apparmor/apparmor-lessopen-profile.patch

Index: profiles/apparmor.d/usr.bin.lessopen.sh
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ profiles/apparmor.d/usr.bin.lessopen.sh	2017-10-28 14:15:12.624358664 +0200
@@ -0,0 +1,49 @@
+# vim: ft=apparmor
+#include <tunables/global>
+
+/usr/bin/lessopen.sh {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/perl>
+
+  capability dac_override,
+  capability dac_read_search,
+
+  /** rk,
+  /bin/bash mrix,
+  /{usr/,}bin/rpm mrix,
+  /bin/tar mrix,
+  /tmp/less.* rw,
+  /usr/bin/bzip2 mrix,
+  /usr/bin/cabextract mrix,
+  /usr/bin/cat mrix,
+  /usr/bin/colordiff mrix,
+  /usr/bin/dvi2tty mrix,
+  /usr/bin/eqn mrix,
+  /usr/bin/file mrix,
+  /usr/bin/grep mrix,
+  /usr/bin/groff mrix,
+  /usr/bin/grotty mrix,
+  /usr/bin/gzip mrix,
+  /usr/bin/head mrix,
+  /usr/bin/lynx mrix,
+  /usr/bin/mktemp mrix,
+  /usr/bin/nm mrix,
+  /usr/bin/pic mrix,
+  /usr/bin/pdftotext mrix,
+  /usr/bin/ps2ascii mrix,
+  /usr/bin/rm mrix,
+  /usr/bin/seq mrix,
+  /usr/bin/soelim mrix,
+  /usr/bin/tar mrix,
+  /usr/bin/tbl mrix,
+  /usr/bin/troff mrix,
+  /usr/bin/unzip mrix,
+  /usr/bin/unzip-plain mrix,
+  /usr/bin/w3m mrix,
+  /usr/bin/which mrix,
+  /usr/bin/xz mrix,
+
+  #include <local/usr.bin.lessopen.sh>
+}
Accepting request 560016 from home:cboltz - update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194 2017-12-26 15:30:01 +01:00			`Index: profiles/apparmor.d/usr.bin.lessopen.sh`
Accepting request 264683 from home:msmeissn:branches:security:apparmor - /usr/bin/lessopen.sh needs confinement. bnc#906858 OBS-URL: https://build.opensuse.org/request/show/264683 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=111 2014-12-21 17:18:25 +01:00			`===================================================================`
Accepting request 560016 from home:cboltz - update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194 2017-12-26 15:30:01 +01:00			`--- /dev/null 1970-01-01 00:00:00.000000000 +0000`
			`+++ profiles/apparmor.d/usr.bin.lessopen.sh 2017-10-28 14:15:12.624358664 +0200`
			`@@ -0,0 +1,49 @@`
			`+# vim: ft=apparmor`
Accepting request 264683 from home:msmeissn:branches:security:apparmor - /usr/bin/lessopen.sh needs confinement. bnc#906858 OBS-URL: https://build.opensuse.org/request/show/264683 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=111 2014-12-21 17:18:25 +01:00			`+#include <tunables/global>`
			`+`
			`+/usr/bin/lessopen.sh {`
			`+ #include <abstractions/base>`
			`+ #include <abstractions/bash>`
			`+ #include <abstractions/consoles>`
			`+ #include <abstractions/perl>`
			`+`
Accepting request 560016 from home:cboltz - update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194 2017-12-26 15:30:01 +01:00			`+ capability dac_override,`
			`+ capability dac_read_search,`
			`+`
Accepting request 264683 from home:msmeissn:branches:security:apparmor - /usr/bin/lessopen.sh needs confinement. bnc#906858 OBS-URL: https://build.opensuse.org/request/show/264683 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=111 2014-12-21 17:18:25 +01:00			`+ /** rk,`
Accepting request 560016 from home:cboltz - update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194 2017-12-26 15:30:01 +01:00			`+ /bin/bash mrix,`
Accepting request 581986 from home:goldwynr:branches:security:apparmor boo#1082956 OBS-URL: https://build.opensuse.org/request/show/581986 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=202 2018-03-03 11:25:05 +01:00			`+ /{usr/,}bin/rpm mrix,`
Accepting request 560016 from home:cboltz - update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194 2017-12-26 15:30:01 +01:00			`+ /bin/tar mrix,`
Accepting request 264683 from home:msmeissn:branches:security:apparmor - /usr/bin/lessopen.sh needs confinement. bnc#906858 OBS-URL: https://build.opensuse.org/request/show/264683 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=111 2014-12-21 17:18:25 +01:00			`+ /tmp/less.* rw,`
Accepting request 560016 from home:cboltz - update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194 2017-12-26 15:30:01 +01:00			`+ /usr/bin/bzip2 mrix,`
			`+ /usr/bin/cabextract mrix,`
			`+ /usr/bin/cat mrix,`
			`+ /usr/bin/colordiff mrix,`
			`+ /usr/bin/dvi2tty mrix,`
			`+ /usr/bin/eqn mrix,`
			`+ /usr/bin/file mrix,`
			`+ /usr/bin/grep mrix,`
			`+ /usr/bin/groff mrix,`
			`+ /usr/bin/grotty mrix,`
			`+ /usr/bin/gzip mrix,`
			`+ /usr/bin/head mrix,`
			`+ /usr/bin/lynx mrix,`
			`+ /usr/bin/mktemp mrix,`
			`+ /usr/bin/nm mrix,`
			`+ /usr/bin/pic mrix,`
			`+ /usr/bin/pdftotext mrix,`
			`+ /usr/bin/ps2ascii mrix,`
			`+ /usr/bin/rm mrix,`
			`+ /usr/bin/seq mrix,`
			`+ /usr/bin/soelim mrix,`
			`+ /usr/bin/tar mrix,`
			`+ /usr/bin/tbl mrix,`
			`+ /usr/bin/troff mrix,`
			`+ /usr/bin/unzip mrix,`
			`+ /usr/bin/unzip-plain mrix,`
			`+ /usr/bin/w3m mrix,`
			`+ /usr/bin/which mrix,`
			`+ /usr/bin/xz mrix,`
Accepting request 264683 from home:msmeissn:branches:security:apparmor - /usr/bin/lessopen.sh needs confinement. bnc#906858 OBS-URL: https://build.opensuse.org/request/show/264683 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=111 2014-12-21 17:18:25 +01:00			`+`
- rename lessopen.sh profile file to usr.bin.lessopen.sh to match the script filename OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=112 2014-12-21 17:26:04 +01:00			`+ #include <local/usr.bin.lessopen.sh>`
Accepting request 264683 from home:msmeissn:branches:security:apparmor - /usr/bin/lessopen.sh needs confinement. bnc#906858 OBS-URL: https://build.opensuse.org/request/show/264683 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=111 2014-12-21 17:18:25 +01:00			`+}`