author intrigeri <intrigeri@boum.org> 2015-06-04 12:38:03 +0000
committer intrigeri <intrigeri@boum.org> 2015-06-04 12:48:56 +0000
commit 551d372d12931c41f88aee83eb2bcc5fae66d55a
tree 8483c225d51aaee49862d3d60d24631960af508f
parent ba3de99840c2a1cc7ff9b5b2ec11c2881a0e71be
Pidgin AppArmor profile: disable launchpad-integration abstraction.

That abstraction gives /usr/bin/launchpad-integration wide open access to many files and executables; on the one hand we don't care much, since we don't ship that binary. On the other hand, some of those wide-open rules (for example, those about /** and /{,usr/}lib*/{,**/}*.so{,.*}) won't play well with aliases: they make the policy needlessly hard to audit, and may increase its compilation time.

The Pidgin profile is the only one we currently ship that includes the launchpad-integration abstraction. Same on my current Debian sid, so we should be good at least for Tails/Jessie (and possibly even for Tails/Stretch).
-rw-r--r-- config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff 14
1 files changed, 12 insertions, 2 deletions
diff --git a/config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff b/config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff
index 91c41fa..8e180d8 100644
--- a/config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff
+++ b/config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff
@@ -1,5 +1,14 @@
---- a/etc/apparmor.d/usr.bin.pidgin 2014-10-30 17:47:51.945948920 +0100
-+++ b/etc/apparmor.d/usr.bin.pidgin 2014-10-30 17:48:29.273511368 +0100
+--- a/etc/apparmor.d/usr.bin.pidgin 2015-06-04 12:37:02.453412928 +0000
++++ b/etc/apparmor.d/usr.bin.pidgin 2015-06-04 12:37:40.309205204 +0000
+@@ -11,7 +11,7 @@
+ #include <abstractions/enchant>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+- #include <abstractions/launchpad-integration>
++ # #include <abstractions/launchpad-integration>
+ #include <abstractions/nameservice>
+ #include <abstractions/private-files-strict>
+ #include <abstractions/ssl_certs>
@@ -46,6 +46,7 @@
/usr/bin/gvfs-open rmix,
/usr/bin/pidgin r,
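Review bot: the disabled include in the added embedded hunk `@@ -11,7 +11,7 @@` (`# #include <abstractions/launchpad-integration>`) carries no explanation in the profile itself, so the reason lives only in the commit message. Because `#include` is a live directive in AppArmor profiles, a bare `# #include` is easy to mistake for a typo and "fix" later; consider adding a one-line comment above it in the patched profile stating that the abstraction is disabled on purpose and why (its wide-open rules do not combine well with aliases). The refreshed timestamps on the embedded `---`/`+++` lines are regeneration noise and harmless.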
@@ -8,3 +17,4 @@
/usr/share/gnome/applications/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
+
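Review bot: the only change in this hunk is the final added line, which shows no content, at the tail of the embedded hunk whose header `@@ -46,6 +46,7 @@` is left unchanged. If it is a blank trailing context line, please confirm that the embedded hunk's line counts still agree with that header and that the patch applies to usr.bin.pidgin without fuzz; if it is only a stray newline from regenerating the file, drop it so this commit stays limited to the launchpad-integration change.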