- update to AppArmor 2.10.1 (2.10 branch r3326):

  - fix incorrect output of child profile names (apparmor_parser -N) which
    caused 'rcapparmor reload' to remove child profiles and hats (lp#1551950)
  - fix a crash in aa-logprof / logparser.py for change_hat log events
    (lp#1523297) and log events that look like file events, but aren't
    (lp#1540562, lp#1525119, lp#1466812)
  - write unix rules when saving a profile (lp#1522938, boo#954104#c3)
  - several fixes for variable handling in aa-logprof
  - map c (create) log events to w instead of a
  - add python to the "no Px rule" list in logprof.conf
  - let aa-logprof check for duplicate profiles
  - let aa-status work without the apparmor.fail python module (boo#971917,
    lp#1480492)
  - add permissions in several profiles (including boo#948584, boo#948753,
    boo#954959, boo#954958, boo#971790, boo#964971, boo#921098, boo#923201 and
    boo#921098#c15).
  - and many more fixes, see the full changelog at
    http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_1
- drop upstream(ed) patches:
  - fix-initscript-aa_log_end_msg.diff
  - syslog-ng-profile-boo948584.diff
  - upstream-profile-updates-r3205-3241.diff
- refresh patches:
  - apparmor-abstractions-no-multiline.diff
  - apparmor-samba-include-permissions-for-shares.diff

OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=147
Christian Boltz 2016-04-22 22:33:49 +00:00 committed by Git OBS Bridge
parent 7dfa8bfe4d
commit 7374ae94dd
11 changed files with 60 additions and 417 deletions

apparmor-2.10.1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:07a76f338304baadc4ad69d025fe000b1ab4779a251ae8f338afdc13ef1e0f24
size 4494037


@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4d0e224257a29671b694bd9054edf0dd213aa690fd02844ecf3329b86ac506f4
size 2421759
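Review bot: the two LFS pointers show the source tarball growing from 2421759 bytes (the pointer removed here) to 4494037 bytes (apparmor-2.10.1.tar.gz) for a point release, and nothing in the commit message explains the jump. Before accepting, compare the new `oid sha256` with the checksum upstream publishes for 2.10.1 and check that the replaced detached signature verifies with the same key as the old one, so the size difference is accounted for by upstream's packaging and not by a substituted archive.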


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


@ -1,16 +1,20 @@
=== modified file 'profiles/apparmor.d/abstractions/X'
Index: profiles/apparmor.d/abstractions/X
===================================================================
--- profiles/apparmor.d/abstractions/X.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/X 2014-10-18 13:11:31.097494817 +0200
@@ -24,9 +24,7 @@
--- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200
+++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200
@@ -24,12 +24,8 @@
# the unix socket to use to connect to the display
/tmp/.X11-unix/* w,
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
/usr/include/X11/ r,
/usr/include/X11/** r,


@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
@@ -46,6 +46,10 @@
@@ -47,6 +47,10 @@
@{HOMEDIRS}/** lrwk,


@ -1,3 +1,32 @@
-------------------------------------------------------------------
Fri Apr 22 20:49:24 UTC 2016 - suse-beta@cboltz.de
- update to AppArmor 2.10.1 (2.10 branch r3326):
- fix incorrect output of child profile names (apparmor_parser -N) which
caused 'rcapparmor reload' to remove child profiles and hats (lp#1551950)
- fix a crash in aa-logprof / logparser.py for change_hat log events
(lp#1523297) and log events that look like file events, but aren't
(lp#1540562, lp#1525119, lp#1466812)
- write unix rules when saving a profile (lp#1522938, boo#954104#c3)
- several fixes for variable handling in aa-logprof
- map c (create) log events to w instead of a
- add python to the "no Px rule" list in logprof.conf
- let aa-logprof check for duplicate profiles
- let aa-status work without the apparmor.fail python module (boo#971917,
lp#1480492)
- add permissions in several profiles (including boo#948584, boo#948753,
boo#954959, boo#954958, boo#971790, boo#964971, boo#921098, boo#923201 and
boo#921098#c15).
- and many more fixes, see the full changelog at
http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_1
- drop upstream(ed) patches:
- fix-initscript-aa_log_end_msg.diff
- syslog-ng-profile-boo948584.diff
- upstream-profile-updates-r3205-3241.diff
- refresh patches:
- apparmor-abstractions-no-multiline.diff
- apparmor-samba-include-permissions-for-shares.diff
-------------------------------------------------------------------
Wed Oct 7 16:12:24 UTC 2015 - opensuse@cboltz.de


@ -1,8 +1,8 @@
#
# spec file for package apparmor
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2011-2015 Christian Boltz
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2011-2016 Christian Boltz
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -60,7 +60,7 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Version: 2.10
Version: 2.10.1
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
@ -92,15 +92,6 @@ Patch6: apparmor-abstractions-no-multiline.diff
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch
# boo#862170 - fix ugly initscript output (commited upstream trunk r3208)
Patch8: fix-initscript-aa_log_end_msg.diff
# additional syslog-ng permissions (submitted upstream 2015-10-07) (boo#948584, boo#948753)
Patch9: syslog-ng-profile-boo948584.diff
# several profile updates taken from upstream bzr trunk r3205..3241
Patch10: upstream-profile-updates-r3205-3241.diff
Url: https://launchpad.net/apparmor
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -449,9 +440,6 @@ SubDomain.
%patch6
%patch7 -p1
%patch8
%patch9
%patch10
# search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
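Review bot: the `test -z "$(grep -r ...)"` guard kept at the end of this hunk gives no diagnostic when it fails, because the command substitution swallows grep's output and the build log will not show which profile or line matched. With %patch10 removed (its header says its abstractions/X change had already been converted to single-line syntax), this check is what catches multi-line unix/dbus rules arriving with new upstream releases, so it is worth printing the grep result before testing it.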


@ -1,47 +0,0 @@
Fix aa_log_end_msg() in rc.apparmor.suse
"rcapparmor kill" results in a funny error message:
/lib/apparmor/rc.apparmor.functions: line 441: return: -v: invalid option
return: usage: return [n]
SLE12 includes a patch that prevents this error message, but also
prevents that $? is handed over correctly to rc_status. This means that
"rcapparmor kill" will happily display "done" even with a compiled-in
apparmor module that can't be unloaded.
This patch is the improved version - it adds a small helper function to
set $? (as handed over to aa_log_end_msg()) and then calls rc_status -v.
This means that "rcapparmor kill" now shows "failed" because it's
impossible to unload something that is compiled directly into the
kernel.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=862170 (non-public)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9 and trunk
Commited to trunk revision 3208.
=== modified file 'parser/rc.apparmor.suse'
--- parser/rc.apparmor.suse 2011-09-15 18:20:23 +0000
+++ parser/rc.apparmor.suse 2015-07-22 19:23:28 +0000
@@ -94,12 +94,13 @@
echo -e "$rc_skipped"
}
+_set_status() {
+ return $1
+}
+
aa_log_end_msg() {
- v="-v"
- if [ "$1" != '0' ]; then
- rc="-v$1"
- fi
- rc_status $v
+ _set_status $1
+ rc_status -v
}
usage() {
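Review bot: the header of this dropped patch records only "Commited to trunk revision 3208" and an ack "for 2.9 and trunk", while this update ships the 2.10 branch (r3326), so the visible lines do not show that the fix is in the new tarball. Please confirm that parser/rc.apparmor.suse in 2.10.1 contains `_set_status` and the plain `rc_status -v` call before removing the patch; otherwise `rcapparmor kill` returns to the `return: -v: invalid option` message quoted in the header. As a side note, `return $1` is unquoted and `aa_log_end_msg` called without an argument would return the previous command's status; `return "${1:-0}"` would make the default explicit.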


@ -1,34 +0,0 @@
=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
--- profiles/apparmor.d/sbin.syslog-ng 2015-03-07 20:16:11 +0000
+++ profiles/apparmor.d/sbin.syslog-ng 2015-10-07 10:33:01 +0000
@@ -20,6 +20,7 @@
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/mysql>
+ #include <abstractions/openssl>
capability chown,
capability dac_override,
@@ -37,7 +38,10 @@
/dev/syslog w,
/dev/tty10 rw,
/dev/xconsole rw,
+ /etc/machine-id r,
/etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
@{PROC}/kmsg r,
/etc/hosts.deny r,
/etc/hosts.allow r,
@@ -50,6 +54,10 @@
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+ /var/log/journal/ r,
+ /var/log/journal/*/ r,
+ /var/log/journal/*/*.journal r,
+ /{var/,}run/syslog-ng.ctl a,
/{var/,}run/syslog-ng/additional-log-sockets.conf r,
# Site-specific additions and overrides. See local/README for details.
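Review bot: in the last hunk, `/{var/,}run/syslog-ng.ctl a,` grants append on the control socket although the context line two above already has `@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,`. If @{CHROOT_BASE} can expand to an empty string the new rule is redundant, and if it cannot, `a` is an unusual permission for a socket path; it looks like a rule generated from a create event, which this same update changes to map to `w` instead of `a`. Since the patch is dropped as upstreamed, check which form of this rule the 2.10.1 profile carries.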


@ -1,297 +0,0 @@
AppArmor bzr trunk
bzr diff -r3205..3241 profiles/
(+ abstractions/X change modified to single line syntax)
------------------------------------------------------------
revno: 3238
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Fri 2015-09-18 19:06:47 +0200
message:
dnsmasq profile - also allow /bin/sh
This patch is based on a SLE12 patch to allow executing the
--dhcp-script. We already have most parts of that patch since r2841,
however the SLE bugreport indicates that /bin/sh is executed (which is
usually a symlink to /bin/bash or /bin/dash), so we should also allow
/bin/sh
References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
Acked-by: Seth Arnold <seth.arnold@canonicalc.com> for trunk and 2.9
------------------------------------------------------------
revno: 3237
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2015-09-15 14:24:57 +0200
message:
Allow ntpd to read directory listings of $PATH
For some reasons, it needs to do that to find readable, writeable and
executable files.
See also https://bugzilla.opensuse.org/show_bug.cgi?id=945592
Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3236
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Wed 2015-09-09 00:00:23 +0200
message:
Update the /sbin/dhclient profile
Add some permissions that I need on my system:
- execute nm-dhcp-helper
- read and write /var/lib/dhcp6/dhclient.leases
- read /var/lib/NetworkManager/dhclient-*.conf
- read and write /var/lib/NetworkManager/dhclient-*.conf
Looks-good-by: Steve Beattie <steve@nxnw.org>
Acked-by: <timeout> for trunk and 2.9
------------------------------------------------------------
revno: 3234
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Thu 2015-09-03 18:27:00 +0200
message:
Dovecot imap needs to read /run/dovecot/mounts
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
------------------------------------------------------------
revno: 3225
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Sun 2015-08-23 15:20:20 +0200
message:
add /usr/share/locale-bundle/ to abstractions/base
/usr/share/locale-bundle/ contains translations packaged in
bundle-lang-* packages in openSUSE.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
------------------------------------------------------------
revno: 3213
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Thu 2015-07-30 22:03:02 +0200
message:
winbindd profile: allow k for /etc/samba/smbd.tmp/msg/*
References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 starting at comment 15
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
------------------------------------------------------------
revno: 3212
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Tue 2015-07-28 01:15:31 +0200
message:
skype profile: allow reading @{PROC}/@{pid}/net/dev
References: https://bugzilla.opensuse.org/show_bug.cgi?id=939568
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.9
------------------------------------------------------------
revno: 3211
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 15:03:30 -0500
message:
profiles/apparmor.d/usr.sbin.avahi-daemon: allow write access to
/run/systemd/notify which is needed on systems with systemd
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3210
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 15:01:46 -0500
message:
profiles/apparmor.d/abstractions/X: also allow unix connections to
@/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3209
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Fri 2015-07-24 13:56:27 -0500
message:
profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to /bin/bash
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
------------------------------------------------------------
revno: 3207 [merge]
committer: Jamie Strandboge <jamie@ubuntu.com>
branch nick: apparmor
timestamp: Mon 2015-07-20 10:16:18 -0500
message:
[ intrigeri ]
dconf abstraction: allow reading /etc/dconf/**.
That's needed e.g. for Totem on current Debian Jessie.
Acked-By: Jamie Strandboge <jamie@canonical.com>
------------------------------------------------------------
Use --include-merged or -n0 to see merged revisions.
=== modified file 'profiles/apparmor.d/abstractions/X'
--- profiles/apparmor.d/abstractions/X 2015-03-25 21:58:31 +0000
+++ profiles/apparmor.d/abstractions/X 2015-07-24 20:01:46 +0000
@@ -27,4 +27,5 @@
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
/usr/include/X11/ r,
/usr/include/X11/** r,
=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base 2015-01-21 19:30:46 +0000
+++ profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000
@@ -26,6 +26,7 @@
/etc/locale/** r,
/etc/locale.alias r,
/etc/localtime r,
+ /usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
=== modified file 'profiles/apparmor.d/abstractions/dconf'
--- profiles/apparmor.d/abstractions/dconf 2013-10-09 13:18:09 +0000
+++ profiles/apparmor.d/abstractions/dconf 2015-07-19 13:42:54 +0000
@@ -3,5 +3,6 @@
# permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile.
+ /etc/dconf/** r,
owner /{,var/}run/user/*/dconf/user r,
owner @{HOME}/.config/dconf/user r,
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap 2014-12-22 16:41:59 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000
@@ -27,6 +27,7 @@
@{HOME} r, # ???
/usr/lib/dovecot/imap mr,
/{,var/}run/dovecot/auth-master rw,
+ /{,var/}run/dovecot/mounts r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.imap>
=== modified file 'profiles/apparmor.d/usr.sbin.avahi-daemon'
--- profiles/apparmor.d/usr.sbin.avahi-daemon 2014-09-03 19:16:32 +0000
+++ profiles/apparmor.d/usr.sbin.avahi-daemon 2015-07-24 20:03:30 +0000
@@ -26,6 +26,7 @@
/{,var/}run/avahi-daemon/ w,
/{,var/}run/avahi-daemon/pid krw,
/{,var/}run/avahi-daemon/socket w,
+ /{,var/}run/systemd/notify w,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.avahi-daemon>
=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
--- profiles/apparmor.d/usr.sbin.dnsmasq 2015-03-30 03:49:09 +0000
+++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-18 17:06:47 +0000
@@ -45,7 +45,7 @@
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
- /bin/bash ix, # Required to execute --dhcp-script argument
+ /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
# access to iface mtu needed for Router Advertisement messages in IPv6
# Neighbor Discovery protocol (RFC 2461)
=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
--- profiles/apparmor.d/usr.sbin.ntpd 2015-05-18 23:20:49 +0000
+++ profiles/apparmor.d/usr.sbin.ntpd 2015-09-15 12:24:57 +0000
@@ -37,6 +37,7 @@
/etc/ntpd.conf.tmp r,
/tmp/ntp* rwl,
+ /{usr/,usr/local/,}{s,}bin/ r,
/usr/sbin/ntpd rmix,
/var/lib/ntp/drift rwl,
/var/lib/ntp/drift.TEMP rwl,
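Review bot: `/{usr/,usr/local/,}{s,}bin/ r,` is added without an inline comment, and the revno 3237 message only says ntpd needs the listings "for some reasons". The rule expands to six directories and, because of the trailing slash, permits listing them but not reading the files inside, which is a narrow grant; a short comment in the profile pointing at the bugzilla reference from the message (id=945592) would keep a later reviewer from treating it as an accidental over-grant.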
=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd 2015-05-18 23:25:26 +0000
+++ profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000
@@ -15,7 +15,7 @@
/etc/samba/secrets.tdb rwk,
/etc/samba/smbd.tmp/ rw,
/etc/samba/smbd.tmp/msg/ rw,
- /etc/samba/smbd.tmp/msg/* rw,
+ /etc/samba/smbd.tmp/msg/* rwk,
@{PROC}/sys/kernel/core_pattern r,
/tmp/.winbindd/ w,
/tmp/krb5cc_* rwk,
=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient'
--- profiles/apparmor/profiles/extras/sbin.dhclient 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/sbin.dhclient 2015-09-08 22:00:23 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2015 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -25,6 +26,8 @@
#include <abstractions/bash>
#include <abstractions/nameservice>
+ capability net_raw,
+
network packet packet,
network packet raw,
@@ -47,13 +50,17 @@
/usr/bin/uptime mrix,
/usr/bin/vmstat mrix,
/usr/bin/w mrix,
+ /usr/lib/nm-dhcp-helper rix,
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
+ /var/lib/dhcp6/dhclient.leases rw,
+ /var/lib/NetworkManager/dhclient-*.conf r,
+ /var/lib/NetworkManager/dhclient-*.lease rw,
/var/log/lastlog r,
/var/log/messages r,
/var/log/wtmp r,
- /{,var/}run/dhclient.pid rw,
- /{,var/}run/dhclient-*.pid rw,
+ /{,var/}run/dhclient.pid rw,
+ /{,var/}run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,
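Review bot: this hunk does not match the revno 3236 message. The message lists /var/lib/NetworkManager/dhclient-*.conf twice (once "read", once "read and write"), while the hunk grants `dhclient-*.conf r` and `dhclient-*.lease rw`, and the `capability net_raw` added in the previous hunk is not mentioned in the message at all. The message should name the .lease path and the capability so the grant can be audited from the log; the two dhclient.pid lines also change only in whitespace and could be left out of the diff.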
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.skype'
--- profiles/apparmor/profiles/extras/usr.bin.skype 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.skype 2015-07-27 23:15:31 +0000
@@ -20,6 +20,7 @@
@{PROC}/sys/kernel/{ostype,osrelease} r,
@{PROC}/@{pid}/net/arp r,
+ @{PROC}/@{pid}/net/dev r,
owner @{PROC}/@{pid}/auxv r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,