authorintrigeri <intrigeri@boum.org>2015-06-06 11:47:40 +0000
committerintrigeri <intrigeri@boum.org>2015-06-06 11:47:40 +0000
commit0a50f82707598c5d361dcaf123311f20a393b5d5 (patch)
tree8d87a64b073f4646c8afe6867ea3bd32daabc41b /config/chroot_local-patches
parent1e9f3a53786846fe461c7b36b1b00054fb275846 (diff)
Update AppArmor aliases adjustments to work with AppArmor 2.9.
It is quite a bit more picky and failed to load profiles with: "profile has merged rule with conflicting x modifiers" / "ERROR processing regexs for profile sanitized_helper, failed to load". Looking at it closely, one realizes that it's totally correct, and our previous adjustments were incomplete. This change includes re-diff'ing so that this patch applies cleanly against the profiles shipped by apparmor 2.9.0-3~bpo70+1 (uploaded to our APT overlay for this branch, but not to Debian yet).
Diffstat (limited to 'config/chroot_local-patches')
-rw-r--r--config/chroot_local-patches/apparmor-aliases.diff31
1 files changed, 26 insertions, 5 deletions
diff --git a/config/chroot_local-patches/apparmor-aliases.diff b/config/chroot_local-patches/apparmor-aliases.diff
index 5b0c0a6..2d0cef0 100644
--- a/config/chroot_local-patches/apparmor-aliases.diff
+++ b/config/chroot_local-patches/apparmor-aliases.diff
@@ -1,6 +1,15 @@
--- a/etc/apparmor.d.orig/abstractions/base 2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/abstractions/base 2015-06-03 18:11:08.402380000 +0000
-@@ -53,10 +53,11 @@
+@@ -47,17 +47,19 @@
+ # available everywhere
+ /etc/ld.so.cache mr,
+ /lib{,32,64}/ld{,32,64}-*.so mrix,
+- /lib{,32,64}/**/ld{,32,64}-*.so mrix,
++ /lib{32,64}/**/ld{,32,64}-*.so mrix,
++ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/ld{,32,64}-*.so mrix,
+ /lib/@{multiarch}/ld{,32,64}-*.so mrix,
+ /lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
+ /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries
@@ -8,8 +17,9 @@
+ /lib{32,64}/** r,
+ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
/lib{,32,64}/lib*.so* mr,
- /lib{,32,64}/**/lib*.so* mr,
+- /lib{,32,64}/**/lib*.so* mr,
- /lib/@{multiarch}/** r,
++ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/lib*.so* mr,
+ /lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
/lib/@{multiarch}/lib*.so* mr,
/lib/@{multiarch}/**/lib*.so* mr,
@@ -17,13 +27,24 @@
diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /etc/apparmor.d/abstractions/ubuntu-helpers
--- a/etc/apparmor.d.orig/abstractions/ubuntu-helpers 2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/abstractions/ubuntu-helpers 2015-06-03 18:16:42.022380000 +0000
-@@ -66,7 +66,8 @@
+@@ -63,8 +63,8 @@
+ # in limited libraries so glibc's secure execution should be enough to not
+ # require the santized_helper (ie, LD_PRELOAD will only use standard system
+ # paths (man ld.so)).
+- /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+- /usr/lib/chromium-browser/chrome-sandbox PUxr,
++ # /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
++ # /usr/lib/chromium-browser/chrome-sandbox PUxr,
+ /opt/google/chrome/chrome-sandbox PUxr,
+ /opt/google/chrome/google-chrome Pixr,
+ /opt/google/chrome/chrome Pixr,
+@@ -73,7 +73,8 @@
# Full access
/ r,
/** rwkl,
- /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
-+ /{,usr/,usr/local/}lib{32,64}/{,**/}*.so{,.*} m,
-+ /{,usr/,usr/local/}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}{,**/}*.so{,.*} m,
++ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}{,**/}*.so{,.*} m,
++ /usr{/,/local/}lib{,32,64}/{,**/}*.so{,.*} m,
# Dangerous files
audit deny owner /**/* m, # compiled libraries
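Review bot: The rewritten mmap rule in the sanitized_helper hunk no longer covers `/lib32/` and `/lib64/` at the filesystem root: the dropped `/{,usr/,usr/local/}lib{32,64}/{,**/}*.so{,.*} m,` matched them, whereas the new `/usr{/,/local/}lib{,32,64}/{,**/}*.so{,.*} m,` only matches below /usr and /usr/local and the new `/lib/{[^l],...}` line only matches /lib itself. If that narrowing is unintended, restoring it is one line next to the new /lib rule, `/lib{32,64}/{,**/}*.so{,.*} m,`; if it is intended (those directories may simply be absent on the target system), a one-line comment in the patch saying so would keep the next re-diff from bringing the old form back. The two chromium-browser sandbox lines earlier in the same hunk are turned into comments with no explanation; assuming they are the source of the conflicting x modifiers the commit message describes, a comment such as `# disabled: AppArmor 2.9 rejects sanitized_helper with conflicting x modifiers when these are enabled` would record that for whoever re-diffs this patch against the next AppArmor release.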