summaryrefslogtreecommitdiffstats
path: root/config/chroot_local-patches/apparmor-aliases.diff
blob: 2d0cef07fa4a8edb08d639cf81202f30c81fc24d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
--- a/etc/apparmor.d.orig/abstractions/base	2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/abstractions/base	2015-06-03 18:11:08.402380000 +0000
@@ -47,17 +47,19 @@
   # available everywhere
   /etc/ld.so.cache               mr,
   /lib{,32,64}/ld{,32,64}-*.so   mrix,
-  /lib{,32,64}/**/ld{,32,64}-*.so     mrix,
+  /lib{32,64}/**/ld{,32,64}-*.so     mrix,
+  /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/ld{,32,64}-*.so     mrix,
   /lib/@{multiarch}/ld{,32,64}-*.so    mrix,
   /lib/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
   /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
   /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
 
   # we might as well allow everything to use common libraries
-  /lib{,32,64}/**                r,
+  /lib{32,64}/**                r,
+  /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**                r,
   /lib{,32,64}/lib*.so*          mr,
-  /lib{,32,64}/**/lib*.so*       mr,
-  /lib/@{multiarch}/**            r,
+  /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/lib*.so*       mr,
+  /lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}**            r,
   /lib/@{multiarch}/lib*.so*      mr,
   /lib/@{multiarch}/**/lib*.so*   mr,
   /usr/lib{,32,64}/**            r,
diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /etc/apparmor.d/abstractions/ubuntu-helpers
--- a/etc/apparmor.d.orig/abstractions/ubuntu-helpers	2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/abstractions/ubuntu-helpers	2015-06-03 18:16:42.022380000 +0000
@@ -63,8 +63,8 @@
   # in limited libraries so glibc's secure execution should be enough to not
   # require the santized_helper (ie, LD_PRELOAD will only use standard system
   # paths (man ld.so)).
-  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
-  /usr/lib/chromium-browser/chrome-sandbox PUxr,
+  # /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+  # /usr/lib/chromium-browser/chrome-sandbox PUxr,
   /opt/google/chrome/chrome-sandbox PUxr,
   /opt/google/chrome/google-chrome Pixr,
   /opt/google/chrome/chrome Pixr,
@@ -73,7 +73,8 @@
   # Full access
   / r,
   /** rwkl,
-  /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
+  /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}{,**/}*.so{,.*} m,
+  /usr{/,/local/}lib{,32,64}/{,**/}*.so{,.*} m,
 
   # Dangerous files
   audit deny owner /**/* m,              # compiled libraries
diff -Naur '--exclude=cache' /etc/apparmor.d.orig/tunables/alias /etc/apparmor.d/tunables/alias
--- a/etc/apparmor.d.orig/tunables/alias	2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/tunables/alias	2015-06-03 18:12:46.426380000 +0000
@@ -14,3 +14,7 @@
 #
 # Or if mysql databases are stored in /home:
 # alias /var/lib/mysql/ -> /home/mysql/,
+
+alias / -> /lib/live/mount/overlay/,
+alias / -> /lib/live/mount/rootfs/*.squashfs/,
+