--- apparmor-2.1+1075.orig/tests/stress/subdomain/uservars.inc +++ apparmor-2.1+1075/tests/stress/subdomain/uservars.inc @@ -28,8 +28,10 @@ if [ -z "`grep '^subdomain ' /proc/modules`" ] then if [ -z "`grep '^apparmor ' /proc/modules`" ] ; then - echo "$0: subdomain module not loaded" >&2 - exit 1 + if [ ! -d "/sys/module/apparmor" ] ; then + echo "$0: apparmor module not loaded" >&2 + exit 1 + fi fi fi --- apparmor-2.1+1075.orig/debian/libpam-apparmor.docs +++ apparmor-2.1+1075/debian/libpam-apparmor.docs @@ -0,0 +1 @@ +changehat/pam_apparmor/README --- apparmor-2.1+1075.orig/debian/rules +++ apparmor-2.1+1075/debian/rules 
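Review bot: The new `[ ! -d "/sys/module/apparmor" ]` test treats a present sysfs directory as "loaded", and it is only reached when neither `subdomain` nor `apparmor` appears in `/proc/modules`, so a built-in LSM that was disabled at boot may still pass, while a test box without sysfs mounted now fails with the module actually loaded. If the kernel under test exposes `/sys/module/apparmor/parameters/enabled`, testing its value instead of the bare directory would cover the disabled case; either way a comment on the new `if` such as `# a built-in apparmor has no /proc/modules entry; fall back to sysfs` records why the fallback exists. The surrounding script continues outside the hunk.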
@@ -0,0 +1,217 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# libapparmor uses autotools
+export DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+# FOR AUTOCONF 2.52 AND NEWER ONLY
+CONFFLAGS =
+ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ CONFFLAGS += --build $(DEB_HOST_GNU_TYPE)
+else
+ CONFFLAGS += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+endif
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+ # Regenerate all files. This should be done by the maintainer
+ # before building the source package and not at build time.
+ cd changehat/libapparmor ; sh autogen.sh
+ rm -f changehat/libapparmor/config.cache
+ cd changehat/libapparmor ; sh configure $(CONFFLAGS) --prefix=/usr
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ # Add here commands to compile the package.
+ cd utils; $(MAKE)
+ cd parser; $(MAKE)
+ cd profiles; $(MAKE)
+
+ touch $@
+
+clean: clean-patched
+clean-patched:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ -cd utils; $(MAKE) clean; rm -f common
+ -cd parser; $(MAKE) clean; rm -f common libapparmor_re/regexp.o libapparmor_re/regexp.cc
+ -cd profiles; $(MAKE) clean; rm -f common
+ -cd changehat/libapparmor; $(MAKE) maintainer-clean
+ -find changehat/libapparmor/ -type d -name autom4te.cache -print0 | xargs -0 -r rm -rf \;
+ -find changehat/libapparmor/ -type d -name build -print0 | xargs -0 -r rm -rf \;
+ # Remove config.sub, config.guess, ltmain.sh as they will be linked
+ # during build time (as suggested by the autotools-dev package)
+ -find changehat/libapparmor/ \( -name config.sub -o -name config.guess -o -name ltmain.sh \) -print0 | xargs -0 -r rm -f \;
+ # Remove all Makefile.in as they will regenerated at build time
+ # by autogen.sh
+ -find changehat/libapparmor/ \( -name Makefile.in \) -print0 | xargs -0 -r rm -f \;
+ # Final static cleanups: other files that are auto-generated by
+ # autotools
+ if [ -r debian/deletable.files ] ; then \
+ xargs -t -r rm -f < debian/deletable.files ;\
+ fi
+ -cd changehat/mod_apparmor; $(MAKE) clean; rm -f common
+ #-cd changehat/pam_apparmor; $(MAKE) clean; rm -f common
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Utils
+ cd utils; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/apparmor-utils \
+ PERLDIR=$(CURDIR)/debian/apparmor-utils/usr/share/perl5/Immunix \
+ install
+
+ # Parser
+ cd parser; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/apparmor \
+ install
+ mv $(CURDIR)/debian/apparmor/lib/apparmor/rc.* $(CURDIR)/debian/apparmor/etc/apparmor/
+ mkdir -p $(CURDIR)/debian/apparmor/etc/apparmor.d/disable
+ mkdir -p $(CURDIR)/debian/apparmor/etc/apparmor.d/force-complain
+ rm -rf $(CURDIR)/debian/apparmor/lib
+
+ # Changehat via libapparmor
+ cd changehat/libapparmor; $(MAKE) \
+ RELEASE=$(shell dpkg-parsechangelog | grep ^Version | cut -d+ -f2 | cut -d. -f1) \
+ DESTDIR=$(CURDIR)/debian/libapparmor1 \
+ install
+ # don't include deprecated library and headers
+ rm -f $(CURDIR)/debian/libapparmor1/usr/lib/*immunix*
+ rm -f $(CURDIR)/debian/libapparmor1/usr/include/sys/immunix.h
+ # libapparmor-dev
+ mkdir -p $(CURDIR)/debian/libapparmor-dev/usr/lib
+ mv $(CURDIR)/debian/libapparmor1/usr/lib/libapparmor.a $(CURDIR)/debian/libapparmor-dev/usr/lib/
+ mv $(CURDIR)/debian/libapparmor1/usr/lib/libapparmor.la $(CURDIR)/debian/libapparmor-dev/usr/lib/
+ cp -P $(CURDIR)/debian/libapparmor1/usr/lib/libapparmor.so $(CURDIR)/debian/libapparmor-dev/usr/lib/
+ mv $(CURDIR)/debian/libapparmor1/usr/include $(CURDIR)/debian/libapparmor-dev/usr
+
+ # Changehat via mod_apparmor
+ cd changehat/mod_apparmor; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/libapache2-mod-apparmor \
+ LIBAPPARMOR_FLAGS="-I$(CURDIR)/debian/libapparmor-dev/usr/include -L$(CURDIR)/debian/libapparmor1/usr/lib -lapparmor" \
+ install
+ mkdir -p $(CURDIR)/debian/libapache2-mod-apparmor/etc/apache2/mods-available
+ echo "LoadModule apparmor_module /usr/lib/apache2/modules/mod_apparmor.so" > $(CURDIR)/debian/libapache2-mod-apparmor/etc/apache2/mods-available/apparmor.load
+ # Fix rpath in mod_apparmor.so
+ chrpath -d $(CURDIR)/debian/libapache2-mod-apparmor/usr/lib/apache2/modules/mod_apparmor.so
+
+ # Changehat via libpam-apparmor
+ cd changehat/pam_apparmor; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/libpam-apparmor \
+ CFLAGS="$(CFLAGS) -I$(CURDIR)/debian/libapparmor-dev/usr/include" \
+ LIBS="-L$(CURDIR)/debian/libapparmor1/usr/lib -lapparmor -lpam" \
+ install
+
+ # Fix rpath in pam_apparmor.so
+ chrpath -d $(CURDIR)/debian/libpam-apparmor/lib/security/pam_apparmor.so
+
+ # Remove libapparmor.so now that mod_apparmor and libpam-apparmor have
+ # been built.
+ rm $(CURDIR)/debian/libapparmor1/usr/lib/libapparmor.so
+
+ # Profiles
+ cd profiles; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/apparmor-profiles \
+ EXTRAS_DEST=$(CURDIR)/debian/apparmor-profiles/usr/share/doc/apparmor-profiles/extras \
+ install
+
+ # Delete aa-eventd and Reports.pm
+ rm -f $(CURDIR)/debian/apparmor-utils/usr/sbin/aa-eventd
+ rm -f $(CURDIR)/debian/apparmor-utils/usr/share/perl5/Immunix/Reports.pm
+
+ # Delete existing enabled profiles that also appear in extras
+ rm -f $(CURDIR)/debian/apparmor-profiles/usr/share/doc/apparmor-profiles/extras/usr.sbin.mysqld
+
+ # Move tunable/ and abstractions/ in apparmor
+ # as long as apparmor-profiles is in universe.
+ mv $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/tunables/ $(CURDIR)/debian/apparmor/etc/apparmor.d/
+ mv $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/abstractions/ $(CURDIR)/debian/apparmor/etc/apparmor.d/
+
+ # Apparmor-doc
+ install -d $(CURDIR)/debian/apparmor-docs/usr/share/doc/apparmor-docs/
+ cp parser/techdoc.pdf $(CURDIR)/debian/apparmor-docs/usr/share/doc/apparmor-docs/
+
+ dh_install
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples
+# dh_install
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_python
+ dh_installinit --update-rcd-params='start 37 S .' --no-restart-on-upgrade --error-handler=true
+# dh_installcron
+# dh_installinfo
+ dh_installman
+ dh_link
+ dh_strip
+ dh_compress -Xextras
+ dh_fixperms
+ dh_perl
+ dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
+
+VERSION=$(shell dpkg-parsechangelog | grep ^Version | cut -d+ -f1 | cut -d\ -f2)
+SVN_RELEASE=$(shell dpkg-parsechangelog | grep ^Version | cut -d+ -f2 | cut -d. -f1 | cut -d- -f1)
+ORIG_FILE=$(CURDIR)/../apparmor_$(VERSION)+$(SVN_RELEASE).orig.tar.gz
+SVN_CO_DIR=$(CURDIR)/apparmor
+get-orig-source:
+ test ! -e $(ORIG_FILE)
+ test ! -e $(SVN_CO_DIR)
+ svn co -r $(SVN_RELEASE) https://forgesvn1.novell.com/svn/apparmor/trunk $(SVN_CO_DIR)
+ tar czf $(ORIG_FILE) -C `dirname $(SVN_CO_DIR)` --exclude .svn `basename $(SVN_CO_DIR)`
+ rm -rf $(SVN_CO_DIR)
--- apparmor-2.1+1075.orig/debian/control
+++ apparmor-2.1+1075/debian/control
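Review bot: `dh_installinit ... --error-handler=true` in `binary-arch` makes a failing `apparmor start` invisible at install time: the generated postinst continues and exits 0 even when the parser failed to load profiles, so the system carries on without confinement and nothing in the install log says so. A named handler keeps installs non-blocking while leaving a trace, e.g. define `apparmor_init_failed() { echo "apparmor: init script failed, profiles may not be loaded" >&2; }` before `#DEBHELPER#` in debian/apparmor.postinst and pass `--error-handler=apparmor_init_failed`. Separately, the inline `RELEASE=$(shell dpkg-parsechangelog | grep ^Version | cut -d+ -f2 | cut -d. -f1)` in the libapparmor install step lacks the trailing `cut -d- -f1` that `SVN_RELEASE` applies, so for the current version `2.1+1075-0ubuntu7` it expands to `1075-0ubuntu7` while `SVN_RELEASE` gives `1075`; `RELEASE=$(SVN_RELEASE) \` reuses the single definition. `get-orig-source` and `clean-patched` are also missing from the `.PHONY` list.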
@@ -0,0 +1,73 @@
+Source: apparmor
+Section: base
+Priority: extra
+Maintainer: Ubuntu Core Developers
+XSBC-Original-Maintainer: Magnus Runesson
+Build-Depends: debhelper (>= 5), flex, bison, bzip2, apache2-prefork-dev, libpam-dev, autotools-dev, libtool, automake, autoconf, chrpath, texlive-latex-base
+Build-Depends-Indep: perl (>= 5.8.0-1)
+Standards-Version: 3.7.2
+Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/apparmor/ubuntu
+
+Package: apparmor
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, upstart-compat-sysv | sysvinit
+Replaces: apparmor-parser
+Recommends: apparmor-profiles
+Suggests: apparmor-docs, apparmor-modules-source
+Description: User-space parser utility for AppArmor
+ AppArmor Parser is a user level programs that is used to load in program
+ profiles to the AppArmor Security kernel module.
+
+Package: apparmor-utils
+Architecture: any
+Depends: apparmor, libterm-readkey-perl, librpc-xml-perl, ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}
+Recommends: libterm-readline-gnu-perl
+Suggests: apparmor-docs
+Description: Utilities for controlling AppArmor
+ This provides some useful programs to help create and manage
+ AppArmor profiles.
+
+Package: apparmor-profiles
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Recommends: apparmor
+Description: Profiles for AppArmor Security policies
+ Base AppArmor profiles (aka security policy). AppArmor is a file
+ mandatory access control mechanism. AppArmor confines processes
+ to the resources allowed by the systems administrator and can
+ constrain the scope of potential security vulnerabilities.
+
+Package: apparmor-docs
+Architecture: all
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Documentation for AppArmor
+ HTML and PDF documentation for AppArmor.
+
+Package: libapparmor-dev
+Section: libdevel
+Architecture: any
+Depends: libapparmor1 (= ${binary:Version})
+Description: changehat development libraries and header files
+ This package provides the develpment libraries and header files needed to
+ link against the AppArmor changehat function.
+
+Package: libapparmor1
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: changehat AppArmor library
+ Library for allowing AppArmor changehat function.
+
+Package: libapache2-mod-apparmor
+Section: libs
+Architecture: any
+Depends: apache2.2-common, ${shlibs:Depends}, ${misc:Depends}
+Description: changehat AppArmor library as an Apache module
+ Library for allowing AppArmor changehat function in Apache.
+
+Package: libpam-apparmor
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: changehat AppArmor library as a PAM module
+ Library for allowing AppArmor changehat function via PAM.
--- apparmor-2.1+1075.orig/debian/apparmor.prerm
+++ apparmor-2.1+1075/debian/apparmor.prerm
@@ -0,0 +1,23 @@
+#!/bin/sh
+# prerm script for apparmor
+#
+# see: dh_installdeb(1)
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `upgrade'
+# * `failed-upgrade'
+# * `remove' `in-favour'
+# * `deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- apparmor-2.1+1075.orig/debian/apparmor.postinst
+++ apparmor-2.1+1075/debian/apparmor.postinst
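Review bot: `libapparmor-dev`'s `Depends:` lists only `libapparmor1 (= ${binary:Version})` and drops the `${misc:Depends}` that every other binary package in this file carries, so whatever the debhelper tools substitute there is silently lost for that one package; `Depends: libapparmor1 (= ${binary:Version}), ${misc:Depends}` keeps it consistent. The descriptions also read `develpment` and `a user level programs that is used`, which the next upload could correct.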
@@ -0,0 +1,40 @@
+#!/bin/sh
+# postinst script for apparmor
+#
+# see: dh_installdeb(1)
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# Now that AppArmor is started, attempt to reload profiles in the
+# case of upgrades (since dh_installinit has been forced not to unload
+# the profiles in the case of an upgrade).
+case "$1" in
+ configure)
+ if [ -x "/etc/init.d/apparmor" ]; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ invoke-rc.d apparmor reload || true
+ else
+ /etc/init.d/apparmor reload || true
+ fi
+ fi
+ ;;
+esac
+
+exit 0
--- apparmor-2.1+1075.orig/debian/changelog
+++ apparmor-2.1+1075/debian/changelog
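Review bot: `invoke-rc.d apparmor reload || true` and the `/etc/init.d/apparmor reload || true` fallback discard the reload result, so an upgrade whose new profiles fail to parse completes with exit 0 and, per the comment above the `case`, presumably leaves the previously loaded profiles in effect with nothing in the install log to say so. Keeping the install non-blocking while recording the outcome is a one-line change in each branch: `invoke-rc.d apparmor reload || echo "apparmor: profile reload failed; previously loaded profiles remain in effect" >&2`. The `[ -x "`which invoke-rc.d 2>/dev/null`" ]` probe works but `command -v invoke-rc.d >/dev/null 2>&1` is the portable POSIX form.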
@@ -0,0 +1,441 @@ +apparmor (2.1+1075-0ubuntu7) hardy; urgency=low + + * profiles/apparmor.d/abstractions/nameservice: (LP: #207912) + - fix ldap path + - add nsswitch "db" backend paths + + -- Kees Cook Thu, 27 Mar 2008 14:19:06 -0700 + +apparmor (2.1+1075-0ubuntu6) hardy; urgency=low + + [ Kees Cook ] + * utils/SubDomain.pm: + - fix up mask parsing to match kernel version (LP: #202920). + - fix up syslog parsing regexp to match broken kernels (LP: #202888). + * profiles/apparmor.d/abstractions/base: add licenses path for reading. + * profiles/apparmor.d/abstractions/freedesktop.org: include /usr/local. + * profiles/apparmor.d/usr.sbin.smbd: include print client abstraction. + * profiles/apparmor.d/abstractions/nameservice: include missing gai.conf + (LP: #202991). + + [ Jamie Strandboge ] + * add Debian Policy compliant way to toggle complain mode (LP: #203137) + - parser/rc.apparmor.functions: add '-C' to PARSER_ARGS if + force-complain/ exists + - utils/enforce: remove symlink in force-complain/ + - debian/rules: create /etc/apparmor.d/force-complain + + -- Kees Cook Mon, 17 Mar 2008 10:28:23 -0700 + +apparmor (2.1+1075-0ubuntu5) hardy; urgency=low + + * profiles/apparmor.d/abstractions/python: update shared python locations. + * debian/control: adjust Depends to allow sysvinit (LP: #199871). + + -- Kees Cook Tue, 11 Mar 2008 15:25:11 -0700 + +apparmor (2.1+1075-0ubuntu4) hardy; urgency=low + + [ Jamie Strandboge ] + * removed usr.sbin.named and usr.sbin.mysqld, as these will be provided + be bind9 and mysql-server-5.0, respectively. + + [ Mathias Gug ] + * profiles/apparmor.d/abstractions/ssl_keys: add ssl_keys abstraction, to + be used by profiles accessing ssl privates keys. + + [ Rick Clark ] + * added abstraction for likewise-open. 
+ + -- Mathias Gug Wed, 13 Feb 2008 19:16:12 -0500 + +apparmor (2.1+1075-0ubuntu3) hardy; urgency=low + + * profiles/apparmor.d/abstractions/fonts: add missing ~/.fonts.conf + * profiles/apparmor.d/sbin.klogd: add newly needed @{PROC}/kallsyms + + -- Kees Cook Wed, 16 Jan 2008 14:16:18 -0800 + +apparmor (2.1+1075-0ubuntu2) hardy; urgency=low + + * utils/apparmor_status: fix module loaded test to handle built-in. + + -- Kees Cook Thu, 03 Jan 2008 17:24:40 -0800 + +apparmor (2.1+1075-0ubuntu1) hardy; urgency=low + + [ Mathias Gug ] + * profiles/apparmor.d/abstractions/nameservice: update nameservice + abstraction to support nscd setup. + + [ Kees Cook ] + * merge with upstream trunk revision 1075. + * debian/{control,apparmor.postrm,apparmor.postinst,apparmor.initramfs}: + dropped module hook since module is loaded in kernel automatically now. + * debian/rules: tweaked get-orig-source to use defined variables. + * debian/copyright: mention "get-orig-source" build rule. + * debian/{rules,control,libpam-apparmor.docs}: add libpam-apparmor now + that PAM is 0.99. + + -- Kees Cook Thu, 03 Jan 2008 13:29:31 -0800 + +apparmor (2.1+993-0ubuntu3) gutsy; urgency=low + + [ Mathias Gug ] + * Add mdns4 resolution to nameservice abstraction. (LP: #148579). + * Update syslog-ng profile. (LP: #148708). + * Add xen tls libraries to base abstraction. (LP: #150282). + * Update cups-client abstraction: add /var/run/cups/cups.sock. (LP: #151269) + + [ Kees Cook ] + * Adjust KDE abstractions for Ubuntu paths (LP: #148309). + + -- Kees Cook Fri, 12 Oct 2007 12:54:36 -0700 + +apparmor (2.1+993-0ubuntu2) gutsy; urgency=low + + [ Mathias Gug ] + * debian/control: Set maintainer to Ubuntu Core Developers. + * utils/SubDomain.pm, utils/logprog.conf: refactor readprofiledir() to not + fail on non-existing profile directory. Fixes LP: #141128. + * debian/rules: don't compress profiles in doc/extras/. + * utils/SubDomain.pm: Fix regex so that aa-logprof can find audit messages + in syslog files. 
Fixes LP: #140508. + * Update usr.sbin.nscd profile. Fixes LP: #144383. + + [ Kees Cook ] + * abstractions/gnupg: drop bad attempt at general-purpose client rule. + * abstractions/fonts: adjust for new syntax, add more local fonts paths. + * abstractions/nameservice: add mmap permission to some /etc files. + + -- Kees Cook Tue, 25 Sep 2007 10:23:29 -0700 + +apparmor (2.1+993-0ubuntu1) gutsy; urgency=low + + * new merge from upstream: + * fixes to support new audit messages sent by the kernel module. + * bump in minor library version for libapparmor. + * debian/control: Add perl libterm-readkey-perl and librpc-xml-perl + dependencies for apparmor-utils. Fixes LP: #139757, LP: #139091. + * utils/SubDomain.pm: Re-enable RPC client for remote repositories. + * profiles/apparmor.d/sbin.syslogd: update profile. + Fixes LP: #140672, LP: #140274. + + -- Mathias Gug Tue, 18 Sep 2007 11:12:50 -0400 + +apparmor (2.1+961-0ubuntu5) gutsy; urgency=low + + * utils/SubDomain.pm, parser/rc.apparmor.functions: skip .dpkg-dist profiles. + * debian/rules, debian/apparmor.postinst: fix postinst script failure on + upgrades. Fix LP: #139683. + + -- Mathias Gug Fri, 14 Sep 2007 17:20:01 -0400 + +apparmor (2.1+961-0ubuntu4) gutsy; urgency=low + + [ Mathias Gug ] + * debian/rules: Fix libapparmor-dev build. + * apparmor-profiles: remove gnupg.moved. + + [ Kees Cook ] + * abstractions: adjust gnome for new syntax. + * abstractions: adjust aspell to add locking. + + -- Kees Cook Fri, 14 Sep 2007 09:34:15 -0700 + +apparmor (2.1+961-0ubuntu3) gutsy; urgency=low + + [ Mathias Gug ] + * Update avahi-daemon profile: add m permission to /etc/password and + /etc/group. + + [ Kees Cook ] + * Rename libapparmor1-dev back to libapparmor-dev. + + -- Kees Cook Thu, 13 Sep 2007 15:44:30 -0700 + +apparmor (2.1+961-0ubuntu2) gutsy; urgency=low + + [ Mathias Gug ] + * Disable html documentation: Fixes LP: #139091. + * parser/Makefile, debian/rules: disable html documentation building. 
+ * debian/control: remove latex2html dependency. + * profiles/apparmor.d/usr.sbin.avahi-daemon: add sys_chroot capability. + Fixes LP: #139092. + + [ Kees Cook ] + * profiles/apparmor.d/abstractions/user-tmp: adjust directory permissions + for newly unmasked /tmp handling (LP: #138978). + * utils/SubDomain.pm: disable remote repositories until RPC::XML MIR + clears (LP: 139091). + * utils/*.pod: adjust for Ubuntu paths and "aa-" prefixes (LP: #116647). + * Fix upgrades to not unload profiles, which would cause programs to + become unconfined: + - debian/rules: don't stop apparmor on upgrades. + - debian/apparmor.postinst: reload profiles after a configure. + + -- Kees Cook Wed, 12 Sep 2007 13:14:02 -0700 + +apparmor (2.1+961-0ubuntu1) gutsy; urgency=low + + * New upstream version. + * Support resolvconf. Fix LP: #132468. + * Move package maintainance to bzr: + * Apply all patches directly into the tree with dpatch apply-all. + * debian/patches/: remove all patches as they are applied inline now. + * debian/control, debian/control.modules.in: remove dpatch from + Build Depends. + * debian/rules: + * remove dpatch include. + * remove patch and unpatch dependencies + * debian/control: + * Rename libapparmor-dev to libapparmor1-dev. + Add Provides: and Conflict: tags. + * Remove universe component in Section tag. + * Remove apparmor-utils depends on bsdutils. + * Update apparmor-modules Recommends to apparmor-modules-2.1. + * utils/: + * Add audit man page. + * Fix mod_appamor library: remove rpath info. + * debian/rules: remove rpath info. + * debian/control: add chrpath as a build dependency. + * Remove apparmor-modules-source package: + * debian/conrol: remove apparmor-modules-source package. + * debian/apparmor.postinst, debian/apparmor.preinst, + debian/apparmor.prerm: remove error_handler function. + * debian/rules: remove error_handler option from dh_installinit. 
+ * debian/apparmor-modules-_KVERS_.postinst.modules.in, + debian/control.modules.in: remove control and postinst files. + + -- Mathias Gug Tue, 11 Sep 2007 10:44:56 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu25) gutsy; urgency=low + + * debian/rules: move tunables/ and abstractions/ in apparmor package. + Fixes LP: #130114. + + -- Mathias Gug Mon, 06 Aug 2007 14:40:37 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu24) gutsy; urgency=low + + * Cannot Depend on apparmor-modules-* in apparmor due to germinate + issues. Moved to Recommends. + + -- Kees Cook Mon, 23 Jul 2007 11:08:38 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu23) gutsy; urgency=low + + * debian/control: add explicit Depends on l-u-m apparmor kernel modules. + + -- Kees Cook Wed, 18 Jul 2007 21:07:03 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu22) gutsy; urgency=low + + * 13-subdomain.pm-skip-files.dpatch: update isSkippable function in + SubDomain.pm to skip the same files as rc.apparmor.functions (used by the + init script) : .dpkg-old, .dpkg-new and symlinks in disable/ + sub-directory. + + -- Mathias Gug Thu, 12 Jul 2007 06:56:45 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu21) gutsy; urgency=low + + * 07-apparmor-init-script.dpatch, debian/rules: skip profiles that have a + link in /etc/apparmor.d/disable. Update rules file : create + /etc/apparmor.d/disable. + + -- Mathias Gug Mon, 09 Jul 2007 11:07:29 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu20) gutsy; urgency=low + + * debian/control + - fix typo in XS-Vcs. + - adjust apparmor-modules-source to no longer be required and document + the fact that the modules come from the linux-ubuntu-modules package + now. + - add initramfs-tools for loading apparmor modules early. + * debian/apparmor.{initramfs,postinst,prerm}, debian/rules: install + initramfs hook and update-initramfs for adding armor modules for boot. 
+ + -- Kees Cook Fri, 06 Jul 2007 03:41:06 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu19) gutsy; urgency=low + + * Update 11-getprocattr-api.dpatch: pass back the correct string pointer + so as to not corrupt kernel memory (LP: #123081). + * debian/control: add XS-Vcs for bzr branch. + + -- Kees Cook Tue, 03 Jul 2007 09:07:52 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu18) gutsy; urgency=low + + * 02-profile-abstractions-ubuntu.dpatch: add m permission for all libraries + under /usr/lib/**, so that ssl libraries optimized for i686 can be + accessed. + * 09-profile-usr-sbin-mysqld.dpatch: add m permission to /etc/passwd, + /etc/group. + * 12-profile-samba.dpatch: add profile for smbd and nmbd daemons from + samba. + * 99-complain-all-profiles.dpatch: turn complain mode for smbd and nmbd + profiles. + + -- Mathias Gug Fri, 29 Jun 2007 15:19:15 +0200 + +apparmor (2.0.1+510.dfsg-0ubuntu17) gutsy; urgency=low + + * Update 11-getprocattr-api.dpatch: match upstream more closely, check + for errors. + + -- Kees Cook Tue, 26 Jun 2007 16:00:08 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu16) gutsy; urgency=low + + * Added 11-getprocattr-api.dpatch: update kernel module for getprocattr + API change (LP: #122444). + + -- Kees Cook Tue, 26 Jun 2007 15:21:54 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu15) gutsy; urgency=low + + * debian/apparmor.init: do not unload apparmor module on stop, since it + already defaults to capabilities-compatible fall back and we don't want + to lose the started process knowledge of the module for the next load of + the parser. + * Added 10-namespace-header.dpatch: include namespace_sem extern, since + mnt_namespace.h is missing it currently. + * Updated 07-apparmor-init-script.dpatch: ignore .dpkg-old profiles. + + -- Kees Cook Tue, 26 Jun 2007 10:04:54 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu14) gutsy; urgency=low + + * Correct missing libapparmor1 file contents. 
+ + -- Kees Cook Thu, 21 Jun 2007 08:04:42 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu13) gutsy; urgency=low + + * 02-profile-abstractions-ubuntu.dpatch: add /lib/tls/i686/cmov/lib* to base + abstraction to support i686 optimized libraries from libc6-i686 package. + * 09-profile-usr-sbin-mysqld.dpatch: + * add profile usr.sbin.mysqld + * update abstractions/mysql + * debian/rules: remove extras/usr.sbin.mysqld. + * 99-complain-all-profiles.dpatch: + * put mysqld profile in complain mode. + * put named profile in complain mode. + + -- Mathias Gug Wed, 20 Jun 2007 12:12:28 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu12) gutsy; urgency=low + + * Add missing dh_makeshlibs call to rules, fix up libapparmor naming. + + -- Kees Cook Wed, 20 Jun 2007 09:15:48 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu11) gutsy; urgency=low + + * Packaged libapparmor, libapparmor-dev, and libapache2-mod-apparmor. + + -- Kees Cook Mon, 18 Jun 2007 18:27:46 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu10) gutsy; urgency=low + + * 02-profile-abstractions-ubuntu.dpatch, 06-profile-usr-sbin-named.dpatch: + move /dev/random into abstractions/base. + * 06-profile-usr-sbin-named.dpatch: Add sys_chroot capability. + * debian/rules: don't package aa-eventd and Reports.pm as they use perl + modules not maintained in main. + Reports.pm is only used by Yast for now. aa-eventd maintains an + sqlite database of audit messages which is used by Reports.pm. + If configured (not by default), aa-eventd can also send emails when + AppArmor audit messages are emited. + * debian/control: Add universe component to Section: header. Needed to make + it work with PPA. + + -- Mathias Gug Fri, 15 Jun 2007 12:47:05 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu9) gutsy; urgency=low + + * 06-profile-usr-sbin-named.dpatch : Generate a new profile for + /usr/sbin/named to make it work with bind9. + * debian/apparmor.init, 07-apparmor-init-script.dpatch: merge ubuntu + changes with the latest version from upstream. 
+ * 99-complain-all-profiles.dpatch : put all profiles into complain mode by + default. + Add a small script (put-all-profiles-in-complain-mode.sh) in + debian/ that takes care of automatically setting all profiles into + complain mode. This script should be used by the maintainer to set all + profiles in complain mode before packaging them. + + -- Mathias Gug Wed, 6 Jun 2007 13:41:57 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu8) gutsy; urgency=low + + * Start apparmor as early as possible in the boot process : just after + mountall in rcS.d. Add preinst script to remove symlinks previously + installed in rc*.d/. + (LP: #116624). + * Sync 04-apparmor-status.dpatch with upstream apparmor_status. The previous + patch has been merged in upstream. + * Update klogd profile : add /var/run/klogd/klogd.pid and + /var/run/klogd/kmsg to the profile. + + -- Mathias Gug Thu, 31 May 2007 14:26:03 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu7) gutsy; urgency=low + + * 03-profile-usr-sbin-ntpd.dpatch: udpdate profile for ntpd daemon. Add + /var/lib/ntp/ntp.drift and /var/log/ntpstats/peerstats* to the profile. + + * 04-apparmor-status.dpatch: improve apparmor_status script. Report more + detailed information. + + -- Mathias Gug Tue, 29 May 2007 13:05:55 -0400 + +apparmor (2.0.1+510.dfsg-0ubuntu6) gutsy; urgency=low + + * 02-profile-abstractions-ubuntu.dpatch: Update abstractions for changes + specific to Gnome, Debian, and 32bit on 64bit environments. + * debian/control: adjust Recommends to apparmor-modules-source + (LP: #113553). + * debian/apparmor.init: moved rmmod/modprobe into init script, and dropped + alias to avoid confusion and move control of the LSM closer to loading + the profiles and work around capability already being loaded in the + initrd (LP: #113887). + + -- Kees Cook Thu, 17 May 2007 20:34:41 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu5) gutsy; urgency=low + + * 01-logger-path.dpatch: Fix path to logger (LP: #112147). 
+ + -- Kees Cook Thu, 03 May 2007 11:59:34 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu4) feisty; urgency=low + + * debian/control: move apparmor-modules to Recommends to Avoid + uninstallable situation when AppArmor modules haven't yet been + compiled/installed. + + -- Kees Cook Wed, 11 Apr 2007 11:39:39 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu3) feisty; urgency=low + + * debian/rules, debian/apparmor.{postinst,prerm}: ignore init script + failures so that they don't block package installs/upgrades/uninstalls. + + -- Kees Cook Wed, 11 Apr 2007 08:52:37 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu2) feisty; urgency=low + + * debian/control: add missing Depend on 'dpatch' for modules-source. + + -- Kees Cook Sat, 7 Apr 2007 09:35:16 -0700 + +apparmor (2.0.1+510.dfsg-0ubuntu1) feisty; urgency=low + + * Initial release, thanks to Magnus Runesson and Jesse Michael + (LP: #95334). + + -- Kees Cook Fri, 23 Mar 2007 16:42:01 -0700 --- apparmor-2.1+1075.orig/debian/copyright +++ apparmor-2.1+1075/debian/copyright 
@@ -0,0 +1,143 @@ +This package was debianized by Kees Cook on +Fri, 23 Mar 2007 13:40:47 -0800, based on packages debianized +by Magnus Runesson on +Sun, 18 Mar 2007 13:40:47 +0100. + +It was downloaded from: + http://forge.novell.com/modules/xfmod/svn/svnpage.php/apparmor/ + +It was bundled from Subversion with "debian/rules get-orig-source" + +---------------------------------------- +main code base: + +Upstream Author: apparmor-general@forge.novell.com + +Copyright: 1998-2007 Novell/SuSE/Immunix + +License: + + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this package; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + +On Debian systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. + +---------------------------------------- +module/apparmor/match/pcre_exec.*, +parser/pcre/*, +module-deprecated/aamatch/pcre_exec.*: + +Upstream Author: Philip Hazel + +Copyright: 1997-2001 University of Cambridge + +License: + +Permission is granted to anyone to use this software for any purpose on any +computer system, and to redistribute it freely, subject to the following +restrictions: + +1. This software is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +2. 
The origin of this software must not be misrepresented, either by + explicit claim or by omission. + +3. Altered versions must be plainly marked as such, and must not be + misrepresented as being the original software. + +4. If PCRE is embedded in any software that is released under the GNU + General Purpose Licence (GPL), then the terms of that licence shall + supersede any condition above with which it is incompatible. + +---------------------------------------- +profiles/enabled/sbin.syslog-ng: + +Copyright: 2006 Novell, Christian Boltz + +License: + +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. + +---------------------------------------- +profiles/extras/usr.bin.passwd: + +Copyright: 2006 Novell, Volker Kuhlmann + +License: + +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. + +---------------------------------------- +changehat/pam_apparmor: + +Copyright: 2006 Novell + +License: + +Redistribution and use in source and binary forms of Linux-PAM, with +or without modification, are permitted provided that the following +conditions are met: + +1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + +2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + +3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. 
+ +ALTERNATIVELY, this product may be distributed under the terms of the +GNU General Public License, in which case the provisions of the GNU +GPL are required INSTEAD OF the above restrictions. (This clause is +necessary due to a potential conflict between the GNU GPL and the +restrictions contained in a BSD-style copyright.) + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. + +---------------------------------------- +changehat/libapparmor, changehat/mod_apparmor: + +Copyright: 2003-2006 Novell + +License: GNU Lesser General Public License, version 2.1. + +On Debian systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/LGPL-2.1'. + +---------------------------------------- + +The Debian packaging is (C) 2007, Kees Cook and +is licensed under the GPL, see above. --- apparmor-2.1+1075.orig/debian/apparmor.preinst +++ apparmor-2.1+1075/debian/apparmor.preinst 
@@ -0,0 +1,19 @@
+#!/bin/sh
+# preinst script for apparmor
+#
+# see: dh_installdeb(1)
+set -e
+
+# Remove symlinks in rc[\d].d.
+
+if dpkg --compare-versions "${2}" le-nl "2.0.1+510.dfsg-0ubuntu7"
+then
+ update-rc.d -f apparmor remove
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- apparmor-2.1+1075.orig/debian/put-all-profiles-in-complain-mode.sh
+++ apparmor-2.1+1075/debian/put-all-profiles-in-complain-mode.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+PROFILE_DIR="../profiles/apparmor.d"
+
+for f in ${PROFILE_DIR}/*
+do
+ [ ! -f ${f} ] && continue
+ ! grep -q 'flags=(complain)' $f && sed -i 's/ {$/ flags=(complain) {/' $f
+done
--- apparmor-2.1+1075.orig/debian/deletable.files
+++ apparmor-2.1+1075/debian/deletable.files
@@ -0,0 +1,18 @@
+changehat/libapparmor/aclocal.m4
+changehat/libapparmor/compile
+changehat/libapparmor/config.h.in
+changehat/libapparmor/configure
+changehat/libapparmor/depcomp
+changehat/libapparmor/install-sh
+changehat/libapparmor/missing
+changehat/libapparmor/py-compile
+changehat/libapparmor/ylwrap
+changehat/libapparmor/src/grammar.c
+changehat/libapparmor/src/grammar.h
+changehat/libapparmor/src/scanner.h
+changehat/libapparmor/src/scanner.c
+changehat/libapparmor/doc/change_hat.2
+parser/techdoc.aux
+parser/techdoc.log
+parser/techdoc.pdf
+parser/techdoc.toc
--- apparmor-2.1+1075.orig/debian/apparmor.init
+++ apparmor-2.1+1075/debian/apparmor.init
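Review bot: The sed on the last loop line of put-all-profiles-in-complain-mode.sh rewrites every line that ends in ` {`, not just the profile header, so a hat/subprofile opener or a header that already carries a different flag set (for example `flags=(audit) {`) receives a second `flags=(complain)` and the resulting profile no longer parses. Anchor the substitution to a path-led header and skip lines that already have flags, e.g. `sed -i '/flags=(/!s/^\(\/[^ ]*\) {$/\1 flags=(complain) {/' "$f"`. The per-file `grep -q 'flags=(complain)'` check also skips a file entirely as soon as any one profile or hat in it is already in complain mode, so mixed files keep their enforce-mode entries. `$f` and `${f}` are unquoted throughout; quote them so an unusual profile filename cannot be word-split.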
@@ -0,0 +1,120 @@ +#!/bin/sh +# +# $Id: rc.apparmor.debian 703 2007-05-28 04:42:26Z steve-beattie $ +# +# ---------------------------------------------------------------------- +# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 +# NOVELL (All rights reserved) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, contact Novell, Inc. +# ---------------------------------------------------------------------- +# rc.apparmor by Steve Beattie +# +# /etc/init.d/apparmor +# +# chkconfig: 2345 01 99 +# description: AppArmor rc file. This rc script inserts the apparmor \ +# module and runs the parser on the /etc/apparmor.d/ \ +# directory. +# +### BEGIN INIT INFO +# Provides: apparmor +# Required-Start: +# Required-Stop: +# Default-Start: 3 4 5 +# Default-Stop: 0 1 2 6 +# Short-Description: AppArmor initialization +# Description: AppArmor rc file. This rc script inserts the apparmor +# module and runs the parser on the /etc/apparmor.d/ +# directory. +### END INIT INFO +APPARMOR_FUNCTIONS=/etc/apparmor/rc.apparmor.functions + +aa_action() { + STRING=$1 + shift + $* + rc=$? + if [ $rc -eq 0 ] ; then + aa_log_success_msg $"$STRING " + else + aa_log_failure_msg $"$STRING " + fi + return $rc +} + +aa_log_success_msg() { + [ -n "$1" ] && echo -n $1 + echo ": done." +} + +aa_log_warning_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Warning." +} + +aa_log_failure_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Failed." 
+} + +aa_log_skipped_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Skipped." +} + +usage() { + echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}" +} + +# source apparmor function library +if [ -f "${APPARMOR_FUNCTIONS}" ]; then + . ${APPARMOR_FUNCTIONS} +else + aa_log_failure_msg "Unable to find AppArmor initscript functions" + exit 1 +fi + +test -x ${PARSER} || exit 0 # by debian policy + +case "$1" in + start) + apparmor_start + rc=$? + ;; + stop) + apparmor_stop + rc=$? + ;; + restart|reload|force-reload) + apparmor_restart + rc=$? + ;; + try-restart) + apparmor_try_restart + rc=$? + ;; + kill) + apparmor_kill + rc=$? + ;; + status) + apparmor_status + rc=$? + ;; + *) + usage + exit 1 + ;; + esac +exit $rc --- apparmor-2.1+1075.orig/debian/README.Debian +++ apparmor-2.1+1075/debian/README.Debian 
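Review bot: `aa_action` in debian/apparmor.init runs its command as unquoted `$*` and formats its messages with `$"$STRING "`, and neither is safe under the `#!/bin/sh` interpreter the script declares: `$*` re-splits any argument that contains whitespace, and `$"…"` is a bash-only localisation form that dash does not recognise, so a literal `$` can appear in the output. Use `"$@"` and plain `"$STRING "`. Further down, `test -x ${PARSER} || exit 0` is unquoted; if `PARSER` is unset or empty after sourcing `${APPARMOR_FUNCTIONS}`, the test becomes `test -x`, which is true for a non-empty string and lets the script continue into `apparmor_start` instead of taking the policy-mandated `exit 0`; `test -x "${PARSER}" || exit 0` gives the intended behaviour.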
@@ -0,0 +1,27 @@ +apparmor for Debian +------------------- + +The Debian apparmor source package provides several packages, + + 1) apparmor-modules-source, which provides the source for the kernel modules + 2) apparmor, which provides the user-space to kernel profile parser + 3) apparmor-profiles, which includes a basic default set of profiles + 4) apparmor-utils, which provides additional apparmor utilities + 5) apparmor-docs, which provides additional apparmor documentation + +The apparmor-modules-source package can be used in several ways, + + - Using the module-assistant(8) command, via "m-a a-i apparmor-modules" + + - Using the make-kpkg(1) command provided by the kernel-package Debian + package. This will produce a corresponding apparmor-modules-modules package + for the Debian kernel-image package that you are using. This is "the Debian + way". See the "modules_image" section of the make-kpkg(1) man page. + + - Changing to the /usr/src/modules/apparmor-modules/ directory and building as + the README file instructs using "make; make install". This will build + and install a module specific to the system you are building on and is + not under control of the packaging system. + +For details on using and running AppArmor, please see: + http://developer.novell.com/wiki/index.php/Apparmor_FAQ --- apparmor-2.1+1075.orig/debian/compat +++ apparmor-2.1+1075/debian/compat @@ -0,0 +1 @@ +5 --- apparmor-2.1+1075.orig/debian/apparmor-profiles.postinst +++ apparmor-2.1+1075/debian/apparmor-profiles.postinst 
@@ -0,0 +1,42 @@ +#!/bin/sh +# postinst script for apparmor-profiles +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + configure) + invoke-rc.d apparmor reload || true + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + --- apparmor-2.1+1075.orig/parser/Makefile +++ apparmor-2.1+1075/parser/Makefile @@ -122,7 +122,7 @@ techdoc.txt: techdoc/index.html w3m -dump $< > $@ -all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf techdoc/index.html +all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf $(Q)make -C po all $(Q)make -s tests --- apparmor-2.1+1075.orig/parser/rc.apparmor.functions +++ apparmor-2.1+1075/parser/rc.apparmor.functions @@ -1,6 +1,6 @@ #!/bin/sh # -# $Id: rc.apparmor.functions 1075 2008-01-03 23:21:07Z jrjohansen $ +# $Id: rc.apparmor.functions 908 2007-08-14 20:19:59Z steve-beattie $ # # ---------------------------------------------------------------------- # Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 @@ -107,7 +107,7 @@ shift while [ $# -gt 0 ] ; do - modules="$modules|$1" + modules="$modules${modules:+|}$1" shift done @@ -129,6 +129,8 @@ "${profile%.rpmsave}" != "${profile}" -o \ "${profile%.dpkg-new}" != "${profile}" -o \ "${profile%.dpkg-old}" != "${profile}" -o \ + "${profile%.dpkg-dist}" != "${profile}" -o \ + -e "${PROFILE_DIR}/disable/`basename ${profile}`" -o \ "${profile%\~}" != "${profile}" ] ; then return 0 fi 
@@ -136,6 +138,21 @@ return 1 } +force_complain() { + local profile=$1 + + # if profile not in complain mode + if ! egrep -q "^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{" $profile ; then + local link="${PROFILE_DIR}/force-complain/`basename ${profile}`" + if [ -e "$link" ] ; then + echo "Warning: found $link, forcing complain mode" + return 0 + fi + fi + + return 1 +} + parse_profiles() { # get parser arg case "$1" in @@ -174,7 +191,11 @@ logger -t "AppArmor(init)" -p daemon.warn "Skipping profile $profile" STATUS=2 elif [ -f "${profile}" ] ; then - $PARSER $ABSTRACTIONS $PARSER_ARGS "$profile" > /dev/null + COMPLAIN="" + if force_complain "${profile}" ; then + COMPLAIN="-C" + fi + $PARSER $ABSTRACTIONS $PARSER_ARGS $COMPLAIN "$profile" > /dev/null if [ $? -ne 0 ]; then echo " Profile $profile failed to load" STATUS=1 --- apparmor-2.1+1075.orig/parser/apparmor.pod +++ apparmor-2.1+1075/parser/apparmor.pod @@ -30,12 +30,12 @@ attributes to programs rather than to users. AppArmor confinement is provided via I loaded into the kernel -via apparmor_parser(8), typically through the F +via apparmor_parser(8), typically through the F SysV initscript, which is used like this: - # /etc/init.d/boot.apparmor start - # /etc/init.d/boot.apparmor stop - # /etc/init.d/boot.apparmor restart + # /etc/init.d/apparmor start + # /etc/init.d/apparmor stop + # /etc/init.d/apparmor restart AppArmor can operate in two modes: I, and I: @@ -135,11 +135,11 @@ =over 4 -=item F +=item F =item F -=item F +=item F =item F --- apparmor-2.1+1075.orig/utils/logprof.conf +++ apparmor-2.1+1075/utils/logprof.conf @@ -11,7 +11,7 @@ [settings] profiledir = /etc/apparmor.d /etc/subdomain.d - inactive_profiledir = /etc/apparmor/profiles/extras/ + inactive_profiledir = /usr/share/doc/apparmor-profiles/extras logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog parser = /sbin/apparmor_parser /sbin/subdomain_parser 
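Review bot: In `force_complain` the `[ \t]` bracket expressions passed to egrep do not match a tab — inside a POSIX ERE bracket expression `\t` is the two literal characters backslash and `t` — so a header written with tabs between the path and `flags=(complain)` is reported as not in complain mode, and a header containing a `t` or backslash at that position can match unexpectedly. Use `[[:space:]]` in place of each `[ \t]`, and quote the argument: `egrep -q "^/.*[[:space:]]+flags[[:space:]]*=[[:space:]]*\([[:space:]]*complain[[:space:]]*\)[[:space:]]+{" "$profile"`. Forcing a profile into complain mode turns enforcement off for that program, yet the warning goes only to stdout; the `parse_profiles` hunk below records skipped profiles with `logger -t "AppArmor(init)" -p daemon.warn`, and the same call belongs next to the `echo "Warning: found $link, forcing complain mode"` so the state is visible in syslog.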
@@ -30,9 +30,9 @@ [repository] - distro = opensuse10.3 - url = http://apparmor.opensuse.org/backend/api - preferred_user = novell + distro = ubuntu-gutsy + url = http://apparmor.test.opensuse.org/backend/api + preferred_user = ubuntu [qualifiers] # things will be painfully broken if bash has a profile --- apparmor-2.1+1075.orig/utils/autodep.pod +++ apparmor-2.1+1075/utils/autodep.pod @@ -24,17 +24,17 @@ =head1 NAME -autodep - guess basic AppArmor profile requirements +aa-autodep - guess basic AppArmor profile requirements =head1 SYNOPSIS -BexecutableE> [IexecutableE> ...]> +BexecutableE> [IexecutableE> ...]> =head1 DESCRIPTION -B is used to generate a minimal AppArmor profile for a set of +B is used to generate a minimal AppArmor profile for a set of executables. This program will generate a profile for binary executable -as well as interpreted script programs. At a minimum autodep will provide +as well as interpreted script programs. At a minimum aa-autodep will provide a base profile containing a base include directive which includes basic profile entries needed by most programs. The profile is generated by recursively calling ldd(1) on the executables listed on the command line. @@ -47,7 +47,7 @@ =head1 SEE ALSO -apparmor(7), apparmor.d(5), complain(1), enforce(1), change_hat(2), and +apparmor(7), apparmor.d(5), aa-complain(1), aa-enforce(1), change_hat(2), and L. =cut --- apparmor-2.1+1075.orig/utils/apparmor_status +++ apparmor-2.1+1075/utils/apparmor_status @@ -50,6 +50,7 @@ usage() if $help or ($count_complain + $check_enabled + $count_enforced + $count_profiled + $verbose > 1); sub is_subdomain_loaded() { + return 1 if (-d "/sys/module/apparmor"); if(open(MODULES, "/proc/modules")) { while() { return 1 if m/^(subdomain|apparmor)\s+/; --- apparmor-2.1+1075.orig/utils/complain.pod +++ apparmor-2.1+1075/utils/complain.pod 
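Review bot: The `[repository]` section now points the profile tools at `http://apparmor.test.opensuse.org/backend/api` with `preferred_user = ubuntu`, a plain-HTTP endpoint whose hostname marks it as a test instance. Profiles fetched from a repository become enforced policy on the installing host, so this setting deserves a comment stating that the test backend is intentional for this release and whether downloaded profiles are integrity-checked before being offered, e.g. `# test repository (cleartext HTTP); review fetched profiles before accepting them`. If the tools accept an https URL here, prefer it.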
@@ -24,15 +24,15 @@ =head1 NAME -complain - set a AppArmor security profile to I mode. +aa-complain - set a AppArmor security profile to I mode. =head1 SYNOPSIS -BexecutableE> [IexecutableE> ...]> +BexecutableE> [IexecutableE> ...]> =head1 DESCRIPTION -B is used to set the enforcement mode for one or more profiles to complain. +B is used to set the enforcement mode for one or more profiles to complain. In this mode security policy is not enforced but rather access violations are logged to the system log. @@ -43,7 +43,7 @@ =head1 SEE ALSO -apparmor(7), apparmor.d(5), enforce(1), change_hat(2), and +apparmor(7), apparmor.d(5), aa-enforce(1), change_hat(2), and L. =cut --- apparmor-2.1+1075.orig/utils/enforce +++ apparmor-2.1+1075/utils/enforce @@ -106,6 +106,11 @@ print "\n"; setprofileflags($filename, ""); + # remove symlink in $profiledir/complain as well + my $complainlink = $filename; + $complainlink =~ s/^$profiledir/$profiledir\/force-complain/; + -e $complainlink and unlink($complainlink); + system("cat $filename | $parser -I$profiledir -r >/dev/null 2>&1") if check_for_subdomain(); } else { --- apparmor-2.1+1075.orig/utils/SubDomain.pm +++ apparmor-2.1+1075/utils/SubDomain.pm @@ -1786,7 +1786,7 @@ our $logmark; our $seenmark; my $RE_LOG_v2_0_syslog = qr/SubDomain/; -my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?audit\([\d\.\:]+\):\s+type=150[1-6]/; +my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?audit\([\d\.\:]+\):\s+(type=150[1-6]|.*\bprofile=)/; my $RE_LOG_v2_0_audit = qr/type=(APPARMOR|UNKNOWN\[1500\]) msg=audit\([\d\.\:]+\):/; my $RE_LOG_v2_1_audit = @@ -2096,6 +2096,10 @@ } } + # Drop user/other split + $e->{requested_mask} =~ s/::// if ($e->{requested_mask}); + $e->{denied_mask} =~ s/::// if ($e->{denied_mask}); + if ($e->{requested_mask} && !validate_log_mode($e->{requested_mask})) { fatal_error(sprintf(gettext('Log contains unknown mode %s.'), $e->{requested_mask})); } 
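Review bot: The added cleanup in utils/enforce can delete the profile itself: `s/^$profiledir/$profiledir\/force-complain/` only rewrites the path when `$filename` begins with `$profiledir`; when it does not (whether a relative or out-of-tree path can reach this point depends on how `$filename` is built above the hunk), `$complainlink` still equals `$filename`, `-e` is true and `unlink` removes the profile that was just switched to enforce mode. Guard on the substitution succeeding and quote the directory in the pattern: `if ($complainlink =~ s/^\Q$profiledir\E/$profiledir\/force-complain/ && (-l $complainlink || -e $complainlink)) { unlink($complainlink); }`. Testing `-l` as well as `-e` also removes a dangling link, which `-e` skips because it follows the symlink. The comment above the block says `$profiledir/complain` while the code uses `force-complain`; align the two.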
@@ -2104,6 +2108,10 @@ fatal_error(sprintf(gettext('Log contains unknown mode %s.'), $e->{denied_mask})); } + # If no 'type' is found, we have a broken kernel, so assume + # everything is a "REJECTING" message. + $e->{type} = "1503" if (!defined($e->{type})); + return $e; } @@ -4077,7 +4085,8 @@ return ($path =~ /(^|\/)\.[^\/]*$/ || $path =~ /\.rpm(save|new)$/ - || $path =~ /\.dpkg-(old|new)$/ + || $path =~ /\.dpkg-(old|new|dist)$/ + || -e "$profiledir/disable/$path" || $path =~ /\~$/); } @@ -4151,7 +4160,6 @@ next if $file =~ /\.rpm(save|new)|README$/; readprofile("$extraprofiledir/$file", \&fatal_error, 0); } - closedir(ESDDIR); } sub readprofile ($$$) { --- apparmor-2.1+1075.orig/utils/unconfined.pod +++ apparmor-2.1+1075/utils/unconfined.pod @@ -24,21 +24,21 @@ =head1 NAME -unconfined - output a list of processes with tcp or udp ports that do +aa-unconfined - output a list of processes with tcp or udp ports that do not have AppArmor profiles loaded =head1 SYNOPSIS -B +B =head1 DESCRIPTION -B will use netstat(8) to determine which processes have open +B will use netstat(8) to determine which processes have open network sockets and do not have AppArmor profiles loaded into the kernel. =head1 BUGS -B must be run as root to retrieve the process executable +B must be run as root to retrieve the process executable link from the F filesystem. This program is susceptible to race conditions of several flavours: an unlinked executable will be mishandled; an executable started before a AppArmor profile is loaded will not --- apparmor-2.1+1075.orig/utils/logprof.pod +++ apparmor-2.1+1075/utils/logprof.pod @@ -24,11 +24,11 @@ =head1 NAME -logprof - utility program for managing AppArmor security profiles +aa-logprof - utility program for managing AppArmor security profiles =head1 SYNOPSIS -B] [I<-f /path/to/logfile>] [I<-m Emark in logfileE>]> +B] [I<-f /path/to/logfile>] [I<-m Emark in logfileE>]> =head1 OPTIONS 
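Review bot: The new `-e "$profiledir/disable/$path"` test in the `@@ -4077` hunk mirrors the shell-side skip in rc.apparmor.functions, which checks `disable/`basename ${profile}``; here `$path` is whatever the caller passes, and if it is ever an absolute path the concatenation yields `$profiledir/disable//etc/...` and never matches. The enclosing function's header is outside the hunk, so confirm what `$path` holds and use `basename($path)` (File::Basename) if it can be absolute, so both implementations agree on which profiles are disabled. In the `@@ -4151` hunk the `closedir(ESDDIR)` removal leaves the directory handle opened earlier in that function unclosed unless that handle has a different name, which I cannot see from here.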
@@ -43,28 +43,28 @@ B< -m --logmark "mark"> - logprof will ignore all events in the system log before the + aa-logprof will ignore all events in the system log before the specified mark is seen. If the mark contains spaces, it must be surrounded with quotes to work correctly. =head1 DESCRIPTION -B is an interactive tool used to review AppArmor's +B is an interactive tool used to review AppArmor's complain mode output and generate new entries for AppArmor security profiles. -Running logprof will scan the log file and if there are new AppArmor +Running aa-logprof will scan the log file and if there are new AppArmor events that are not covered by the existing profile set, the user will be prompted with suggested modifications to augment the profile. -When logprof exits profile changes are saved to disk. If AppArmor is +When aa-logprof exits profile changes are saved to disk. If AppArmor is running, the updated profiles are reloaded and if any processes that generated AppArmor events are still running in the null-complain-profile, those processes are set to run under their proper profiles. =head2 Responding to AppArmor Events -B will generate a list of suggested profile changes that +B will generate a list of suggested profile changes that the user can choose from, or they can create their own, to modifiy the permission set of the profile so that the generated access violation will not re-occur. @@ -92,9 +92,9 @@ path for this event, they'll be informed and have the option to fix it. If the user selects (G)lob last piece then, taking the currently selected -option, logprof will remove the last path element and replace it with /*. +option, aa-logprof will remove the last path element and replace it with /*. -If the last path element already was /*, logprof will go up a directory +If the last path element already was /*, aa-logprof will go up a directory level and replace it with /**. This new globbed entry is then added to the suggestion list and marked 
@@ -103,14 +103,14 @@ So /usr/share/themes/foo/bar/baz.gif can be turned into /usr/share/themes/** by hitting "g" three times. -If the user selects (A)llow, logprof will take the current selection +If the user selects (A)llow, aa-logprof will take the current selection and add it to the profile, deleting other entries in the profile that are matched by the new entry. Adding r access to /usr/share/themes/** would delete an entry for r access to /usr/share/themes/foo/*.gif if it exists in the profile. -If (Q)uit is selected at this point, logprof will ignore all new pending +If (Q)uit is selected at this point, aa-logprof will ignore all new pending capability and path accesses. After all of the path accesses have been handled, logrof will write all @@ -119,14 +119,14 @@ =head2 New Process (Execution) Events If there are unhandled x accesses generated by the execve(2) of a -new process, logprof will display the parent profile and the target +new process, aa-logprof will display the parent profile and the target program that's being executed and prompt the user to select and execute modifier. These modifiers will allow a choice for the target to: have it's own profile (px), inherit the parent's profile (ix), run unconstrained (ux), or deny access for the target. See apparmor.d(5) for details. If there is a corresponding entry for the target in the qualifiers -section of /etc/logprof.conf, the presented list will contain only the +section of /etc/apparmor/logprof.conf, the presented list will contain only the allowed modes. The default option for this question is selected using this logic-- @@ -138,7 +138,7 @@ # else # deny is default -logprof will never suggest "ux" as the default. +aa-logprof will never suggest "ux" as the default. =head2 ChangeHat Events 
@@ -162,7 +162,7 @@ =head1 SEE ALSO klogd(8), auditd(8), apparmor(7), apparmor.d(5), change_hat(2), -logprof.conf(5), genprof(1), complain(1), enforce(1), and +logprof.conf(5), aa-genprof(1), aa-complain(1), aa-enforce(1), and L. =cut --- apparmor-2.1+1075.orig/utils/genprof.pod +++ apparmor-2.1+1075/utils/genprof.pod @@ -24,11 +24,11 @@ =head1 NAME -genprof - profile generation utility for AppArmor +aa-genprof - profile generation utility for AppArmor =head1 SYNOPSIS -BexecutableE> [I<-d /path/to/profiles>]> +BexecutableE> [I<-d /path/to/profiles>]> =head1 OPTIONS @@ -40,12 +40,12 @@ =head1 DESCRIPTION -When running genprof, you must specify a program to profile. If the -specified program is not a fully-qualified path, genprof will search $PATH +When running aa-genprof, you must specify a program to profile. If the +specified program is not a fully-qualified path, aa-genprof will search $PATH in order to find the program. -If a profile does not exist for the program, genprof will create one using -autodep(1). +If a profile does not exist for the program, aa-genprof will create one using +aa-autodep(1). Genprof will then: 
@@ -59,17 +59,17 @@ It then presents the user with two options, (S)can system log for entries to add to profile and (F)inish. -If the user selects (S)can or hits return, genprof will parse +If the user selects (S)can or hits return, aa-genprof will parse the complain mode logs and iterate through generated violations using logprof(1). After the user finishes selecting profile entries based on violations -that were detected during the program execution, genprof will reload +that were detected during the program execution, aa-genprof will reload the updated profiles in complain mode and again prompt the user for (S)can and (D)one. This cycle can then be repeated as neccesary until all application functionality has been exercised without generating access violations. -When the user eventually hits (F)inish, genprof will set the main profile, +When the user eventually hits (F)inish, aa-genprof will set the main profile, and any other profiles that were generated, into enforce mode and exit. =head1 BUGS @@ -79,8 +79,8 @@ =head1 SEE ALSO -apparmor(7), apparmor.d(5), enforce(1), complain(1), change_hat(2), -logprof(1), logprof.conf(5), and +apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), change_hat(2), +aa-logprof(1), logprof.conf(5), and L. =cut --- apparmor-2.1+1075.orig/utils/audit.pod +++ apparmor-2.1+1075/utils/audit.pod @@ -2,15 +2,15 @@ =head1 NAME -audit - set a AppArmor security profile to I mode. +aa-audit - set a AppArmor security profile to I mode. =head1 SYNOPSIS -BexecutableE> [IexecutableE> ...]> +BexecutableE> [IexecutableE> ...]> =head1 DESCRIPTION -B is used to set the audit mode for one or more profiles to audit. +B is used to set the audit mode for one or more profiles to audit. In this mode security policy is enforced and all access (successes and failures) are logged to the system log. =head1 BUGS 
@@ -20,7 +20,7 @@ =head1 SEE ALSO -apparmor(7), apparmor.d(5), enforce(1), complain(1), change_hat(2), and +apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), change_hat(2), and L. =cut --- apparmor-2.1+1075.orig/utils/enforce.pod +++ apparmor-2.1+1075/utils/enforce.pod @@ -24,19 +24,19 @@ =head1 NAME -enforce - set an AppArmor security profile to I mode from +aa-enforce - set an AppArmor security profile to I mode from I mode. =head1 SYNOPSIS -BexecutableE> [IexecutableE> ...]> +BexecutableE> [IexecutableE> ...]> =head1 DESCRIPTION -B is used to set the enforcement mode for one or more profiles +B is used to set the enforcement mode for one or more profiles to I. This command is only relevant is conjuction with the utility I which sets a profile to complain mode. The default -mode for a security policy is enforce and the I utility must +mode for a security policy is enforce and the I utility must be run to change this behavior. =head1 BUGS @@ -46,7 +46,7 @@ =head1 SEE ALSO -apparmor(7), apparmor.d(5), complain(1), change_hat(2), and +apparmor(7), apparmor.d(5), aa-complain(1), change_hat(2), and L. =cut --- apparmor-2.1+1075.orig/profiles/apparmor.d/usr.sbin.smbd +++ apparmor-2.1+1075/profiles/apparmor.d/usr.sbin.smbd 
@@ -0,0 +1,38 @@ +# vim:syntax=apparmor +# Last Modified: Wed Jun 20 13:34:25 2007 +#include + +/usr/sbin/smbd flags=(complain) { + #include + #include + #include + #include + #include + #include + #include + + capability net_bind_service, + capability setgid, + capability setuid, + capability sys_resource, + capability sys_tty_config, + + /etc/mtab r, + /etc/printcap r, + /etc/passwd m, + /etc/shadow m, + /etc/group m, + /proc/*/mounts r, + /usr/sbin/smbd mr, + /var/cache/samba/** rwk, + /var/cache/samba/printing/printers.tdb mrw, + /var/lib/samba/** rk, + /var/lib/samba/printers/** rw, + /var/run/cups/cups.sock rw, + /var/run/samba/** rk, + /var/run/samba/smbd.pid rw, + /var/log/samba/cores/smbd/ rw, + /var/log/samba/cores/smbd/** rw, + + @{HOMEDIRS}/** lrw, +} --- apparmor-2.1+1075.orig/profiles/apparmor.d/usr.sbin.traceroute +++ apparmor-2.1+1075/profiles/apparmor.d/usr.sbin.traceroute @@ -11,7 +11,7 @@ # ------------------------------------------------------------------ #include -/usr/sbin/traceroute { +/usr/sbin/traceroute flags=(complain) { #include #include #include --- apparmor-2.1+1075.orig/profiles/apparmor.d/sbin.syslog-ng +++ apparmor-2.1+1075/profiles/apparmor.d/sbin.syslog-ng @@ -12,7 +12,7 @@ #include -/sbin/syslog-ng { +/sbin/syslog-ng flags=(complain) { #include #include #include @@ -21,11 +21,13 @@ capability dac_override, capability fsetid, capability fowner, + capability sys_admin, /dev/log w, /dev/tty10 rw, /dev/xconsole rw, /etc/syslog-ng/* r, + @{PROC}/kmsg r, /sbin/syslog-ng mr, # chrooted applications /var/lib/*/dev/log w, --- apparmor-2.1+1075.orig/profiles/apparmor.d/usr.sbin.mdnsd +++ apparmor-2.1+1075/profiles/apparmor.d/usr.sbin.mdnsd @@ -12,7 +12,7 @@ #include -/usr/sbin/mdnsd { +/usr/sbin/mdnsd flags=(complain) { #include #include #include --- apparmor-2.1+1075.orig/profiles/apparmor.d/usr.sbin.avahi-daemon +++ apparmor-2.1+1075/profiles/apparmor.d/usr.sbin.avahi-daemon 
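Review bot: The new smbd profile grants `/etc/shadow m` (and likewise `/etc/passwd m`, `/etc/group m`), i.e. mmap-executable permission without `r`. These rules look like transcribed `m` requests from a log, but mmap-exec of the shadow file is not something smbd needs, and the rule neither documents why it is there nor grants the read that the NSS backend would actually require; confirm the intended access and annotate it, e.g. `# passwd/group mapped by nss_files; shadow only for unix password auth -- confirm`. The profile is `flags=(complain)`, so none of this is enforced yet, and `@{HOMEDIRS}/** lrw` is very broad for the day it is switched to enforce.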
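Review bot: `capability sys_admin` is added to sbin.syslog-ng with no explanation; it is the broadest capability a profile can grant and, once this profile leaves complain mode, exempts the daemon from most of the kernel checks the rest of the profile is meant to bound. It is most likely paired with the new `@{PROC}/kmsg r` rule, since reading the kernel log buffer required CAP_SYS_ADMIN on kernels of this era; record that next to the rule, e.g. `# reading @{PROC}/kmsg requires CAP_SYS_ADMIN on kernels without a narrower capability`, so a later maintainer knows when it can be dropped.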
@@ -10,6 +10,10 @@ capability kill, capability setuid, capability setgid, + capability sys_chroot, + + /etc/passwd m, + /etc/group m, /etc/avahi/ r, /etc/avahi/avahi-daemon.conf r, --- apparmor-2.1+1075.orig/profiles/apparmor.d/usr.sbin.nmbd +++ apparmor-2.1+1075/profiles/apparmor.d/usr.sbin.nmbd @@ -0,0 +1,19 @@ +# vim:syntax=apparmor +# Last Modified: Wed Jun 20 13:22:50 2007 +#include + +/usr/sbin/nmbd flags=(complain) { + #include + #include + #include + + capability net_bind_service, + + /usr/sbin/nmbd mr, + /var/cache/samba/browse.dat* rw, + /var/lib/samba/wins.dat* rw, + /var/run/samba/** rk, + /var/run/samba/nmbd.pid rw, + /var/log/samba/cores/nmbd/ rw, + /var/log/samba/cores/nmbd/** rw, +} --- apparmor-2.1+1075.orig/profiles/apparmor.d/bin.ping +++ apparmor-2.1+1075/profiles/apparmor.d/bin.ping @@ -11,7 +11,7 @@ # ------------------------------------------------------------------ #include -/bin/ping { +/bin/ping flags=(complain) { #include #include #include --- apparmor-2.1+1075.orig/profiles/apparmor.d/usr.sbin.identd +++ apparmor-2.1+1075/profiles/apparmor.d/usr.sbin.identd @@ -11,7 +11,7 @@ #include -/usr/sbin/identd { +/usr/sbin/identd flags=(complain) { #include #include capability net_bind_service, --- apparmor-2.1+1075.orig/profiles/apparmor.d/usr.sbin.ntpd +++ apparmor-2.1+1075/profiles/apparmor.d/usr.sbin.ntpd @@ -11,7 +11,7 @@ # ------------------------------------------------------------------ #include -/usr/sbin/ntpd { +/usr/sbin/ntpd flags=(complain) { #include #include #include --- apparmor-2.1+1075.orig/profiles/apparmor.d/sbin.syslogd +++ apparmor-2.1+1075/profiles/apparmor.d/sbin.syslogd @@ -11,7 +11,7 @@ #include -/sbin/syslogd { +/sbin/syslogd flags=(complain) { #include #include #include @@ -19,6 +19,11 @@ capability sys_tty_config, capability dac_override, capability dac_read_search, + capability setuid, + capability setgid, + + /etc/passwd m, + /etc/group m, /dev/log wl, /var/lib/*/dev/log wl, 
@@ -28,7 +33,7 @@ /etc/syslog.conf r, /sbin/syslogd rmix, /var/log/** rw, - /var/run/syslogd.pid rwl, - /var/run/utmp rw, + /var/run/syslogd.pid rwlk, + /var/run/utmp krw, /var/spool/compaq/nic/messages_fifo rw, } --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/samba +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/samba @@ -0,0 +1,8 @@ + + /etc/samba/smb.conf r, + /usr/share/samba/*.dat mr, + /var/lib/samba/**.tdb mrw, + /var/log/samba/cores/* w, + /var/log/samba/log.* w, + /var/run/samba/*.tdb mrw, + --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/authentication +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/authentication @@ -42,3 +42,5 @@ # winbind #include + # likewise + #include --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/python +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/python @@ -21,9 +21,10 @@ /usr/local/lib/python2.[45]/site-packages/ r, # Site-wide configuration - /etc/python2.[45]/site.py r, + /etc/python2.[45]/** r, # python-central paths + /usr/share/pyshared/** r, /usr/share/pycentral/** r, /usr/share/python-support/** r, /var/lib/python-support/** r, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/ssl_keys +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/ssl_keys @@ -0,0 +1,4 @@ + + #include + /etc/ssl/private/ r, + /etc/ssl/private/* r, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/fonts +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/fonts @@ -32,8 +32,12 @@ /usr/share/ghostscript/fonts/** r, /usr/share/texmf/*/fonts/** r, + @{HOME}/.fonts/ r, + @{HOME}/.fonts.conf r, @{HOME}/.fonts/** r, @{HOME}/.fonts.cache-2 mr, + @{HOME}/.fontconfig/ r, + @{HOME}/.fontconfig/** r, /usr/local/share/fonts/ r, /usr/local/share/fonts/** r, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/freedesktop.org +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/freedesktop.org 
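Review bot: The new `abstractions/ssl_keys` grants read access to every file under `/etc/ssl/private/`, i.e. all of the host's TLS private keys, to any profile that includes it, but the file carries no comment saying so. Add a header such as `# read access to system-wide TLS private keys under /etc/ssl/private -- include only in profiles of services that must present a certificate` so it is not pulled in casually, and state whether the directory-listing rule `/etc/ssl/private/ r` is actually needed alongside the file rule. The new `abstractions/samba` similarly hands out `mrw` on every `*.tdb` under `/var/run/samba` and `/var/lib/samba` without a comment naming the consumers.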
@@ -6,6 +6,10 @@ /usr/share/icons/** r, /usr/share/pixmaps/ r, /usr/share/pixmaps/** r, + /usr/local/share/icons/ r, + /usr/local/share/icons/** r, + /usr/local/share/pixmaps/ r, + /usr/local/share/pixmaps/** r, # this should probably go elsewhere /usr/share/mime/* r, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/aspell +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/aspell @@ -2,7 +2,7 @@ # aspell permissions # per-user settings and dictionaries - @{HOME}/.aspell.*.{pws,prepl} r, + @{HOME}/.aspell.*.{pws,prepl} rk, # system libraries and dictionaries /usr/lib/aspell/ r, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/nameservice +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/nameservice @@ -13,14 +13,15 @@ # looking up users by name or id, groups by name or id, hosts by name # or IP, etc. These operations may be performed through files, dns, # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. - /etc/group r, + /etc/group rm, /etc/host.conf r, /etc/hosts r, /etc/ldap.conf r, /etc/ldap.secret r, /etc/nsswitch.conf r, - /etc/passwd r, - /etc/protocols r, + /etc/gai.conf r, + /etc/passwd rm, + /etc/protocols rm, /etc/resolv.conf r, # on systems using resolvconf, /etc/resolv.conf is a symlink to @@ -28,15 +29,18 @@ /var/run/resolvconf/resolv.conf r, /etc/samba/lmhosts r, - /etc/services r, + /etc/services rm, # all openldap config - /etc/openldap/* r, + /etc/ldap/** r, + # db backend + /var/lib/misc/*.db rm, # The Name Service Cache Daemon can cache lookups, sometimes leading # to vast speed increases when working with network-based lookups. /var/run/.nscd_socket rw, /var/run/nscd/socket rw, /var/run/nscd/passwd rmix, /var/run/nscd/group rmix, + /var/db/nscd/{passwd,group,services,hosts} mr, # nscd renames and unlinks files in it's operation that clients will # have open /var/run/nscd/db* rmix, 
@@ -49,12 +53,18 @@ /usr/lib/libnss_*.so* mr, /etc/default/nss r, + # avahi-daemon is used for mdns4 resolution + /var/run/avahi-daemon/socket w, + # nis #include # winbind #include + # likewise + #include + # mdnsd #include --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/X +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/X @@ -1,3 +1,4 @@ +# vim:syntax=apparmor # $Id: X 948 2007-08-24 00:26:49Z seth_arnold $ # ------------------------------------------------------------------ # @@ -19,9 +20,8 @@ # the unix socket to use to connect to the display /tmp/.X11-unix/* w, - - - /usr/share/X11/ r, - /usr/share/X11/** r, - /usr/include/X11/ r, - /usr/include/X11/** r, + # The X tree changes and is large -- grant read access to the whole thing + /usr/X11R6/** r, + /usr/share/X11/ r, + /usr/share/X11/** r, + /usr/X11R6/**.so* mr, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/likewise +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/likewise @@ -0,0 +1,4 @@ +# vim:syntax=apparmor +# likewise-open permissions + + /tmp/.lwidentity/pipe rw, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/audio +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/audio @@ -1,3 +1,4 @@ +# vim:syntax=apparmor # $Id: audio 949 2007-08-28 00:49:51Z seth_arnold $ # ------------------------------------------------------------------ # --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/base +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/base @@ -1,3 +1,4 @@ +# vim:syntax=apparmor # $Id: base 949 2007-08-28 00:49:51Z seth_arnold $ # ------------------------------------------------------------------ # @@ -27,6 +28,7 @@ /etc/localtime r, /usr/share/locale/** r, /usr/share/zoneinfo/** r, + /usr/share/X11/locale/** r, /usr/lib64/locale/** mr, /usr/lib32/gconv/*.so mr, 
@@ -44,23 +46,28 @@ # available everywhere /etc/ld.so.cache mr, /lib/ld-*.so mrix, + /lib32/ld-*.so mixr, /lib64/ld-*.so mrix, + /lib/ld32-*.so mrix, /lib/ld64-*.so mrix, /lib64/ld64-*.so mrix, /lib32/ld-*.so mrix, /lib/ld32-*.so mrix, /lib32/ld32-*.so mrix, - /lib/tls/i686/cmov/ld-*.so mrix, + /lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix, /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix, + # we might as well allow everything to use common libraries /lib/lib*.so* mr, /lib32/lib*.so* mr, /lib64/lib*.so* mr, /lib/*/lib*.so* mr, - /lib/tls/i686/cmov/lib*.so* mr, + /lib32/*/lib*.so* mr, + /lib/tls/i686/{cmov,nosegneg}/lib*.so* mr, /usr/lib/** r, /lib64/*/lib*.so* mr, + /usr/lib/** r, /usr/lib/*.so* mr, /usr/lib/*/lib*.so* mr, /usr/lib32/** r, @@ -69,13 +76,14 @@ /lib64/lib*.so* mr, /lib64/*/lib*.so* mr, /usr/lib64/*.so* mr, + /usr/lib/**/lib*.so* mr, + /usr/lib32/*/lib*.so* mr, /usr/lib64/*/lib*.so* mr, /usr/lib/sasl2/*.so* mr, /usr/lib/**/lib*.so* mr, /usr/lib32/*/lib*.so* mr, /usr/lib64/sasl2/*.so* mr, - # /dev/null is pretty harmless and frequently used /dev/null rw, # as is /dev/zero @@ -94,3 +102,6 @@ @{PROC}/meminfo r, @{PROC}/stat r, @{PROC}/cpuinfo r, + + # some applications will display license information + /usr/share/common-licenses/** r, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/kde +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/kde @@ -1,3 +1,4 @@ +# vim:syntax=apparmor # $Id: kde 950 2007-08-28 23:39:52Z seth_arnold $ # ------------------------------------------------------------------ # @@ -15,13 +16,11 @@ #include #include -/etc/X11/kstylerc r, -/etc/X11/qt_plugins_3.3rc r, -/etc/X11/qtrc r, -/etc/kde3rc r, -/etc/opt/kde3/share/config/* r, -/etc/opt/kde3/share/icons/ r, -/etc/opt/kde3/share/icons/** r, +/etc/qt3/kstylerc r, +/etc/qt3/qt_plugins_3.3rc r, +/etc/qt3/qtrc r, +/etc/kderc r, +/etc/kde3/* r, @{HOME}/.DCOPserver_* r, @{HOME}/.ICEauthority r, 
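Review bot: Several of the lines added to abstractions/base in the first hunk are already present as context in the same hunk: `+ /lib32/ld-*.so mixr,` duplicates the existing `/lib32/ld-*.so mrix,` a few lines below, `+ /lib/ld32-*.so mrix,` duplicates `/lib/ld32-*.so mrix,`, and `+ /usr/lib/** r,` duplicates the `/usr/lib/** r,` two lines above it. The second hunk repeats the pattern with `+ /usr/lib/**/lib*.so* mr,` and `+ /usr/lib32/*/lib*.so* mr,`, both of which already appear as context right after them. This looks like the patch was taken against a tree that had not yet received these rules; the added copies change nothing for the policy but make the abstraction harder to audit, so the five duplicate additions should be dropped. While there, `mixr` on the new lib32 loader line should be written `mrix` like every neighbouring rule, so a reader scanning permission sets sees one spelling.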
@@ -29,25 +28,19 @@ @{HOME}/.kde/share/config/kdeglobals rw, @{HOME}/.qt/** rw, -/opt/kde3/lib64/kde3/plugins/styles/ r, -/opt/kde3/lib64/kde3/plugins/styles/* mr, -/opt/kde3/lib64/lib*so* mr, -/opt/kde3/lib/kde3/plugins/styles/ r, -/opt/kde3/lib/kde3/plugins/styles/* mr, -/opt/kde3/lib/lib*so* mr, - -/opt/kde3/share/config/kdeglobals r, -/opt/kde3/share/icons/ r, -/opt/kde3/share/icons/** r, -/usr/X11R6/lib64/X11/XKeysymDB r, -/usr/X11R6/lib64/X11/icons/** r, -/usr/X11R6/lib/X11/XKeysymDB r, -/usr/X11R6/lib/X11/icons/** r, -/usr/lib/X11/XKeysymDB r, - -/usr/lib/qt3/lib64/lib*so* mr, -/usr/lib64/qt3/plugins/** mr, -/usr/lib/qt3/lib/lib*so* mr, -/usr/lib/qt3/plugins/** mr, - -/usr/share/YaST2/theme/** r, +/usr/lib*/kde3/plugins/styles/ r, +/usr/lib*/kde3/plugins/styles/* mr, +/usr/lib*/kde3/lib*so* mr, + +/usr/share/icons/ r, +/usr/share/icons/** r, +/usr/share/X11/XKeysymDB r, + +/usr/lib*/qt3/lib*/lib*so* mr, +/usr/lib*/qt3/plugins/** mr, + +/usr/lib*/libqt-mt*so* mr, +/usr/lib*/libqui*so* mr, +/usr/lib*/qt3/plugins/** mr, +/usr/share/qt3/lib*/libqt-mt*so* mr, +/usr/share/qt3/lib*/libqui*so* mr, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/gnome +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/gnome @@ -15,7 +15,6 @@ #include #include - # systemwide gtk defaults /etc/gnome/gtkrc* r, /etc/gtk/* r, @@ -51,6 +50,6 @@ /usr/share/**/icon-theme.cache r, # gnome VFS modules - /etc/gnome-vfs-2.0/modules r, + /etc/gnome-vfs-2.0/modules/ r, /etc/gnome-vfs-2.0/modules/* r, /usr/lib/gnome-vfs-2.0/modules/*.so mr, --- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/user-tmp +++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/user-tmp 
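Review bot: In the abstractions/kde hunk the added line `+/usr/lib*/qt3/plugins/** mr,` appears twice, once after `/usr/lib*/qt3/lib*/lib*so* mr,` and again after `/usr/lib*/libqui*so* mr,`; the second copy is redundant and should be removed. The new `/usr/lib*/` prefix also deserves a comment on what it is meant to cover: since `*` matches any run of non-slash characters, `lib*` matches not only lib, lib32 and lib64 but any sibling directory whose name starts with "lib" (e.g. a libexec directory, if the system has one). If only the library directories are intended, the alternation form already used elsewhere in this patch, `/usr/lib{,32,64}/`, states that precisely.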
@@ -11,10 +11,10 @@
 # per-user tmp directories
 @{HOME}/tmp/** rwl,
- @{HOME}/tmp/ r,
+ @{HOME}/tmp/ rw,
 # global tmp directories
 /var/tmp/** rwl,
- /var/tmp/ r,
+ /var/tmp/ rw,
 /tmp/** rwl,
- /tmp/ r,
+ /tmp/ rw,
--- apparmor-2.1+1075.orig/profiles/apparmor.d/abstractions/cups-client
+++ apparmor-2.1+1075/profiles/apparmor.d/abstractions/cups-client
@@ -0,0 +1,7 @@
+# vim:syntax=apparmor
+# CUPS client access
+
+ # discoverable system configuration for non-local cupsd
+ /etc/cups/client.conf r,
+ # client should be able to talk the local cupsd
+ /var/run/cups/cups.sock w,
--- apparmor-2.1+1075.orig/profiles/apparmor.d/usr.sbin.nscd
+++ apparmor-2.1+1075/profiles/apparmor.d/usr.sbin.nscd
@@ -11,7 +11,7 @@
 # ------------------------------------------------------------------
 #include
-/usr/sbin/nscd {
+/usr/sbin/nscd flags=(complain) {
 #include
 #include
 #include
@@ -32,6 +32,7 @@
 /var/run/nscd/db* wl,
 /var/run/nscd/socket wl,
 /var/run/nscd/{passwd,group,services,hosts} rw,
+ /var/db/nscd/{passwd,group,services,hosts} mrw,
 /var/run/{nscd/,}nscd.pid rwl,
 @{PROC}/[0-9]*/fd/ r,
 @{PROC}/[0-9]*/fd/* r,
--- apparmor-2.1+1075.orig/profiles/apparmor.d/sbin.klogd
+++ apparmor-2.1+1075/profiles/apparmor.d/sbin.klogd
@@ -11,13 +11,14 @@
 #include
-/sbin/klogd {
+/sbin/klogd flags=(complain) {
 #include
 capability sys_admin,
 /boot/System.map* r,
 @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
 /sbin/klogd rmix,
 /var/log/boot.msg rwl,
 /var/run/klogd.pid krwl,
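Review bot: The comment added to the new abstractions/cups-client file reads `# client should be able to talk the local cupsd`; it is missing a word and should read `# client should be able to talk to the local cupsd`. The file otherwise follows the layout of the other abstractions in this patch, so nothing else to raise here.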
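Review bot: `+/usr/sbin/nscd flags=(complain) {` in the usr.sbin.nscd hunk, and likewise `+/sbin/klogd flags=(complain) {` in the sbin.klogd hunk that follows, move two previously enforcing profiles to complain mode, so any access not listed in the profile is logged and allowed instead of denied; the commit records no reason and no condition for returning to enforce mode. A comment directly above the profile header would preserve that intent, for example `# complain mode while the new /var/db/nscd rules are verified -- TODO(<tracking-bug-id>): drop flags=(complain)`. The new rule `/var/db/nscd/{passwd,group,services,hosts} mrw,` is the only functional addition to the nscd profile, so if complain mode exists to shake out missing accesses it should be tied to verifying exactly that. The klogd hunk appears to continue past the end of this chunk, so its remaining lines were not reviewed.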