[pkg-apparmor] Bug#919723: Patch for some AppArmor profiles
Jörg Sommer
joerg at jo-so.de
Fri Jan 18 22:35:59 GMT 2019
Package: apparmor
Version: 2.13.2-3
Severity: normal
Hi,
I've added some rules to profiles shipped with the package to better match the
behaviour of Firefox and Skype. Maybe some of them are helpful and you
want to pick them. Otherwise you're free to close this report.
Regards Jörg
diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf /etc/apparmor.d/abstractions/dconf
--- /tmp/aa/etc/apparmor.d/abstractions/dconf 2019-01-01 19:03:54.000000000 +0100
+++ /etc/apparmor.d/abstractions/dconf 2019-01-11 12:17:18.614182127 +0100
@@ -4,5 +4,5 @@
# be specified in a specific application's profile.
/etc/dconf/** r,
- owner /{,var/}run/user/*/dconf/user r,
+ owner /{,var/}run/user/*/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
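Review bot: the `rw` on `owner /{,var/}run/user/*/dconf/user` sits in a shared abstraction, so every profile that includes it gains write access to the runtime dconf file, not only the Firefox and Skype profiles the report is about. The context comment above the rule ends with "be specified in a specific application's profile", which reads as though some access is deliberately left to individual profiles; if that is the write side, keep `r` here and add the `rw` rule to the profiles that need it. `owner @{HOME}/.config/dconf/user` stays `r`, so it would help to say which operation on the runtime file was denied.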
diff -u -r /tmp/aa/etc/apparmor.d/abstractions/fonts /etc/apparmor.d/abstractions/fonts
--- /tmp/aa/etc/apparmor.d/abstractions/fonts 2019-01-01 19:03:54.000000000 +0100
+++ /etc/apparmor.d/abstractions/fonts 2019-01-18 22:56:20.159428688 +0100
@@ -18,14 +18,14 @@
/usr/share/fonts/** r,
/etc/fonts/** r,
- /usr/share/fontconfig/conf.avail/** r,
+ /usr/share/fontconfig/conf.avail/{,**} r,
/opt/kde3/share/fonts/** r,
/usr/lib{,32,64}/openoffice/share/fonts/** r,
/var/cache/fonts/** r,
- /var/cache/fontconfig/** mr,
+ /var/cache/fontconfig/** rw,
/var/lib/defoma/** mr,
/usr/share/a2ps/fonts/** r,
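Review bot: in `/var/cache/fontconfig/** rw,` the new mode drops `m` while adding `w`, and the rule has no `owner` qualifier, so every confined program that includes this abstraction could write the system-wide cache but no longer map files from it. The neighbouring `/var/lib/defoma/** mr,` keeps `m`; if removing it was not intended, use `mrw`. Consider also whether write access belongs in the abstraction at all or only in the profiles that showed the denial. The `conf.avail/{,**}` change only adds the directory itself and looks fine.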
@@ -43,7 +43,7 @@
owner @{HOME}/.local/share/fonts/** r,
owner @{HOME}/.fonts.cache-2 mr,
owner @{HOME}/.{,cache/}fontconfig/ r,
- owner @{HOME}/.{,cache/}fontconfig/** mrl,
+ owner @{HOME}/.{,cache/}fontconfig/** rwlk,
owner @{HOME}/.fonts.conf.d/ r,
owner @{HOME}/.fonts.conf.d/** r,
owner @{HOME}/.config/fontconfig/ r,
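Review bot: `owner @{HOME}/.{,cache/}fontconfig/** rwlk,` removes `m` from the previous `mrl`, while `owner @{HOME}/.fonts.cache-2 mr,` two lines above still allows mapping. If the intent is only to add write and lock, `mrwlk` keeps the existing behaviour; otherwise the report should say why `m` is no longer needed. The directory rule `owner @{HOME}/.{,cache/}fontconfig/ r,` is left read-only, so check whether creating the cache directory also needs to be covered.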
diff -u -r /tmp/aa/etc/apparmor.d/abstractions/gnome /etc/apparmor.d/abstractions/gnome
--- /tmp/aa/etc/apparmor.d/abstractions/gnome 2019-01-01 19:03:54.000000000 +0100
+++ /etc/apparmor.d/abstractions/gnome 2019-01-12 11:19:46.827157086 +0100
@@ -63,6 +63,7 @@
owner @{HOME}/.fonts.cache-* rwl,
# icon caches
+ owner @{HOME}/.cache/gtk-3.0/** r,
/var/cache/**/icon-theme.cache r,
/usr/share/**/icon-theme.cache r,
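Review bot: `owner @{HOME}/.cache/gtk-3.0/** r,` is placed under the `# icon caches` comment, but its glob covers everything below `.cache/gtk-3.0/`, unlike the two rules after it, which are limited to `icon-theme.cache`. Either narrow the path to the file that was denied or give the rule its own comment saying what is read from that directory.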
diff -u -r /tmp/aa/etc/apparmor.d/abstractions/mesa /etc/apparmor.d/abstractions/mesa
--- /tmp/aa/etc/apparmor.d/abstractions/mesa 2019-01-01 19:03:54.000000000 +0100
+++ /etc/apparmor.d/abstractions/mesa 2019-01-18 21:01:17.727350842 +0100
@@ -2,6 +2,8 @@
# Rules for Mesa implementation of the OpenGL API
# System files
+ /etc/drirc r,
+ /usr/share/drirc.d/{,*} r,
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
# User files
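Review bot: the added rules `/etc/drirc r,` and `/usr/share/drirc.d/{,*} r,` carry no comment, whereas the `/dev/dri/ r,` line directly below documents which call needs it. A short comment naming what reads the drirc files would keep the section consistent and make the rules easier to audit later.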
diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias /etc/apparmor.d/tunables/alias
--- /tmp/aa/etc/apparmor.d/tunables/alias 2019-01-01 19:03:54.000000000 +0100
+++ /etc/apparmor.d/tunables/alias 2019-01-16 00:20:42.868356851 +0100
@@ -14,3 +14,5 @@
#
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,
+
+alias /bin/sh -> /bin/dash,
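Review bot: `alias /bin/sh -> /bin/dash,` is added as an active rule, while the other entries visible in this file are commented-out examples, each introduced by a line describing the local setup it applies to. The sh to dash link is a property of this machine (the system information below reports `/bin/sh linked to /bin/dash`), so in a shipped tunables file it should be a commented example with a similar explanatory line, left for the administrator to enable.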
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.20.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apparmor depends on:
ii debconf [debconf-2.0] 1.5.70
ii libc6 2.28-5
ii lsb-base 10.2018112800
ii python3 3.7.1-3
apparmor recommends no packages.
Versions of packages apparmor suggests:
ii apparmor-profiles-extra 1.24
ii apparmor-utils 2.13.2-3
--
Whoever says A does not have to say B. He can also recognize that A was wrong.
(Erich Kästner)