Hello, the attached patch backports most of the profile updates we currently have in trunk to the 2.8 branch.

Backported from trunk to the 2.8 branch:
- additional/alternative paths in various abstractions
- /bin/ping -> /{usr/,}bin/ping
- update mailing list address in extra profiles README

Not backported (= remaining differences):
- move extra profiles to /usr/share/apparmor/extra-profiles/ (I doubt we should do this in a minor release)
- capability block_suspend for usr.sbin.nscd (because the 2.8 parser doesn't support it - which is a problem on its own)

Regards,

Christian Boltz
--
[Looking it up in the bug tracker] Then you know right away whether the software has a bug, or you do... [Franz Alt in suse-linux]

Backported from trunk to the 2.8 branch: - additional/alternative paths in various abstractions - /bin/ping -> /{usr/,}bin/ping - update mailinglist address in extra profiles README Not backported (= remaining differences): - move extra profiles to /usr/share/apparmor/extra-profiles/ (I doubt we should do this in a minor release) - capability block_suspend for usr.sbin.nscd (because the 2.8 parser doesn't support it) === modified file 'profiles/apparmor.d/abstractions/fonts' --- profiles/apparmor.d/abstractions/fonts 2012-03-02 21:08:03 +0000 +++ profiles/apparmor.d/abstractions/fonts 2012-12-18 21:44:33 +0000 @@ -37,8 +37,8 @@ @{HOME}/.fonts/ r, @{HOME}/.fonts/** r, @{HOME}/.fonts.cache-2 mr, - @{HOME}/.fontconfig/ r, - @{HOME}/.fontconfig/** mrl, + @{HOME}/.{,cache/}fontconfig/ r, + @{HOME}/.{,cache/}fontconfig/** mrl, @{HOME}/.fonts.conf.d/ r, @{HOME}/.fonts.conf.d/** r, === modified file 'profiles/apparmor.d/abstractions/gnome' --- profiles/apparmor.d/abstractions/gnome 2012-01-11 13:17:32 +0000 +++ profiles/apparmor.d/abstractions/gnome 2012-12-18 21:44:33 +0000 @@ -83,3 +83,6 @@ # mime-types /etc/gnome/defaults.list r, /usr/share/gnome/applications/mimeinfo.cache r, + + # poppler CMap tables + /usr/share/poppler/cMap/** r, === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/java' --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2012-03-02 19:03:04 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2012-12-18 21:44:33 +0000 
@@ -4,9 +4,11 @@ owner @{HOME}/.java/deployment/deployment.properties k, /etc/java-*/ r, /etc/java-*/** r, - /usr/lib/jvm/java-6-openjdk*/jre/lib/*/IcedTeaPlugin.so mr, + /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/*/IcedTeaPlugin.so mr, /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk, /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk, + /usr/lib/jvm/java-7-openjdk/jre/bin/java cx -> browser_openjdk, + /usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk, /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java, /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java, /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java, @@ -44,8 +46,8 @@ /var/lib/dbus/machine-id r, /usr/bin/env ix, - /usr/lib/jvm/java-6-openjdk*/jre/bin/java ix, - /usr/lib/jvm/java-6-openjdk*/jre/lib/i386/client/classes.jsa m, + /usr/lib/jvm/java-{6,7}-openjdk*/jre/bin/java ix, + /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m, # Why would java need this? deny /usr/bin/gconftool-2 x, === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration' --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2012-01-17 14:00:56 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2012-12-18 21:44:34 +0000 @@ -29,3 +29,6 @@ # Exo-aware applications /usr/bin/exo-open ixr, + /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, + /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, + /etc/xdg/xfce4/helpers.rc r, === modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers' --- profiles/apparmor.d/abstractions/ubuntu-helpers 2012-05-02 12:44:55 +0000 +++ profiles/apparmor.d/abstractions/ubuntu-helpers 2012-12-18 21:44:34 +0000 
@@ -43,10 +43,11 @@ /bin/* Pixr, /sbin/* Pixr, /usr/bin/* Pixr, + /usr/local/bin/* Pixr, /usr/sbin/* Pixr, - # Allow exec of libexec applications in /usr/lib* - /usr/lib*/{,**/}* Pixr, + # Allow exec of libexec applications in /usr/lib* and /usr/local/lib* + /usr/{,local/}lib*/{,**/}* Pixr, # Allow exec of software-center scripts. We may need to allow wider # permissions for /usr/share, but for now just do this. (LP: #972367) @@ -65,7 +66,7 @@ # Full access / r, /** rwkl, - /{,usr/}lib{,32,64}/{,**/}*.so{,.*} m, + /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m, # Dangerous files audit deny owner /**/* m, # compiled libraries === modified file 'profiles/apparmor.d/bin.ping' --- profiles/apparmor.d/bin.ping 2010-08-05 19:00:02 +0000 +++ profiles/apparmor.d/bin.ping 2012-12-18 21:44:34 +0000 @@ -10,7 +10,7 @@ # ------------------------------------------------------------------ #include <tunables/global> -/bin/ping { +/{usr/,}bin/ping { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/nameservice> === modified file 'profiles/apparmor/profiles/extras/README' --- profiles/apparmor/profiles/extras/README 2007-05-16 18:51:46 +0000 +++ profiles/apparmor/profiles/extras/README 2012-12-18 21:46:21 +0000 @@ -39,7 +39,7 @@ Feedback on these unsupported profiles is welcomed; any contributions for this directory should be clearly licensed -- we recommend using the GPL. Please mail suggestions or -modifications to the apparmor-gene...@forge.novell.com mail list: -http://forge.novell.com/mailman/listinfo/apparmor-general +modifications to the apparmor@lists.ubuntu.com mail list: +https://lists.ubuntu.com/mailman/listinfo/apparmor Thanks
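
Review bot: In profiles/apparmor.d/abstractions/ubuntu-browsers.d/java, hunk @@ -4,9 +4,11 @@, the two added java-7-openjdk `cx -> browser_openjdk` rules repeat the java-6 rules line for line, while the IcedTeaPlugin.so rule in the same hunk was folded into `java-{6,7}-openjdk*`. Using the same `java-{6,7}-openjdk` alternation for the `jre/bin/java` rules would cut four lines to two and keep the hard-coded architecture list `{amd64,armel,armhf,i386,powerpc}` in one place per rule instead of two.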
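
Review bot: In profiles/apparmor.d/abstractions/ubuntu-browsers.d/java, hunk @@ -44,8 +46,8 @@, the classes.jsa rule still hard-codes `jre/lib/i386/client/`, so widening it to `java-{6,7}` only has an effect where that i386 directory exists. The IcedTeaPlugin.so rule earlier in this file uses `jre/lib/*/` for the architecture directory; either widen the classes.jsa path the same way or add a comment saying why it is meant to stay i386-only.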
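
Review bot: In profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration, hunk @@ -29,3 +29,6 @@, the new exo-helper-1 rule depends on the `@{multiarch}` variable, and nothing in this patch shows where it is defined. Since this is a backport, please confirm that the tunables shipped in the 2.8 branch declare `@{multiarch}` for every profile that includes this abstraction; a reference to an undeclared variable makes the parser reject the whole profile rather than just skip the rule.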
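
Review bot: In profiles/apparmor.d/abstractions/ubuntu-helpers, hunk @@ -43,10 +43,11 @@, `/usr/local/bin/* Pixr,` is added but there is no matching `/usr/local/sbin/* Pixr,`, although `/sbin/*`, `/usr/bin/*` and `/usr/sbin/*` are all listed. If the omission is deliberate, say so in a comment; if not, add the sbin rule so the list stays symmetric. The updated comment above `/usr/{,local/}lib*/{,**/}* Pixr,` could also note that locally installed binaries without a profile of their own will now run under this helper profile through the `i` fallback.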
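
Review bot: In profiles/apparmor.d/bin.ping, the new header `/{usr/,}bin/ping {` changes the profile's name as well as its attachment, because the profile has no separate name and the path pattern serves as both. Anything that refers to the profile by its old name `/bin/ping` (a named transition in a local profile, or tooling that matches on the loaded profile name) will no longer find it after the update. For a minor release this deserves a mention in the release notes or the commit message.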