +0100
message:
  fix filename for .../nscd/hosts (which was accidentally changed to "host" 3 years ago)

  Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
=== modified file 'libraries/libapparmor/src/grammar.y'
--- libraries/libapparmor/src/grammar.y	2014-07-12 14:48:12 +0000
+++ libraries/libapparmor/src/grammar.y	2014-12-13 01:07:42 +0000
@@ -182,6 +182,10 @@ { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); } | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); } + | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list + { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); } + | syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list + { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); } ; /* when audit dispatches a message it doesn't prepend the audit type string */ === modified file 'libraries/libapparmor/src/scanner.l' --- libraries/libapparmor/src/scanner.l 2013-01-08 20:51:07 +0000 +++ libraries/libapparmor/src/scanner.l 2014-12-13 01:03:07 +0000 @@ -176,6 +176,7 @@ <audit_id>{ {digits} { yylval->t_str = strdup(yytext); return(TOK_AUDIT_DIGITS);} + {colon}{ws} { yy_pop_state(yyscanner); return(TOK_COLON); } {colon} { return(TOK_COLON); } {period} { return(TOK_PERIOD); } {open_paren} { return(TOK_OPEN_PAREN); } === added file 'libraries/libapparmor/testsuite/test_multi/syslog_audit_01.err' === added file 'libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in' --- libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in 2014-12-13 01:03:07 +0000 
@@ -0,0 +1,1 @@ +Sep 2 11:53:23 utopic-amd64 kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir" name="/tmp/sdtest.7283-14445-r31VAP/tmpdir/" pid=7314 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 === added file 'libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out' --- libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out 2014-12-13 01:03:07 +0000 @@ -0,0 +1,15 @@ +START +File: test_multi/syslog_audit_01.in +Event type: AA_RECORD_DENIED +Audit ID: 1409684003.960:273342 +Operation: mkdir +Mask: c +Denied Mask: c +fsuid: 0 +ouid: 0 +Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir +Name: /tmp/sdtest.7283-14445-r31VAP/tmpdir/ +Command: mkdir +PID: 7314 +Epoch: 1409684003 +Audit subid: 273342 === added file 'libraries/libapparmor/testsuite/test_multi/syslog_audit_02.err' === added file 'libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in' --- libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in 2014-12-13 01:07:42 +0000 @@ -0,0 +1,1 @@ +Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 === added file 'libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out' --- libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out 1970-01-01 00:00:00 +0000 +++ libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out 2014-12-13 01:07:42 +0000 
@@ -0,0 +1,15 @@ +START +File: test_multi/syslog_audit_02.in +Event type: AA_RECORD_ALLOWED +Audit ID: 1417954745.397:82 +Operation: open +Mask: r +Denied Mask: r +fsuid: 1000 +ouid: 0 +Profile: /home/simi/bin/aa-test +Name: /usr/bin/ +Command: ls +PID: 3231 +Epoch: 1417954745 +Audit subid: 82 === modified file 'profiles/apparmor.d/abstractions/X' --- profiles/apparmor.d/abstractions/X 2013-01-04 17:45:19 +0000 +++ profiles/apparmor.d/abstractions/X 2016-04-15 20:20:54 +0000 @@ -19,6 +19,8 @@ @{HOME}/.Xauthority r, owner /{,var/}run/gdm{,3}/*/database r, owner /{,var/}run/lightdm/authority/[0-9]* r, + owner /{,var/}run/lightdm/*/xauthority r, + owner /{,var/}run/user/*/gdm/Xauthority r, # the unix socket to use to connect to the display /tmp/.X11-unix/* w, @@ -32,9 +34,13 @@ /usr/share/X11/** r, /usr/X11R6/**.so* mr, + # EGL + /usr/lib/@{multiarch}/egl/*.so* mr, + # DRI /usr/lib{,32,64}/dri/** mr, /usr/lib/@{multiarch}/dri/** mr, + /usr/lib/fglrx/dri/** mr, /dev/dri/** rw, /etc/drirc r, owner @{HOME}/.drirc r, === modified file 'profiles/apparmor.d/abstractions/aspell' --- profiles/apparmor.d/abstractions/aspell 2012-01-18 18:15:57 +0000 +++ profiles/apparmor.d/abstractions/aspell 2016-04-15 20:20:54 +0000 @@ -8,4 +8,6 @@ /usr/lib/aspell/ r, /usr/lib/aspell/* r, /usr/lib/aspell/*.so m, + /usr/share/aspell/ r, + /usr/share/aspell/* r, /var/lib/aspell/* r, === modified file 'profiles/apparmor.d/abstractions/base' --- profiles/apparmor.d/abstractions/base 2013-04-09 13:18:40 +0000 +++ profiles/apparmor.d/abstractions/base 2016-04-15 20:20:54 +0000 @@ -26,12 +26,14 @@ /etc/locale/** r, /etc/locale.alias r, /etc/localtime r, + /usr/share/locale-bundle/** r, /usr/share/locale-langpack/** r, /usr/share/locale/** r, /usr/share/**/locale/** r, /usr/share/zoneinfo/ r, /usr/share/zoneinfo/** r, /usr/share/X11/locale/** r, + /{,var/}run/systemd/journal/dev-log w, /usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/gconv/*.so mr, 
@@ -103,6 +105,9 @@ # glibc malloc (man 5 proc) @{PROC}/sys/vm/overcommit_memory r, + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked # filesystems generally. This does not appreciably decrease security with # Ubuntu profiles because the user is expected to have access to files owned === modified file 'profiles/apparmor.d/abstractions/cups-client' --- profiles/apparmor.d/abstractions/cups-client 2012-01-06 16:45:34 +0000 +++ profiles/apparmor.d/abstractions/cups-client 2016-04-15 20:20:54 +0000 @@ -12,7 +12,7 @@ # discoverable system configuration for non-local cupsd /etc/cups/client.conf r, # client should be able to talk the local cupsd - /{,var/}run/cups/cups.sock w, + /{,var/}run/cups/cups.sock rw, # client should be able to read user-specified cups configuration owner @{HOME}/.cups/client.conf r, owner @{HOME}/.cups/lpoptions r, === modified file 'profiles/apparmor.d/abstractions/fonts' --- profiles/apparmor.d/abstractions/fonts 2013-10-14 23:31:38 +0000 +++ profiles/apparmor.d/abstractions/fonts 2016-04-15 20:20:54 +0000 @@ -52,3 +52,6 @@ # poppler CMap tables /usr/share/poppler/cMap/** r, + + # data files for LibThai + /usr/share/libthai/thbrk.tri r, === modified file 'profiles/apparmor.d/abstractions/freedesktop.org' --- profiles/apparmor.d/abstractions/freedesktop.org 2014-09-11 00:40:14 +0000 +++ profiles/apparmor.d/abstractions/freedesktop.org 2016-04-15 20:20:54 +0000 @@ -11,6 +11,7 @@ # system configuration /usr/share/applications/ r, + /usr/share/applications/defaults.list r, /usr/share/applications/mimeinfo.cache r, /usr/share/applications/*.desktop r, /usr/share/icons/ r, 
@@ -30,6 +31,7 @@ owner @{HOME}/.recently-used.xbel* rw, owner @{HOME}/.local/share/recently-used.xbel* rw, owner @{HOME}/.config/user-dirs.dirs r, + owner @{HOME}/.config/mimeapps.list r, owner @{HOME}/.local/share/applications/ r, owner @{HOME}/.local/share/applications/*.desktop r, owner @{HOME}/.local/share/applications/defaults.list r, === modified file 'profiles/apparmor.d/abstractions/nameservice' --- profiles/apparmor.d/abstractions/nameservice 2014-09-11 00:37:02 +0000 +++ profiles/apparmor.d/abstractions/nameservice 2016-04-15 20:20:54 +0000 @@ -26,12 +26,21 @@ /var/lib/extrausers/group r, /var/lib/extrausers/passwd r, + # When using sssd, the passwd and group files are stored in an alternate path + # and the nss plugin also needs to talk to a pipe + /var/lib/sss/mc/group r, + /var/lib/sss/mc/passwd r, + /var/lib/sss/pipes/nss rw, + /etc/resolv.conf r, # on systems using resolvconf, /etc/resolv.conf is a symlink to # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in # /etc/resolvconf/run/resolv.conf /{,var/}run/resolvconf/resolv.conf r, /etc/resolvconf/run/resolv.conf r, + # on systems using systemd's networkd, /etc/resolv.conf is a symlink to + # /run/systemd/resolve/resolv.conf + /{,var/}run/systemd/resolve/resolv.conf r, /etc/samba/lmhosts r, /etc/services r, @@ -41,7 +50,7 @@ # to vast speed increases when working with network-based lookups. /{,var/}run/.nscd_socket rw, /{,var/}run/nscd/socket rw, - /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r, + /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts} r, # nscd renames and unlinks files in it's operation that clients will # have open /{,var/}run/nscd/db* rmix, === modified file 'profiles/apparmor.d/abstractions/p11-kit' --- profiles/apparmor.d/abstractions/p11-kit 2013-09-12 14:25:56 +0000 +++ profiles/apparmor.d/abstractions/p11-kit 2016-04-15 20:20:54 +0000 
@@ -19,6 +19,9 @@ /usr/share/p11-kit/modules/ r, /usr/share/p11-kit/modules/* r, + # gnome-keyring pkcs11 module + owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw, + # p11-kit also supports reading user configuration from ~/.pkcs11 depending # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be # included in this abstraction. === modified file 'profiles/apparmor.d/abstractions/php5' --- profiles/apparmor.d/abstractions/php5 2010-03-30 17:34:32 +0000 +++ profiles/apparmor.d/abstractions/php5 2016-04-15 20:20:54 +0000 @@ -11,8 +11,8 @@ # ------------------------------------------------------------------ # shared snippets for config files - /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r, - /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r, + /etc/php5/**/ r, + /etc/php5/**.ini r, # Xlibs /usr/X11R6/lib{,32,64}/lib*.so* mr, @@ -30,3 +30,6 @@ # MySQL extension /usr/share/mysql/** r, + + # Zend opcache + /tmp/.ZendSem.* rwlk, === modified file 'profiles/apparmor.d/abstractions/samba' --- profiles/apparmor.d/abstractions/samba 2013-12-23 21:16:59 +0000 +++ profiles/apparmor.d/abstractions/samba 2016-04-15 20:20:54 +0000 @@ -13,7 +13,7 @@ /usr/share/samba/*.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, /var/cache/samba/ w, - /var/lib/samba/**.tdb rwk, + /var/lib/samba/** rwk, /var/log/samba/cores/ rw, /var/log/samba/cores/** rw, /var/log/samba/log.* w, === modified file 'profiles/apparmor.d/abstractions/ssl_certs' --- profiles/apparmor.d/abstractions/ssl_certs 2013-11-25 23:42:19 +0000 +++ profiles/apparmor.d/abstractions/ssl_certs 2016-04-15 20:20:54 +0000 @@ -12,6 +12,10 @@ /etc/ssl/ r, /etc/ssl/certs/ r, /etc/ssl/certs/* r, + /etc/pki/trust/ r, + /etc/pki/trust/* r, + /etc/pki/trust/anchors/ r, + /etc/pki/trust/anchors/** r, /usr/share/ca-certificates/ r, /usr/share/ca-certificates/** r, /usr/share/ssl/certs/ca-bundle.crt r, 
@@ -19,3 +23,7 @@ /usr/local/share/ca-certificates/** r, /var/lib/ca-certificates/ r, /var/lib/ca-certificates/** r, + + # acmetool + /var/lib/acme/certs/*/chain r, + /var/lib/acme/certs/*/cert r, === modified file 'profiles/apparmor.d/abstractions/ssl_keys' --- profiles/apparmor.d/abstractions/ssl_keys 2010-12-20 20:29:10 +0000 +++ profiles/apparmor.d/abstractions/ssl_keys 2016-04-15 20:20:54 +0000 @@ -16,3 +16,7 @@ /etc/ssl/ r, /etc/ssl/** r, + # acmetool + /var/lib/acme/live/* r, + /var/lib/acme/certs/** r, + /var/lib/acme/keys/** r, === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/java' --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2013-01-03 23:37:41 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2016-04-15 20:20:54 +0000 @@ -12,6 +12,8 @@ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java, /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java, /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java, + owner /{,var/}run/user/*/icedteaplugin-*/ rw, + owner /{,var/}run/user/*/icedteaplugin-*/** rwk, # Profile for the supported OpenJDK in Ubuntu. This doesn't require the # unfortunate workarounds of the proprietary Javas, so have a separate === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia' --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia 2013-01-09 23:15:59 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia 2016-04-15 20:20:54 +0000 @@ -55,3 +55,6 @@ # Virus scanners /usr/bin/clamscan Cx -> sanitized_helper, + + # gxine (LP: #1057642) + /var/lib/xine/gxine.desktop r, === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common' --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common 2012-01-17 14:22:11 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common 2016-04-15 20:20:54 +0000 
@@ -5,10 +5,10 @@ # @{PROC}/[0-9]*/fd/ r, /usr/lib/** rm, - /bin/bash ixr, - /bin/dash ixr, - /bin/grep ixr, - /bin/sed ixr, + /{,usr/}bin/bash ixr, + /{,usr/}bin/dash ixr, + /{,usr/}bin/grep ixr, + /{,usr/}bin/sed ixr, /usr/bin/m4 ixr, # Since all the ubuntu-browsers.d abstractions need this, just include it === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration' --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2013-07-01 15:51:11 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2016-04-15 20:20:54 +0000 @@ -33,3 +33,9 @@ /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, /etc/xdg/xfce4/helpers.rc r, + + # unity webapps integration. Could go in its own abstraction + owner /run/user/*/dconf/user rw, + owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk, + /usr/bin/debconf-communicate Cxr -> sanitized_helper, + owner @{HOME}/.config/libaccounts-glib/accounts.db rk, === modified file 'profiles/apparmor.d/abstractions/ubuntu-email' --- profiles/apparmor.d/abstractions/ubuntu-email 2012-05-18 20:30:22 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-email 2016-04-15 20:20:54 +0000 @@ -10,6 +10,8 @@ /usr/bin/balsa Cx -> sanitized_helper, /usr/bin/claws-mail Cx -> sanitized_helper, /usr/bin/evolution Cx -> sanitized_helper, + /usr/bin/geary Cx -> sanitized_helper, + /usr/bin/gnome-gmail Cx -> sanitized_helper, /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper, /usr/bin/kmail Cx -> sanitized_helper, /usr/bin/mailody Cx -> sanitized_helper, === modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers' --- profiles/apparmor.d/abstractions/ubuntu-helpers 2013-01-03 23:44:14 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-helpers 2016-04-15 20:20:54 +0000 @@ -33,6 +33,7 @@ profile sanitized_helper { #include <abstractions/base> + #include <abstractions/X> # Allow all networking network inet, 
@@ -53,11 +54,15 @@ # permissions for /usr/share, but for now just do this. (LP: #972367) /usr/share/software-center/* Pixr, + # Allow exec of texlive font build scripts (LP: #1010909) + /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr, + # While the chromium and chrome sandboxes are setuid root, they only link # in limited libraries so glibc's secure execution should be enough to not # require the santized_helper (ie, LD_PRELOAD will only use standard system # paths (man ld.so)). /usr/lib/chromium-browser/chromium-browser-sandbox PUxr, + /usr/lib/chromium-browser/chrome-sandbox PUxr, /opt/google/chrome/chrome-sandbox PUxr, /opt/google/chrome/google-chrome Pixr, /opt/google/chrome/chrome Pixr, === modified file 'profiles/apparmor.d/abstractions/user-mail' --- profiles/apparmor.d/abstractions/user-mail 2010-12-22 22:55:18 +0000 +++ profiles/apparmor.d/abstractions/user-mail 2016-04-15 20:20:54 +0000 @@ -1,6 +1,7 @@ # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE +# Copyright (C) 2014 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -12,8 +13,8 @@ owner @{HOME}/[mM]ail/ r, owner @{HOME}/[mM]ail/** rwl, owner @{HOME}/postponed* rwl, - /var/spool/mail/ r, - /var/spool/mail/* rwl, + /var/{,spool/}mail/ r, + /var/{,spool/}mail/* rwl, owner @{HOME}/mbox.lock* rwl, owner @{HOME}/mbox rw, owner @{HOME}/inbox rw, === modified file 'profiles/apparmor.d/apache2.d/phpsysinfo' --- profiles/apparmor.d/apache2.d/phpsysinfo 2011-07-14 12:57:57 +0000 +++ profiles/apparmor.d/apache2.d/phpsysinfo 2016-04-15 20:20:54 +0000 
@@ -5,36 +5,44 @@ #include <abstractions/apache2-common> #include <abstractions/base> #include <abstractions/nameservice> + #include <abstractions/php5> #include <abstractions/python> - /bin/dash ixr, - /bin/df ixr, - /bin/mount ixr, - /bin/uname ixr, + /{,usr/}bin/dash ixr, + /{,usr/}bin/df ixr, + /{,usr/}bin/mount ixr, + /{,usr/}bin/uname ixr, /dev/bus/usb/ r, /dev/bus/usb/** r, /etc/debian_version r, /etc/lsb-release r, /etc/mtab r, /etc/phpsysinfo/config.php r, + /etc/udev/udev.conf r, /proc/** r, + /sys/bus/ r, /sys/bus/pci/devices/ r, + /sys/bus/pci/slots/ r, + /sys/bus/pci/slots/** r, + /sys/bus/usb/devices/ r, + /sys/class/ r, /sys/devices/** r, + /usr/bin/ r, /usr/bin/apt-cache ixr, /usr/bin/dpkg-query ixr, /usr/bin/lsb_release ixr, /usr/bin/lspci ixr, /usr/bin/who ixr, - /usr/sbin/lsusb ixr, + /usr/{,s}bin/lsusb ixr, /usr/share/phpsysinfo/** r, + /var/lib/dpkg/arch r, /var/lib/dpkg/available r, /var/lib/dpkg/status r, /var/lib/dpkg/triggers/* r, /var/lib/dpkg/updates/ r, - /var/lib/misc/usb.ids r, + /var/lib/{misc,usbutils}/usb.ids r, /var/log/apache2/access.log w, /var/log/apache2/error.log w, /{,var/}run/utmp rk, /usr/share/misc/pci.ids r, - } === modified file 'profiles/apparmor.d/sbin.syslog-ng' --- profiles/apparmor.d/sbin.syslog-ng 2012-01-09 12:28:25 +0000 +++ profiles/apparmor.d/sbin.syslog-ng 2016-04-15 20:20:54 +0000 @@ -20,6 +20,7 @@ #include <abstractions/consoles> #include <abstractions/nameservice> #include <abstractions/mysql> + #include <abstractions/openssl> capability chown, capability dac_override, @@ -34,7 +35,10 @@ /dev/syslog w, /dev/tty10 rw, /dev/xconsole rw, + /etc/machine-id r, /etc/syslog-ng/* r, + /etc/syslog-ng/conf.d/ r, + /etc/syslog-ng/conf.d/* r, @{PROC}/kmsg r, /etc/hosts.deny r, /etc/hosts.allow r, 
@@ -47,6 +51,10 @@ @{CHROOT_BASE}/var/log/** w, @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw, @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw, + /{var,var/run,run}/log/journal/ r, + /{var,var/run,run}/log/journal/*/ r, + /{var,var/run,run}/log/journal/*/*.journal r, + /{var/,}run/syslog-ng.ctl a, /{var/,}run/syslog-ng/additional-log-sockets.conf r, # Site-specific additions and overrides. See local/README for details. === modified file 'profiles/apparmor.d/usr.sbin.identd' --- profiles/apparmor.d/usr.sbin.identd 2011-07-14 12:57:57 +0000 +++ profiles/apparmor.d/usr.sbin.identd 2016-04-15 20:20:54 +0000 @@ -23,7 +23,9 @@ /usr/sbin/identd rmix, @{PROC}/net/tcp r, @{PROC}/net/tcp6 r, - /{,var/}run/identd.pid w, + /{,var/}run/identd.pid w, + /{,var/}run/identd/ w, + /{,var/}run/identd/identd.pid w, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.identd> === modified file 'profiles/apparmor.d/usr.sbin.nscd' --- profiles/apparmor.d/usr.sbin.nscd 2013-03-05 21:12:37 +0000 +++ profiles/apparmor.d/usr.sbin.nscd 2016-04-15 21:05:27 +0000 @@ -34,9 +34,10 @@ /{,var/}run/nscd/ rw, /{,var/}run/nscd/db* rwl, /{,var/}run/nscd/socket wl, - /var/{cache,run}/nscd/{passwd,group,services,hosts,netgroup} rw, + /{var/cache,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw, /{,var/}run/{nscd/,}nscd.pid rwl, /var/log/nscd.log rw, + @{PROC}/[0-9]*/cmdline r, @{PROC}/[0-9]*/fd/ r, @{PROC}/[0-9]*/fd/* r, @{PROC}/[0-9]*/maps r, === modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2014-08-11 21:24:23 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2016-04-15 20:20:54 +0000 
@@ -17,6 +17,7 @@ capability net_bind_service, capability setgid, capability setuid, + capability sys_admin, # needed to store ACLS in the security.NTACL namespace capability sys_resource, capability sys_tty_config, === modified file 'profiles/apparmor.d/usr.sbin.smbldap-useradd' --- profiles/apparmor.d/usr.sbin.smbldap-useradd 2012-01-10 18:06:24 +0000 +++ profiles/apparmor.d/usr.sbin.smbldap-useradd 2016-04-15 20:20:54 +0000 @@ -8,7 +8,7 @@ #include <abstractions/perl> /dev/tty rw, - /bin/bash ix, + /{,usr/}bin/bash ix, /etc/init.d/nscd Cx, /etc/shadow r, /etc/smbldap-tools/smbldap.conf r, @@ -26,9 +26,9 @@ capability sys_ptrace, - /bin/bash r, - /bin/mountpoint rix, - /bin/systemctl rix, + /{,usr/}bin/bash r, + /{,usr/}bin/mountpoint rix, + /{,usr/}bin/systemctl rix, /dev/tty rw, /etc/init.d/nscd r, /etc/rc.status r,
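Review bot: In the grammar.y hunk, the third new alternative (the one without TOK_DMESG_STAMP) frees only `$2`, which is correct because there is no `$4` dmesg-stamp string in that production, but sitting directly under a sibling rule that frees both `$2` and `$4` it looks like an omission. A one-line comment such as `/* no dmesg stamp, so nothing at $4 to free */` would stop the next reader from "fixing" it into a double free or a leak.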
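Review bot: In the scanner.l hunk, the new `{colon}{ws}` rule in the `<audit_id>` start condition is what tells the `audit:` keyword apart from the `audit(...)` id that follows it, and it does so purely by the whitespace after the colon: a colon followed by digits still hits the plain `{colon}` rule and the lexer stays in `audit_id`. That is exactly what the two new test inputs exercise, but the dependency on trailing whitespace is not obvious from the rule itself; a comment on the line (`/* "audit: " keyword, not the audit(...) id; leave audit_id state */`) would document why the state is popped here and nowhere else in the block.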
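Review bot: The php5 abstraction hunk adds `/tmp/.ZendSem.* rwlk` without an `owner` qualifier, so every process confined by a profile that includes this abstraction gets read, write, link and lock access to any file matching that name in world-writable /tmp, regardless of who created it. `owner /tmp/.ZendSem.* rwlk,` would follow the pattern the same patch uses for the X, p11-kit and java additions and keep the rule to the semaphore files the confined process created itself. The same hunk also widens `/etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini` to `/etc/php5/**.ini` and `/etc/php5/**/`; probably intended, but the commit message does not say what needed it.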
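Review bot: The samba abstraction hunk replaces `/var/lib/samba/**.tdb rwk` with `/var/lib/samba/** rwk`, which extends read/write/lock access from the tdb databases to every file and directory under /var/lib/samba, and the revno 2152 message ("backport profile additions") gives no reason for the widening. If particular non-.tdb files are what is needed, listing them, or at least a comment naming them next to the rule, would keep the shared abstraction closer to least privilege.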
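Review bot: In the ubuntu-helpers hunk at `@@ -33,6 +33,7 @@`, adding `#include <abstractions/X>` to the `sanitized_helper` profile grants X socket and Xauthority access to every helper executed through that profile, not only the ones that need a display. That is a noticeable widening of a profile shared by many browsers' helpers, and neither the hunk nor the revno 2152 message says which helper required it; a comment on the include line naming the reason would help later reviewers judge whether it can be narrowed.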
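Review bot: In the ubuntu-integration hunk, `owner /run/user/*/dconf/user rw` hard-codes `/run/` while every other rule this patch adds under that directory uses the `/{,var/}run/user/...` form (see the X, p11-kit and java hunks). For consistency, and for 2.8-era systems where /var/run is not a symlink to /run, `owner /{,var/}run/user/*/dconf/user rw,` would be preferable.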
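Review bot: In the usr.sbin.nscd hunk, `@{PROC}/[0-9]*/cmdline r` grants read access to the command line of every process on the system, while the revno 2153 message only says the rule is needed "to allow paranoid mode". If paranoid mode only needs nscd's own command line, a rule restricted to nscd's own /proc entry would be enough; if it really needs other processes' cmdline, a comment on the rule should say so, since command lines can carry credentials passed as arguments.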
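Review bot: The usr.sbin.smbd hunk adds `capability sys_admin`, which is one of the broadest capabilities a profile can grant, and the revno 2152 message does not mention it. The inline comment ("needed to store ACLS in the security.NTACL namespace") is the right kind of justification to keep on the rule; please also call the grant out in the commit message or changelog, since it is the one change in this backport that materially weakens an existing profile rather than adding a path. Minor: "ACLS" should read "ACLs".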