apparmor/apparmor-abstractions-no-multiline.diff
Christian Boltz 7374ae94dd - update to AppArmor 2.10.1 (2.10 branch r3326):
- fix incorrect output of child profile names (apparmor_parser -N) which
    caused 'rcapparmor reload' to remove child profiles and hats (lp#1551950)
  - fix a crash in aa-logprof / logparser.py for change_hat log events
    (lp#1523297) and log events that look like file events, but aren't
    (lp#1540562, lp#1525119, lp#1466812)
  - write unix rules when saving a profile (lp#1522938, boo#954104#c3)
  - several fixes for variable handling in aa-logprof
  - map c (create) log events to w instead of a
  - add python to the "no Px rule" list in logprof.conf
  - let aa-logprof check for duplicate profiles
  - let aa-status work without the apparmor.fail python module (boo#971917,
    lp#1480492)
  - add permissions in several profiles (including boo#948584, boo#948753,
    boo#954959, boo#954958, boo#971790, boo#964971, boo#921098, boo#923201 and
    boo#921098#c15).
  - and many more fixes, see the full changelog at
    http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_1
- drop upstream(ed) patches:
  - fix-initscript-aa_log_end_msg.diff
  - syslog-ng-profile-boo948584.diff
  - upstream-profile-updates-r3205-3241.diff
- refresh patches:
  - apparmor-abstractions-no-multiline.diff
  - apparmor-samba-include-permissions-for-shares.diff

OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=147
2016-04-22 22:33:49 +00:00


=== modified file 'profiles/apparmor.d/abstractions/X'
Index: profiles/apparmor.d/abstractions/X
===================================================================
--- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200
+++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200
@@ -24,12 +24,8 @@
# the unix socket to use to connect to the display
/tmp/.X11-unix/* w,
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
/usr/include/X11/ r,
/usr/include/X11/** r,
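Review bot: The patch has no header before its first `=== modified file` line (profiles/apparmor.d/abstractions/X) stating why the multi-line `unix` and `dbus` rules are collapsed onto single lines, so a packager refreshing it later has only the file name to go on; the commit message lists it under "refresh patches" without restating the reason. A two-line header at the top of the patch would do, e.g. `# Collapse multi-line unix/dbus rules in the abstractions onto single lines` followed by a line naming the reason (presumably a parser that does not accept rules spanning several lines — confirm and cite the relevant bug or parser version). This hunk and the other seven hunks in the file (dbus-accessibility-strict, dbus-session-strict, dbus-strict, both ubuntu-unity7-base hunks, ubuntu-unity7-launcher, ubuntu-unity7-messaging, gnome) all make the same change; comparing each joined `+` line against its removed `-` lines, the tokens, quoting and trailing commas are reproduced unchanged, so the mediated permission set is not altered by the refresh.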
Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict
===================================================================
--- profiles/apparmor.d/abstractions/dbus-accessibility-strict.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-accessibility-strict 2014-10-18 13:11:31.098494805 +0200
@@ -9,9 +9,4 @@
#
# ------------------------------------------------------------------
- dbus send
- bus=accessibility
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
Index: profiles/apparmor.d/abstractions/dbus-session-strict
===================================================================
--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2014-10-18 13:11:31.098494805 +0200
@@ -13,13 +13,6 @@
/etc/machine-id r,
/var/lib/dbus/machine-id r,
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/dbus-*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
- dbus send
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
Index: profiles/apparmor.d/abstractions/dbus-strict
===================================================================
--- profiles/apparmor.d/abstractions/dbus-strict.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-strict 2014-10-18 13:11:31.098494805 +0200
@@ -11,9 +11,4 @@
/{,var/}run/dbus/system_bus_socket rw,
- dbus send
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
===================================================================
--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2014-10-18 13:11:18.497652337 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2014-10-18 13:11:31.098494805 +0200
@@ -16,41 +16,16 @@
#include <abstractions/gnome>
# Allow connecting to session bus and where to connect to services
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=Hello
- peer=(name=org.freedesktop.DBus),
- dbus (send)
- bus=session
- path=/org/freedesktop/{db,DB}us
- interface=org.freedesktop.DBus
- member={Add,Remove}Match
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetNameOwner
- peer=(name=org.freedesktop.DBus),
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=NameHasOwner
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
# Allow starting services on the session bus (actual communications with
# the service are mediated elsewhere)
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=StartServiceByName
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus),
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
@@ -58,108 +33,47 @@
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
/{,var/}run/dbus/system_bus_socket rw,
- dbus (send)
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=Hello
- peer=(name=org.freedesktop.DBus),
- dbus (send)
- bus=system
- path=/org/freedesktop/{db,DB}us
- interface=org.freedesktop.DBus
- member={Add,Remove}Match
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
- dbus (send)
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetNameOwner
- peer=(name=org.freedesktop.DBus),
- dbus (send)
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=NameHasOwner
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
#
# Access required for connecting to/communication with Unity HUD
#
- dbus (send)
- bus=session
- path="/com/canonical/hud",
- dbus (send)
- bus=session
- interface="com.canonical.hud.*",
- dbus (send)
- bus=session
- path="/com/canonical/hud/applications/*",
- dbus (receive)
- bus=session
- path="/com/canonical/hud",
- dbus (receive)
- bus=session
- interface="com.canonical.hud.*",
+ dbus (send) bus=session path="/com/canonical/hud",
+ dbus (send) bus=session interface="com.canonical.hud.*",
+ dbus (send) bus=session path="/com/canonical/hud/applications/*",
+ dbus (receive) bus=session path="/com/canonical/hud",
+ dbus (receive) bus=session interface="com.canonical.hud.*",
#
# Allow access for connecting to/communication with the appmenu
#
# dbusmenu
- dbus (send)
- bus=session
- interface="com.canonical.AppMenu.*",
- dbus (receive, send)
- bus=session
- path=/com/canonical/menu/**,
+ dbus (send) bus=session interface="com.canonical.AppMenu.*",
+ dbus (receive, send) bus=session path=/com/canonical/menu/**,
# gmenu
- dbus (receive, send)
- bus=session
- interface=org.gtk.Actions,
- dbus (receive, send)
- bus=session
- interface=org.gtk.Menus,
+ dbus (receive, send) bus=session interface=org.gtk.Actions,
+ dbus (receive, send) bus=session interface=org.gtk.Menus,
#
# Access required for using freedesktop notifications
#
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=GetCapabilities,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=GetServerInformation,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=Notify,
- dbus (receive)
- bus=session
- member="Notify"
- peer=(name="org.freedesktop.DBus"),
- dbus (receive)
- bus=session
- path=/org/freedesktop/Notifications
- member=NotificationClosed,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=CloseNotification,
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=GetCapabilities,
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=GetServerInformation,
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=Notify,
+ dbus (receive) bus=session member="Notify" peer=(name="org.freedesktop.DBus"),
+ dbus (receive) bus=session path=/org/freedesktop/Notifications member=NotificationClosed,
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=CloseNotification,
# accessibility
- dbus (send)
- bus=session
- peer=(name=org.a11y.Bus),
- dbus (receive)
- bus=session
- interface=org.a11y.atspi*,
- dbus (receive, send)
- bus=accessibility,
+ dbus (send) bus=session peer=(name=org.a11y.Bus),
+ dbus (receive) bus=session interface=org.a11y.atspi*,
+ dbus (receive, send) bus=accessibility,
#
# Deny potentially dangerous access
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-launcher
===================================================================
--- profiles/apparmor.d/abstractions/ubuntu-unity7-launcher.orig 2014-10-18 13:11:18.497652337 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-launcher 2014-10-18 13:11:31.098494805 +0200
@@ -1,7 +1,4 @@
#
# Access required for connecting to/communicating with the Unity Launcher
#
- dbus (send)
- bus=session
- interface="com.canonical.Unity.LauncherEntry"
- member="Update",
+ dbus (send) bus=session interface="com.canonical.Unity.LauncherEntry" member="Update",
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-messaging
===================================================================
--- profiles/apparmor.d/abstractions/ubuntu-unity7-messaging.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-messaging 2014-10-18 13:11:31.099494792 +0200
@@ -2,6 +2,4 @@
# Access required for connecting to/communicating with the Unity messaging
# indicator
#
- dbus (receive, send)
- bus=session
- path="/com/canonical/indicator/messages/*",
+ dbus (receive, send) bus=session path="/com/canonical/indicator/messages/*",
Index: profiles/apparmor.d/abstractions/gnome
===================================================================
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
@@ -88,6 +88,4 @@
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)
- unix (send, receive, connect)
- type=stream
- peer=(addr="@/dbus-vfs-daemon/socket-*"),
+ unix (send, receive, connect) type=stream peer=(addr="@/dbus-vfs-daemon/socket-*"),