binutils/Makefile | 2 +- parser/Makefile | 10 +- parser/apparmor.systemd | 29 ++++- parser/profile-load | 4 +- parser/rc.apparmor.functions | 1 + profiles/Makefile | 4 +- profiles/apparmor.d/abstractions/X | 5 +- profiles/apparmor.d/abstractions/authentication | 13 +-- profiles/apparmor.d/abstractions/base | 23 ++-- profiles/apparmor.d/abstractions/bash | 2 +- profiles/apparmor.d/abstractions/dri-common | 3 +- profiles/apparmor.d/abstractions/exo-open | 2 +- profiles/apparmor.d/abstractions/fonts | 1 - profiles/apparmor.d/abstractions/gio-open | 2 +- profiles/apparmor.d/abstractions/gnome | 21 ++-- profiles/apparmor.d/abstractions/gnupg | 1 - profiles/apparmor.d/abstractions/kde | 12 --- profiles/apparmor.d/abstractions/kde-open5 | 1 - profiles/apparmor.d/abstractions/kerberosclient | 12 +-- profiles/apparmor.d/abstractions/mir | 22 ---- profiles/apparmor.d/abstractions/nameservice | 1 - profiles/apparmor.d/abstractions/opencl-intel | 2 +- profiles/apparmor.d/abstractions/opencl-mesa | 1 - profiles/apparmor.d/abstractions/opencl-pocl | 5 - profiles/apparmor.d/abstractions/p11-kit | 1 - profiles/apparmor.d/abstractions/perl | 2 - profiles/apparmor.d/abstractions/postfix-common | 7 +- profiles/apparmor.d/abstractions/qt5 | 10 +- profiles/apparmor.d/abstractions/ssl_certs | 12 +-- profiles/apparmor.d/abstractions/ssl_keys | 4 +- .../abstractions/ubuntu-bittorrent-clients | 22 ---- profiles/apparmor.d/abstractions/ubuntu-browsers | 41 ------- .../ubuntu-browsers.d/chromium-browser | 26 ----- .../apparmor.d/abstractions/ubuntu-browsers.d/java | 118 --------------------- .../apparmor.d/abstractions/ubuntu-browsers.d/kde | 9 -- .../abstractions/ubuntu-browsers.d/mailto | 11 -- .../abstractions/ubuntu-browsers.d/multimedia | 51 --------- .../abstractions/ubuntu-browsers.d/plugins-common | 18 ---- .../abstractions/ubuntu-browsers.d/productivity | 26 ----- .../abstractions/ubuntu-browsers.d/text-editors | 16 --- .../ubuntu-browsers.d/ubuntu-integration | 37 ------- 
.../ubuntu-browsers.d/ubuntu-integration-xul | 8 -- .../abstractions/ubuntu-browsers.d/user-files | 31 ------ .../abstractions/ubuntu-console-browsers | 23 ---- .../apparmor.d/abstractions/ubuntu-console-email | 23 ---- profiles/apparmor.d/abstractions/ubuntu-email | 29 ----- .../apparmor.d/abstractions/ubuntu-feed-readers | 15 --- .../apparmor.d/abstractions/ubuntu-gnome-terminal | 15 --- profiles/apparmor.d/abstractions/ubuntu-helpers | 93 ---------------- profiles/apparmor.d/abstractions/ubuntu-konsole | 22 ---- .../apparmor.d/abstractions/ubuntu-media-players | 65 ------------ .../apparmor.d/abstractions/ubuntu-unity7-base | 105 ------------------ .../apparmor.d/abstractions/ubuntu-unity7-launcher | 12 --- .../abstractions/ubuntu-unity7-messaging | 12 --- profiles/apparmor.d/abstractions/ubuntu-xterm | 18 ---- profiles/apparmor.d/tunables/global | 1 - profiles/apparmor.d/tunables/multiarch | 17 --- .../apparmor.d/tunables/multiarch.d/site.local | 14 --- profiles/apparmor.d/usr.sbin.smbd | 3 - .../profiles/extras/usr.bin.chromium-browser | 7 -- profiles/apparmor/profiles/extras/usr.bin.skype | 1 - .../apparmor/profiles/extras/usr.bin.wireshark | 3 - utils/logprof.conf | 1 - utils/test/logprof.conf | 1 - utils/test/test-aa.py | 1 - utils/test/test-severity.py | 2 - 66 files changed, 82 insertions(+), 1030 deletions(-) diff --git a/binutils/Makefile b/binutils/Makefile index 3f1d0011..6538daea 100644 --- a/binutils/Makefile +++ b/binutils/Makefile @@ -53,7 +53,7 @@ HDRS = BINTOOLS = aa-enabled aa-exec aa-features-abi SBINTOOLS = aa-status -AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread +AALIB = -lapparmor -lpthread ifdef WITH_LIBINTL AALIB += -lintl diff --git a/parser/Makefile b/parser/Makefile index 15f9d975..e9475c1f 100644 --- a/parser/Makefile +++ b/parser/Makefile 
@@ -26,7 +26,7 @@ DESTDIR=/ APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor SBINDIR=${DESTDIR}/sbin USR_SBINDIR=${DESTDIR}/usr/sbin -SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system +SYSTEMD_UNIT_DIR=${DESTDIR}/lib/systemd/system CONFDIR=/etc/apparmor INSTALL_CONFDIR=${DESTDIR}${CONFDIR} LOCALEDIR=/usr/share/locale @@ -112,8 +112,8 @@ OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o)) AAREDIR= libapparmor_re AAREOBJECT = ${AAREDIR}/libapparmor_re.a AAREOBJECTS = $(AAREOBJECT) -AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. $(LDFLAGS) -AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread +AARE_LDFLAGS = -L. $(LDFLAGS) +AALIB = -lapparmor -lpthread ifdef WITH_LIBINTL AALIB += -lintl @@ -408,6 +408,7 @@ endif install: $(MAKE) install-indep $(MAKE) install-arch + $(MAKE) install-systemd .PHONY: install-arch install-arch: $(INSTALLDEPS) @@ -429,7 +430,8 @@ install-indep: indep install-systemd: install -m 755 -d $(SYSTEMD_UNIT_DIR) install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR) - install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX) + install -m 755 apparmor.systemd -D $(DESTDIR)/etc/rc.d/init.d/apparmor + ln -rs $(DESTDIR)/etc/rc.d/init.d/apparmor $(APPARMOR_BIN_PREFIX)/apparmor.systemd install -m 755 -d $(USR_SBINDIR) install -m 755 aa-teardown $(USR_SBINDIR) diff --git a/parser/apparmor.systemd b/parser/apparmor.systemd index 09d57924..92808795 100644 --- a/parser/apparmor.systemd +++ b/parser/apparmor.systemd 
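Review bot: `ln -rs $(DESTDIR)/etc/rc.d/init.d/apparmor $(APPARMOR_BIN_PREFIX)/apparmor.systemd` in install-systemd is not idempotent: a second `make install` fails because the link already exists, so it should be `ln -rsf ...` (or `$(RM)` the link first); note also that `-r` is GNU coreutils-specific and that the line assumes `$(APPARMOR_BIN_PREFIX)` already exists, which presumably install-arch guarantees since `install` now runs install-indep, install-arch and install-systemd in that order. The path `$(DESTDIR)/etc/rc.d/init.d` is written out twice as a literal while every other destination in this file goes through a variable (`SYSTEMD_UNIT_DIR`, `USR_SBINDIR`); an `INITDIR=${DESTDIR}/etc/rc.d/init.d` variable next to those keeps it overridable from the command line. Because `install` now unconditionally calls install-systemd, the init script and unit are installed on every host, including ones without systemd or SysV rc; if that is intended, a comment on the `install` target saying so would help. The install-systemd recipe may continue past the end of the hunk.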
@@ -14,6 +14,24 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, contact Novell, Inc. # ---------------------------------------------------------------------- +# chkconfig: 2345 01 99 +# description: AppArmor rc file. This rc script inserts the apparmor \ +# module and runs the parser on the /etc/apparmor.d/ \ +# directory. +# +### BEGIN INIT INFO +# Provides: apparmor +# Required-Start: +# Required-Stop: +# Should-Start: $local_fs +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short-Description: AppArmor initialization +# Description: AppArmor rc file. This rc script inserts the apparmor +# module and runs the parser on the /etc/apparmor.d/ +# directory. +### END INIT INFO APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions @@ -69,10 +87,11 @@ else exit 1 fi +SD_DETECT_VIRT=/usr/bin/systemd-detect-virt case "$1" in start) - if [ -x /usr/bin/systemd-detect-virt ] && \ - systemd-detect-virt --quiet --container && \ + if [ -x "$SD_DETECT_VIRT" ] && \ + "$SD_DETECT_VIRT" --quiet --container && \ ! is_container_with_internal_policy; then aa_log_daemon_msg "Not starting AppArmor in container" aa_log_end_msg 0 @@ -86,8 +105,8 @@ case "$1" in rc=$? ;; restart|reload|force-reload) - if [ -x /usr/bin/systemd-detect-virt ] && \ - systemd-detect-virt --quiet --container && \ + if [ -x "$SD_DETECT_VIRT" ] && \ + "$SD_DETECT_VIRT" --quiet --container && \ ! is_container_with_internal_policy; then aa_log_daemon_msg "Not starting AppArmor in container" aa_log_end_msg 0 @@ -96,7 +115,7 @@ case "$1" in apparmor_restart rc=$? ;; - try-restart) + try-restart|condrestart) apparmor_try_restart rc=$? ;; diff --git a/parser/profile-load b/parser/profile-load index 2663c04d..784da090 100755 --- a/parser/profile-load +++ b/parser/profile-load 
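Review bot: The LSB header leaves `Required-Start:` empty and names `$local_fs` only under `Should-Start:`, yet the Description line itself says the script runs the parser on /etc/apparmor.d; `Should-Start` only orders the script after the facility when it happens to be present, whereas `# Required-Start: $local_fs` makes the mounted filesystems a hard dependency, which is what a policy loader wants. `Default-Stop:` is empty while the `chkconfig: 2345 01 99` line still gives a stop priority; harmless, but the two headers should agree. The quoted `"$SD_DETECT_VIRT"` form used in both `start)` and `restart|...)` branches is correct; the same test in parser/profile-load leaves the variable unquoted, and `SD_DETECT_VIRT` is assigned here although this script also sources `$APPARMOR_FUNCTIONS`, which now defines it too. The `case` statement continues outside the hunk.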
@@ -23,8 +23,10 @@ . /lib/apparmor/rc.apparmor.functions +SD_DETECT_VIRT=/usr/bin/systemd-detect-virt + # do not load in a container -[ -x /usr/bin/systemd-detect-virt ] && systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true +[ -x $SD_DETECT_VIRT ] && $SD_DETECT_VIRT --quiet --container && ! is_container_with_internal_policy && exit 0 || true [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load if running liveCD diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions index c11a5a93..eda3e5af 100644 --- a/parser/rc.apparmor.functions +++ b/parser/rc.apparmor.functions @@ -82,6 +82,7 @@ is_apparmor_present() { # container's boot process to experience failed policy loads but the boot # process should continue without any loss of functionality. This is an # unsupported configuration that cannot be properly handled by this function. +SD_DETECT_VIRT=/usr/bin/systemd-detect-virt is_container_with_internal_policy() { # this function is sometimes called independently of # is_apparmor_loaded(), so also define this here. diff --git a/profiles/Makefile b/profiles/Makefile index f8fa10be..e3ee99cf 100644 --- a/profiles/Makefile +++ b/profiles/Makefile @@ -92,11 +92,9 @@ install: local for dir in ${SUBDIRS} ; do \ install -m 755 -d "${PROFILES_DEST}/$${dir#${PROFILES_SOURCE}}" ; \ done - for file in $$(find ${PROFILES_SOURCE} -type f -print) ; do \ + for file in $$(find ${ABSTRACTIONS_SOURCE} ${PROFILES_SOURCE}/abi ${PROFILES_SOURCE}/tunables -type f -print) ; do \ install -m 644 "$${file}" "${PROFILES_DEST}/$$(dirname $${file#${PROFILES_SOURCE}})" ; \ done - install -m 755 -d ${EXTRAS_DEST} - install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST} LOCAL_ADDITIONS=$(filter-out ${PROFILES_SOURCE}/local/README, $(wildcard ${PROFILES_SOURCE}/local/*)) .PHONY: clean diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X index ead10d9a..7f0774cd 100644 --- a/profiles/apparmor.d/abstractions/X 
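Review bot: `SD_DETECT_VIRT` is now assigned in three files — here, in parser/rc.apparmor.functions (same line) and in parser/apparmor.systemd — and this script sources rc.apparmor.functions on the line just above the assignment, so the local copy merely shadows the value the functions file already set and the three can drift silently; define it once in rc.apparmor.functions and drop the copies in the two callers, assuming apparmor.systemd sources `$APPARMOR_FUNCTIONS` as its header suggests. The use here is unquoted, unlike the apparmor.systemd version; `[ -x "$SD_DETECT_VIRT" ] && "$SD_DETECT_VIRT" --quiet --container && ! is_container_with_internal_policy && exit 0 || true` keeps the two consistent. In rc.apparmor.functions the new assignment also lands between the comment block describing is_container_with_internal_policy and the function itself, splitting the documentation from its function; move it above the comment block.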
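Review bot: After this change `make install` copies only `${ABSTRACTIONS_SOURCE}`, `${PROFILES_SOURCE}/abi` and `${PROFILES_SOURCE}/tunables`, so the profiles under `${PROFILES_SOURCE}` themselves (the diffstat still lists e.g. usr.sbin.smbd) are no longer installed and nothing is confined by a bare install; presumably they are shipped another way, but a comment on the target stating that would spare the next reader the surprise. The `for dir in ${SUBDIRS}` loop above it still creates every subdirectory under `${PROFILES_DEST}`, so the directories that no longer receive files are created empty — narrow `SUBDIRS` the same way or create directories with `install -D` per file. The destination is computed with `$${file#${PROFILES_SOURCE}}`, which strips correctly only if `ABSTRACTIONS_SOURCE` lies under `PROFILES_SOURCE`; that looks likely but is not visible here. The `$$(find ...)` word-splits on whitespace in file names, a pre-existing weakness this rewrite was an opportunity to replace with `find ... -exec install ... {} \;`. The `install` target continues outside the hunk.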
+++ b/profiles/apparmor.d/abstractions/X @@ -42,13 +42,12 @@ /usr/include/X11/** r, # The X tree changes and is large -- grant read access to the whole thing - /usr/X11R6/** r, /usr/share/X11/ r, /usr/share/X11/** r, - /usr/X11R6/**.so* mr, + /usr/lib{,64}/X11/**.so* mr, # EGL - /usr/lib/@{multiarch}/egl/*.so* mr, + /usr/lib{,64}/egl/*.so* mr, # Xcompose owner @{HOME}/.XCompose r, diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication index d5dbd83a..f779b31d 100644 --- a/profiles/apparmor.d/abstractions/authentication +++ b/profiles/apparmor.d/abstractions/authentication @@ -22,19 +22,16 @@ @{etc_ro}/security/* r, @{etc_ro}/shadow r, @{etc_ro}/gshadow r, + @{etc_ro}/tcb/*/shadow r, + @{etc_ro}/pwdb.conf r, @{etc_ro}/pwdb.conf r, - /{usr/,}lib{,32,64}/security/pam_filter/* mr, - /{usr/,}lib{,32,64}/security/pam_*.so mr, - /{usr/,}lib{,32,64}/security/ r, - /{usr/,}lib/@{multiarch}/security/pam_filter/* mr, - /{usr/,}lib/@{multiarch}/security/pam_*.so mr, - /{usr/,}lib/@{multiarch}/security/ r, + /{usr/,}lib{,64}/security/pam_filter/* mr, + /{usr/,}lib{,64}/security/pam_*.so mr, + /{usr/,}lib{,64}/security/ r, # kerberos include - # SuSE's pwdutils are different: - @{etc_ro}/default/passwd r, @{etc_ro}/login.defs r, @{etc_ro}/login.defs.d/ r, @{etc_ro}/login.defs.d/*.defs r, diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base index f36a5f86..c901b91f 100644 --- a/profiles/apparmor.d/abstractions/base +++ b/profiles/apparmor.d/abstractions/base 
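Review bot: The added `@{etc_ro}/pwdb.conf r,` sits directly above the existing, identical `@{etc_ro}/pwdb.conf r,` context line, so the rule is now listed twice; drop the added copy. The new `@{etc_ro}/tcb/*/shadow r,` grants every profile that includes this abstraction read access to all users' tcb shadow files, which is the same scope as the `@{etc_ro}/shadow r,` already granted a few lines up — consistent, but since tcb keeps those files per user precisely so that only the owner can read them, a short comment such as `# tcb per-user shadow files, presumably read by pam_tcb` would record why the abstraction needs the broad rule.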
@@ -47,11 +47,9 @@ # anything when reading so this is ok. @{run}/systemd/journal/stdout rw, - /usr/lib{,32,64}/locale/** mr, - /usr/lib{,32,64}/gconv/*.so mr, - /usr/lib{,32,64}/gconv/gconv-modules* mr, - /usr/lib/@{multiarch}/gconv/*.so mr, - /usr/lib/@{multiarch}/gconv/gconv-modules* mr, + /usr/lib{,64}/locale/** mr, + /usr/lib{,64}/gconv/*.so mr, + /usr/lib{,64}/gconv/gconv-modules* mr, # used by glibc when binding to ephemeral ports @{etc_ro}/bindresvport.blacklist r, @@ -62,24 +60,17 @@ @{etc_ro}/ld.so.conf r, @{etc_ro}/ld.so.conf.d/{,*.conf} r, @{etc_ro}/ld.so.preload r, - /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, - /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, + /{usr/,}lib{,64}/ld{,64}-*.so mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, - /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr, - /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, # we might as well allow everything to use common libraries - /{usr/,}lib{,32,64}/** r, - /{usr/,}lib{,32,64}/**.so* mr, - /{usr/,}lib/@{multiarch}/** r, - /{usr/,}lib/@{multiarch}/**.so* mr, + /{usr/,}lib{,64}/** r, + /{usr/,}lib{,64}/**.so* mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr, - /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr, # FIPS-140-2 versions of some crypto libraries need to access their # associated integrity verification file, or they will abort. - /{usr/,}lib{,32,64}/.lib*.so*.hmac r, - /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r, + /{usr/,}lib{,64}/.lib*.so*.hmac r, # /dev/null is pretty harmless and frequently used /dev/null rw, diff --git a/profiles/apparmor.d/abstractions/bash b/profiles/apparmor.d/abstractions/bash index 89c1cf1e..692e7d70 100644 --- a/profiles/apparmor.d/abstractions/bash +++ b/profiles/apparmor.d/abstractions/bash @@ -18,7 +18,6 @@ @{HOME}/.bash_history rw, # system-wide bash configuration - /etc/profile.dos r, /etc/profile r, /etc/profile.d/ r, /etc/profile.d/* r, 
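Review bot: Both hunks drop `lib32` and the `i386-linux-gnu` tls paths but keep `/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,` and the matching `*.so*` line, which are i686-only loader paths; if 32-bit userland is out of scope for this tree they are dead rules, and if it is not, removing `lib32` breaks it — either way the two decisions should agree. Since nearly every profile includes this abstraction, the library-layout assumption now encoded in the globs is worth stating once in a comment at the top of the block, e.g. `# library layout: /lib, /lib64, /usr/lib, /usr/lib64 (no multiarch, no lib32)`, so later edits can be checked against it.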
@@ -28,6 +27,7 @@ /etc/bash_completion r, /etc/bash_completion.d/ r, /etc/bash_completion.d/* r, + /usr/share/bash_completion.d/** r, # bash relies on system-wide readline configuration /etc/inputrc r, diff --git a/profiles/apparmor.d/abstractions/dri-common b/profiles/apparmor.d/abstractions/dri-common index cd9542b0..9d857e24 100644 --- a/profiles/apparmor.d/abstractions/dri-common +++ b/profiles/apparmor.d/abstractions/dri-common @@ -5,8 +5,7 @@ # This file contains common DRI-specific rules useful for GUI applications # (needed by libdrm and similar). - /usr/lib{,32,64}/dri/** mr, - /usr/lib/@{multiarch}/dri/** mr, + /usr/lib{,64}/dri/** mr, /usr/lib/fglrx/dri/** mr, /dev/dri/ r, /dev/dri/** rw, diff --git a/profiles/apparmor.d/abstractions/exo-open b/profiles/apparmor.d/abstractions/exo-open index 2ce38e5f..0090c446 100644 --- a/profiles/apparmor.d/abstractions/exo-open +++ b/profiles/apparmor.d/abstractions/exo-open @@ -45,7 +45,7 @@ # Main executables /usr/bin/exo-open rix, - /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix, + /usr/lib{,64}/xfce4/exo-[0-9]/exo-helper-[0-9] ix, # Other executables diff --git a/profiles/apparmor.d/abstractions/fonts b/profiles/apparmor.d/abstractions/fonts index 46324dbb..a0c76840 100644 --- a/profiles/apparmor.d/abstractions/fonts +++ b/profiles/apparmor.d/abstractions/fonts @@ -14,7 +14,6 @@ /usr/share/AbiSuite/fonts/** r, - /usr/lib/xorg/modules/fonts/**.so* mr, /usr/share/fonts/{,**} r, /usr/share/fonts-*/{,**} r, diff --git a/profiles/apparmor.d/abstractions/gio-open b/profiles/apparmor.d/abstractions/gio-open index fda1fb9e..e13bf5bb 100644 --- a/profiles/apparmor.d/abstractions/gio-open +++ b/profiles/apparmor.d/abstractions/gio-open @@ -39,7 +39,7 @@ /usr/bin/gio rix, /usr/bin/gio-launch-desktop ix, # for OpenSUSE - /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix, + /usr/lib{,64}/glib-[0-9]*/gio-launch-desktop ix, # System files 
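Review bot: The new `/usr/share/bash_completion.d/** r,` has no companion directory rule, while the block it extends pairs `/etc/bash_completion.d/ r,` with `/etc/bash_completion.d/* r,`; `**` does not match the directory itself, so a shell that lists the directory to discover completions is denied. Add `/usr/share/bash_completion.d/ r,` above it, and for consistency with the sibling rules consider `*` instead of `**` unless nested completion directories are expected.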
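Review bot: The `# for OpenSUSE` comment now sits above `/usr/lib{,64}/glib-[0-9]*/gio-launch-desktop ix,`, which after this change is no longer a distribution-specific alternative but the default library layout used throughout these abstractions; the comment is stale and should be dropped or reworded to describe the rule itself, e.g. `# gio-launch-desktop helper under the glib library directory`.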
diff --git a/profiles/apparmor.d/abstractions/gnome b/profiles/apparmor.d/abstractions/gnome index 94f3da63..0b84b3cf 100644 --- a/profiles/apparmor.d/abstractions/gnome +++ b/profiles/apparmor.d/abstractions/gnome @@ -23,13 +23,11 @@ # systemwide gtk defaults /etc/gnome/gtkrc* r, /etc/gtk/* r, - /usr/lib{,32,64}/gtk/** mr, - /usr/lib/@{multiarch}/gtk/** mr, - /usr/lib{,32,64}/gtk-[0-9]*/** mr, - /usr/lib/@{multiarch}/gtk-[0-9]*/** mr, + /usr/lib{,64}/gtk/** mr, + /usr/lib{,64}/gtk-[0-9]*/** mr, /usr/share/themes/ r, /usr/share/themes/** r, - /usr/share/gtk-3.0/settings.ini r, + /usr/share/gtk-[0-9]*/settings.ini r, # for gnome 1 applications /etc/orbitrc r, @@ -38,12 +36,9 @@ /etc/fonts/* r, /etc/gtk-*/* r, /etc/pango/* r, - /usr/lib{,32,64}/pango/** mr, - /usr/lib{,32,64}/gtk-*/** mr, - /usr/lib{,32,64}/gdk-pixbuf-*/** mr, - /usr/lib/@{multiarch}/pango/** mr, - /usr/lib/@{multiarch}/gtk-*/** mr, - /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr, + /usr/lib{,64}/pango/** mr, + /usr/lib{,64}/gtk-*/** mr, + /usr/lib{,64}/gdk-pixbuf-*/** mr, # per-user gtk configuration owner @{HOME}/.config/gtk-3.0/ w, @@ -72,6 +67,7 @@ # GtkComposeTable owner @{HOME}/.cache/gtk-3.0/** r, + owner @{HOME}/.cache/gtk-4.0/** r, # icon caches /var/cache/**/icon-theme.cache r, @@ -84,8 +80,7 @@ # gnome VFS modules /etc/gnome-vfs-2.0/modules/ r, /etc/gnome-vfs-2.0/modules/* r, - /usr/lib/gnome-vfs-2.0/modules/*.so mr, - /usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr, + /usr/lib{,64}/gnome-vfs-2.0/modules/*.so mr, # gvfs /usr/share/gvfs/remote-volume-monitors/ r, diff --git a/profiles/apparmor.d/abstractions/gnupg b/profiles/apparmor.d/abstractions/gnupg index 050f0435..27e83a07 100644 --- a/profiles/apparmor.d/abstractions/gnupg +++ b/profiles/apparmor.d/abstractions/gnupg 
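Review bot: The settings.ini rule is generalised to `/usr/share/gtk-[0-9]*/settings.ini r,`, but the cache rules in the third hunk are still enumerated per version (`gtk-3.0`, plus the new `gtk-4.0`); `owner @{HOME}/.cache/gtk-[0-9]*/** r,` would match the style of the settings.ini change and of the `gtk-[0-9]*` library globs in the first hunk, and avoids another edit for the next major version. The `/usr/lib{,64}` rewrite itself is consistent with the other abstractions in this commit.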
@@ -9,7 +9,6 @@ owner @{HOME}/.gnupg/pubring.kbx r, owner @{HOME}/.gnupg/random_seed rw, owner @{HOME}/.gnupg/secring.gpg r, - owner @{HOME}/.gnupg/so/*.x86_64 mr, owner @{HOME}/.gnupg/trustdb.gpg rw, # Include additions to the abstraction diff --git a/profiles/apparmor.d/abstractions/kde b/profiles/apparmor.d/abstractions/kde index 5514e632..aaf895f2 100644 --- a/profiles/apparmor.d/abstractions/kde +++ b/profiles/apparmor.d/abstractions/kde @@ -54,17 +54,10 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget /usr/lib*/kde3/plugins/styles/ r, /usr/lib*/kde3/plugins/styles/* mr, /usr/lib*/kde3/lib*so* mr, -/usr/lib/@{multiarch}/kde3/plugins/styles/ r, -/usr/lib/@{multiarch}/kde3/plugins/styles/* mr, -/usr/lib/@{multiarch}/kde3/lib*so* mr, /usr/lib*/qt3/lib*/lib*so* mr, /usr/lib*/qt3/plugins/** mr, -/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr, -/usr/lib/@{multiarch}/qt3/plugins/** mr, /usr/lib*/libqt-mt*so* mr, /usr/lib*/libqui*so* mr, -/usr/lib/@{multiarch}/libqt-mt*so* mr, -/usr/lib/@{multiarch}/libqui*so* mr, /usr/share/qt3/lib*/libqt-mt*so* mr, /usr/share/qt3/lib*/libqui*so* mr, @@ -72,13 +65,8 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget /usr/lib*/kde4/plugins/*/*.so mr, /usr/lib*/kde4/plugins/*/ r, /usr/lib*/kde4/lib*so* mr, -/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr, -/usr/lib/@{multiarch}/kde4/plugins/*/ r, -/usr/lib/@{multiarch}/kde4/lib*so* mr, /usr/lib*/qt4/lib*/lib*so* mr, /usr/lib*/qt4/plugins/** mr, -/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr, -/usr/lib/@{multiarch}/qt4/plugins/** mr, /usr/share/qt4/** r, # Include additions to the abstraction diff --git a/profiles/apparmor.d/abstractions/kde-open5 b/profiles/apparmor.d/abstractions/kde-open5 index 5f4e0f75..819316b9 100644 --- a/profiles/apparmor.d/abstractions/kde-open5 +++ b/profiles/apparmor.d/abstractions/kde-open5 @@ -58,7 +58,6 @@ # Main executables /usr/bin/kde-open5 rix, - /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix, # DBus 
diff --git a/profiles/apparmor.d/abstractions/kerberosclient b/profiles/apparmor.d/abstractions/kerberosclient index 386e8c11..c1104906 100644 --- a/profiles/apparmor.d/abstractions/kerberosclient +++ b/profiles/apparmor.d/abstractions/kerberosclient @@ -12,15 +12,11 @@ abi , # files required by kerberos client programs - /usr/lib{,32,64}/krb5/plugins/libkrb5/ r, - /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr, - /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r, - /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr, + /usr/lib{,64}/krb5/plugins/libkrb5/ r, + /usr/lib{,64}/krb5/plugins/libkrb5/* mr, - /usr/lib{,32,64}/krb5/plugins/preauth/ r, - /usr/lib{,32,64}/krb5/plugins/preauth/* mr, - /usr/lib/@{multiarch}/krb5/plugins/preauth/ r, - /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr, + /usr/lib{,64}/krb5/plugins/preauth/ r, + /usr/lib{,64}/krb5/plugins/preauth/* mr, /etc/krb5.keytab rk, /etc/krb5.conf r, diff --git a/profiles/apparmor.d/abstractions/mir b/profiles/apparmor.d/abstractions/mir deleted file mode 100644 index 4ccc22ee..00000000 --- a/profiles/apparmor.d/abstractions/mir +++ /dev/null @@ -1,22 +0,0 @@ -# vim:syntax=apparmor -# ------------------------------------------------------------------ -# -# Copyright (C) 2015 Canonical Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# ------------------------------------------------------------------ - - abi , - - # mir libraries sometimes do not have a lib prefix - # see LP: #1422521 - /usr/lib/@{multiarch}/mir/*.so* mr, - /usr/lib/@{multiarch}/mir/**/*.so* mr, - - # unprivileged mir socket for clients - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice index 7f53f2eb..1893795f 100644 --- a/profiles/apparmor.d/abstractions/nameservice 
+++ b/profiles/apparmor.d/abstractions/nameservice @@ -62,7 +62,6 @@ # The nss libraries are sometimes used in addition to PAM; make sure # they are available /{usr/,}lib{,32,64}/libnss_*.so* mr, - /{usr/,}lib/@{multiarch}/libnss_*.so* mr, @{etc_ro}/default/nss r, # avahi-daemon is used for mdns4 resolution diff --git a/profiles/apparmor.d/abstractions/opencl-intel b/profiles/apparmor.d/abstractions/opencl-intel index 4d047233..cb07984c 100644 --- a/profiles/apparmor.d/abstractions/opencl-intel +++ b/profiles/apparmor.d/abstractions/opencl-intel @@ -16,7 +16,7 @@ /dev/dri/card[0-9]* rw, # beignet/libcl.so @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?) - /usr/lib/@{multiarch}/beignet/** r, + /usr/lib{,64}/beignet/** r, # Include additions to the abstraction diff --git a/profiles/apparmor.d/abstractions/opencl-mesa b/profiles/apparmor.d/abstractions/opencl-mesa index a5cada61..7704c371 100644 --- a/profiles/apparmor.d/abstractions/opencl-mesa +++ b/profiles/apparmor.d/abstractions/opencl-mesa @@ -8,7 +8,6 @@ # Additional libraries - /usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so /usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE # System files diff --git a/profiles/apparmor.d/abstractions/opencl-pocl b/profiles/apparmor.d/abstractions/opencl-pocl index 8b93b0dc..6fc14d07 100644 --- a/profiles/apparmor.d/abstractions/opencl-pocl +++ b/profiles/apparmor.d/abstractions/opencl-pocl @@ -7,7 +7,6 @@ # Executables - /usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld, /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang, # System files @@ -47,8 +46,6 @@ # Main executables - /usr/bin/{,@{multiarch}-}ld.bfd mr, - # User files owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw, @@ -64,8 +61,6 @@ # Additional executables - /usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile? - # System files /etc/debian-version r, 
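Review bot: All three `ld.bfd` rules are deleted rather than rewritten, so no path remains that permits executing the linker, while the `opencl_pocl_ld` child profile those rules transitioned to appears to survive (its `# Main executables` block is what the second hunk edits) and the parallel `clang` rule was kept. If the intent was only to drop the `@{multiarch}-` prefix, as in every other file of this commit, the lines should read `/usr/bin/ld.bfd Cx -> opencl_pocl_ld,` in the main block and `/usr/bin/ld.bfd mr,` / `/usr/bin/ld.bfd ix,` in the child profiles; if the linker is genuinely not needed, the now-unreferenced child profile should be removed with them. The enclosing profile blocks continue outside the hunks.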
diff --git a/profiles/apparmor.d/abstractions/p11-kit b/profiles/apparmor.d/abstractions/p11-kit index 29696815..d0c34066 100644 --- a/profiles/apparmor.d/abstractions/p11-kit +++ b/profiles/apparmor.d/abstractions/p11-kit @@ -16,7 +16,6 @@ /etc/pkcs11/modules/* r, /usr/lib{,32,64}/pkcs11/*.so mr, - /usr/lib/@{multiarch}/pkcs11/*.so mr, /usr/share/p11-kit/modules/ r, /usr/share/p11-kit/modules/* r, diff --git a/profiles/apparmor.d/abstractions/perl b/profiles/apparmor.d/abstractions/perl index 39718535..2d74006f 100644 --- a/profiles/apparmor.d/abstractions/perl +++ b/profiles/apparmor.d/abstractions/perl @@ -17,8 +17,6 @@ /usr/lib{,32,64}/perl5/** r, /usr/lib{,32,64}/perl{,5}/**.so* mr, - /usr/lib/@{multiarch}/perl{,5,-base}/** r, - /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr, /usr/share/perl/** r, /usr/share/perl5/** r, diff --git a/profiles/apparmor.d/abstractions/postfix-common b/profiles/apparmor.d/abstractions/postfix-common index 68d4f7a8..072c1096 100644 --- a/profiles/apparmor.d/abstractions/postfix-common +++ b/profiles/apparmor.d/abstractions/postfix-common @@ -29,15 +29,12 @@ /etc/postfix/*.lmdb rk, @{PROC}/net/if_inet6 r, /usr/lib/postfix/*.so mr, - /usr/lib{,32,64}/sasl2/* mr, - /usr/lib{,32,64}/sasl2/ r, - /usr/lib/@{multiarch}/sasl2/* mr, - /usr/lib/@{multiarch}/sasl2/ r, + /usr/lib{,32,64}/sasl2*/* mr, + /usr/lib{,32,64}/sasl2*/ r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /var/spool/postfix/etc/* r, /var/spool/postfix/lib/lib*.so* mr, - /var/spool/postfix/lib/@{multiarch}/lib*.so* mr, /etc/postfix/dynamicmaps.cf.d/ r, diff --git a/profiles/apparmor.d/abstractions/qt5 b/profiles/apparmor.d/abstractions/qt5 index 83dc00c4..5e35b21c 100644 --- a/profiles/apparmor.d/abstractions/qt5 +++ b/profiles/apparmor.d/abstractions/qt5 
@@ -5,16 +5,16 @@ # Additional libraries - /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr, - /usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr, - /usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules + /usr/lib{,64}/qt5/plugins/**.so mr, + /usr/lib{,64}/qt5/qml/**.so mr, + /usr/lib{,64}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules # System files /etc/xdg/QtProject/qtlogging.ini r, /usr/share/qt5/translations/*.qm r, - /usr/lib{,64,/@{multiarch}}/qt5/plugins/** r, - /usr/lib{,64,/@{multiarch}}/qt5/qml/** r, + /usr/lib{,64}/qt5/plugins/** r, + /usr/lib{,64}/qt5/qml/** r, # User files diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs index 82e532b3..95e02bec 100644 --- a/profiles/apparmor.d/abstractions/ssl_certs +++ b/profiles/apparmor.d/abstractions/ssl_certs @@ -12,15 +12,15 @@ abi , /etc/ca-certificates/{,**} r, - /etc/{,libre}ssl/ r, - /etc/{,libre}ssl/cert.pem r, - /etc/{,libre}ssl/certs/{,**} r, + /etc/{open,libre}ssl/ r, + /etc/{open,libre}ssl/cert.pem r, + /etc/{open,libre}ssl/certs/{,**} r, /{etc,usr/share}/pki/bl[ao]cklist/{,*} r, - /{etc,usr/share}/pki/trust/{,*} r, - /{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r, + /{etc,usr/share}/pki/ca-trust/{,*} r, + /{etc,usr/share}/pki/ca-trust/{bl[oa]cklist,anchors,extracted}/{,**} r, /usr/share/ca-certificates/{,**} r, /usr/share/ssl/certs/ca-bundle.crt r, - /usr/local/share/ca-certificates/{,**} r, + /usr/share/ca-certificates/{,**} r, /var/lib/ca-certificates/{,**} r, # acmetool diff --git a/profiles/apparmor.d/abstractions/ssl_keys b/profiles/apparmor.d/abstractions/ssl_keys index f310bb5a..e866df76 100644 --- a/profiles/apparmor.d/abstractions/ssl_keys +++ b/profiles/apparmor.d/abstractions/ssl_keys 
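Review bot: The last change replaces `/usr/local/share/ca-certificates/{,**} r,` with `/usr/share/ca-certificates/{,**} r,`, which already appears three lines above, so the rule is duplicated and read access to locally added CA certificates under /usr/local is silently dropped; keep the `/usr/local/share` line, or delete the added duplicate if that path is really unsupported on this distribution. Dropping the bare `/etc/ssl/` alternative in `/etc/{open,libre}ssl/` matches the `/etc/openssl` change in ssl_keys in the next section, but applications that open `/etc/ssl/...` directly will be denied unless `/etc/ssl` is a symlink to `/etc/openssl`; a comment on that line stating the assumption would make it checkable.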
@@ -15,8 +15,8 @@ # Just include the whole /etc/ssl directory if we should have access to # private keys too - /etc/ssl/ r, - /etc/ssl/** r, + /etc/openssl/ r, + /etc/openssl/** r, # acmetool /var/lib/acme/live/* r, diff --git a/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients b/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients deleted file mode 100644 index 0d929ad6..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients +++ /dev/null @@ -1,22 +0,0 @@ -# vim:syntax=apparmor -# -# abstraction for allowing graphical bittorrent clients in Ubuntu -# -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - /usr/bin/azureus Cxr -> sanitized_helper, - /usr/bin/bitstormlite Cxr -> sanitized_helper, - /usr/bin/btmaketorrentgui Cxr -> sanitized_helper, - /usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper, - /usr/bin/gnome-btdownload Cxr -> sanitized_helper, - /usr/bin/kget Cxr -> sanitized_helper, - /usr/bin/ktorrent Cxr -> sanitized_helper, - /usr/bin/qbittorrent Cxr -> sanitized_helper, - /usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper, - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers b/profiles/apparmor.d/abstractions/ubuntu-browsers deleted file mode 100644 index c2c710a1..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers +++ /dev/null 
@@ -1,41 +0,0 @@ -# vim:syntax=apparmor -# -# abstraction for allowing access to graphical browsers in Ubuntu -# -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - /usr/bin/arora Cx -> sanitized_helper, - /usr/bin/dillo Cx -> sanitized_helper, - /usr/bin/Dooble Cx -> sanitized_helper, - /usr/bin/epiphany Cx -> sanitized_helper, - /usr/bin/epiphany-browser Cx -> sanitized_helper, - /usr/bin/epiphany-webkit Cx -> sanitized_helper, - /usr/lib/fennec-*/fennec Cx -> sanitized_helper, - /usr/bin/kazehakase Cx -> sanitized_helper, - /usr/bin/konqueror Cx -> sanitized_helper, - /usr/bin/midori Cx -> sanitized_helper, - /usr/bin/netsurf Cx -> sanitized_helper, - /usr/bin/seamonkey Cx -> sanitized_helper, - /usr/bin/sensible-browser Pixr, - - /usr/bin/chromium{,-browser} Cx -> sanitized_helper, - /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper, - - # this should cover all firefox browsers and versions (including shiretoko - # and abrowser) - /usr/bin/firefox Cxr -> sanitized_helper, - /usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper, - - # Iceweasel - /usr/bin/iceweasel Cxr -> sanitized_helper, - /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper, - - # some unpackaged, but popular browsers - /usr/lib/icecat-*/icecat Cx -> sanitized_helper, - /usr/bin/opera Cx -> sanitized_helper, - /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper, - /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper, diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser deleted file mode 100644 index 95724f1a..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser +++ /dev/null 
@@ -1,26 +0,0 @@ -# vim:syntax=apparmor -# ------------------------------------------------------------------ -# -# Copyright (C) 2020 Canonical Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# ------------------------------------------------------------------ -# Author: Jamie Strandboge - -# For site-specific adjustments, please see: -# /etc/apparmor.d/local/chromium-browser - -abi , - -include -include -include -include -include -include -include -include -include diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java deleted file mode 100644 index 507d62a0..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java +++ /dev/null 
@@ -1,118 +0,0 @@ -# vim:syntax=apparmor - - abi , - - # Java plugin - owner @{HOME}/.java/deployment/deployment.properties k, - /etc/java-*/ r, - /etc/java-*/** r, - /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr, - /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr, - /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk, - /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk, - /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java, - /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java, - /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java, - owner /{,var/}run/user/*/icedteaplugin-*/ rw, - owner /{,var/}run/user/*/icedteaplugin-*/** rwk, - - # Profile for the supported OpenJDK in Ubuntu. This doesn't require the - # unfortunate workarounds of the proprietary Javas, so have a separate - # profile. - profile browser_openjdk { - include - include - include - include - include - include - include - include - - network inet stream, - network inet6 stream, - @{PROC}/@{pid}/net/if_inet6 r, - @{PROC}/@{pid}/net/ipv6_route r, - - /etc/java-*/ r, - /etc/java-*/** r, - /etc/lsb-release r, - /etc/ssl/certs/java/* r, - /etc/timezone r, - - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/filesystems r, - @{sys}/devices/system/cpu/ r, - @{sys}/devices/system/cpu/** r, - /usr/share/** r, - /var/lib/dbus/machine-id r, - - /usr/bin/env ix, - /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix, - /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix, - /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m, - - # Why would java need this? 
- deny /usr/bin/gconftool-2 x, - - owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw, - owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r, - owner @{HOME}/ r, - owner @{HOME}/** rwk, - } - - # Profile for commercial Javas. These need workarounds to work right (eg - # Sun's forcing of an executable stack (LP: #535247)). - profile browser_java { - include - include - include - include - include - include - include - include - - network inet stream, - network inet6 stream, - @{PROC}/@{pid}/net/if_inet6 r, - @{PROC}/@{pid}/net/ipv6_route r, - @{PROC}/loadavg r, - - /etc/debian_version r, - /etc/java-*/ r, - /etc/java-*/** r, - /etc/lsb-release r, - /etc/ssl/certs/java/* r, - /etc/timezone r, - - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/filesystems r, - @{sys}/devices/system/cpu/ r, - @{sys}/devices/system/cpu/** r, - /usr/share/** r, - /var/lib/dbus/machine-id r, - - /usr/bin/env ix, - /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix, - /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m, - /usr/lib/j2*-ibm/jre/bin/java ix, - - # noisy, can't write here anyway - deny /etc/.java/ w, - deny /etc/.java/** w, - - deny /usr/bin/gconftool-2 x, - - owner @{HOME}/ r, - owner @{HOME}/** rwk, - - # These are seriously unfortunate, but required due to LP: #535247 - /etc/passwd m, - owner @{HOME}/.java/**/cache/** m, - owner /tmp/** m, - /usr/lib{,32,64}/jvm/**/*.jar mr, - /usr/share/fonts/** m, - } diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde deleted file mode 100644 index bdac331e..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde +++ /dev/null @@ -1,9 +0,0 @@ -# vim:syntax=apparmor -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - include - /usr/bin/kde4-config Cx -> sanitized_helper, 
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto deleted file mode 100644 index 8d157098..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto +++ /dev/null @@ -1,11 +0,0 @@ -# vim:syntax=apparmor - - abi , - - # for mailto: - include - include - - # Terminals for using console applications. These abstractions should ideally - # have 'ix' to restrct access to what only firefox is allowed to do - include diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia deleted file mode 100644 index f2eb23ef..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia +++ /dev/null 
@@ -1,51 +0,0 @@ -# vim:syntax=apparmor -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - include - - # Pulseaudio - /usr/bin/pulseaudio Pixr, - - # Image viewers - /usr/bin/eog Cxr -> sanitized_helper, - /usr/bin/gimp* Cxr -> sanitized_helper, - /usr/bin/shotwell Cxr -> sanitized_helper, - /usr/bin/digikam Cxr -> sanitized_helper, - /usr/bin/gwenview Cxr -> sanitized_helper, - - include - owner @{HOME}/.adobe/ w, - owner @{HOME}/.adobe/** rw, - owner @{HOME}/.macromedia/ w, - owner @{HOME}/.macromedia/** rw, - /opt/real/RealPlayer/mozilla/nphelix.so rm, - /usr/bin/lpstat Cxr -> sanitized_helper, - /usr/bin/lpr Cxr -> sanitized_helper, - - # Bittorrent clients - include - - # Archivers - /usr/bin/ark Cxr -> sanitized_helper, - /usr/bin/file-roller Cxr -> sanitized_helper, - /usr/bin/xarchiver Cxr -> sanitized_helper, - /usr/local/lib{,32,64}/*.so* mr, - - # News feed readers - include - - # If we allow the above, nvidia based systems will also need this - include - - # Virus scanners - /usr/bin/clamscan Cx -> sanitized_helper, - - # gxine (LP: #1057642) - /var/lib/xine/gxine.desktop r, - - # For WebRTC camera access (LP: #1665535) - /dev/video[0-9]* rw, diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common deleted file mode 100644 index 5d93b262..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common +++ /dev/null @@ -1,18 +0,0 @@ -# vim:syntax=apparmor - - abi , - - # - # Plugins/helpers - # - @{PROC}/@{pid}/fd/ r, - /usr/lib/** rm, - /{,usr/}bin/bash ixr, - /{,usr/}bin/dash ixr, - /{,usr/}bin/grep ixr, - /{,usr/}bin/sed ixr, - /usr/bin/m4 ixr, - - # Since all the ubuntu-browsers.d abstractions need this, just include it - # here - include 
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity deleted file mode 100644 index 1fc67a84..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity +++ /dev/null @@ -1,26 +0,0 @@ -# vim:syntax=apparmor -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - # Openoffice.org - /usr/bin/ooffice Cxr -> sanitized_helper, - /usr/bin/oocalc Cxr -> sanitized_helper, - /usr/bin/oodraw Cxr -> sanitized_helper, - /usr/bin/ooimpress Cxr -> sanitized_helper, - /usr/bin/oowriter Cxr -> sanitized_helper, - /usr/lib/openoffice/program/soffice Cxr -> sanitized_helper, - - # LibreOffice - /usr/bin/libreoffice Cxr -> sanitized_helper, - /usr/bin/localc Cxr -> sanitized_helper, - /usr/bin/lodraw Cxr -> sanitized_helper, - /usr/bin/loimpress Cxr -> sanitized_helper, - /usr/bin/lowriter Cxr -> sanitized_helper, - /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper, - - # PDFs - /usr/bin/evince Cxr -> sanitized_helper, - /usr/bin/okular Cxr -> sanitized_helper, diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors deleted file mode 100644 index e04c6b80..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors +++ /dev/null 
@@ -1,16 +0,0 @@ -# vim:syntax=apparmor -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125]) - /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper, - /usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper, - /usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper, - /usr/bin/gedit Cxr -> sanitized_helper, - /usr/bin/vim.gnome Cxr -> sanitized_helper, - /usr/bin/leafpad Cxr -> sanitized_helper, - /usr/bin/mousepad Cxr -> sanitized_helper, - /usr/bin/kate Cxr -> sanitized_helper, diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration deleted file mode 100644 index cdbd47cd..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration +++ /dev/null 
@@ -1,37 +0,0 @@ -# vim:syntax=apparmor -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - # Apport - /usr/bin/apport-bug Cx -> sanitized_helper, - - # Package installation - /usr/bin/apturl Cxr -> sanitized_helper, - /usr/share/software-center/software-center Cxr -> sanitized_helper, - - # Input Methods - /usr/bin/scim Cx -> sanitized_helper, - /usr/bin/scim-bridge Cx -> sanitized_helper, - - # File managers - /usr/bin/nautilus Cxr -> sanitized_helper, - /usr/bin/{t,T}hunar Cxr -> sanitized_helper, - /usr/bin/dolphin Cxr -> sanitized_helper, - - # Themes - /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper, - - # Kubuntu - /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper, - - # Exo-aware applications - include - - # unity webapps integration. Could go in its own abstraction - owner /run/user/*/dconf/user rw, - owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk, - /usr/bin/debconf-communicate Cxr -> sanitized_helper, - owner @{HOME}/.config/libaccounts-glib/accounts.db rk, diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul deleted file mode 100644 index c6a8eedd..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul +++ /dev/null @@ -1,8 +0,0 @@ -# vim:syntax=apparmor - - abi , - - # firefox-notify - include - /usr/bin/python2.[4567] ix, - /usr/share/xul-ext/notify/**/download_complete_notify.py ix, diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files deleted file mode 100644 index f0454552..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files +++ /dev/null 
@@ -1,31 +0,0 @@ -# vim:syntax=apparmor - - abi , - - # Allow read to all files user has DAC access to and write access to all - # files owned by the user in $HOME. - @{HOME}/ r, - @{HOME}/** r, - owner @{HOME}/** w, - - # Do not allow read and/or write to particularly sensitive/problematic files - include - audit deny @{HOME}/.ssh/{,**} mrwkl, - audit deny @{HOME}/.gnome2_private/{,**} mrwkl, - audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w, - audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, - audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl, - - # Comment this out if using gpg plugin/addons - audit deny @{HOME}/.gnupg/{,**} mrwkl, - - # Allow read to all files user has DAC access to and write for files the user - # owns on removable media and filesystems. - /media/** r, - /mnt/** r, - /srv/** r, - /net/** r, - owner /media/** w, - owner /mnt/** w, - owner /srv/** w, - owner /net/** w, diff --git a/profiles/apparmor.d/abstractions/ubuntu-console-browsers b/profiles/apparmor.d/abstractions/ubuntu-console-browsers deleted file mode 100644 index 8f6687ae..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-console-browsers +++ /dev/null @@ -1,23 +0,0 @@ -# vim:syntax=apparmor -# -# abstraction for allowing access to text-only browsers in Ubuntu. These will -# typically also need a terminal, so when using this abstraction, should also -# do something like: -# -# include -# -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - /usr/bin/elinks Cx -> sanitized_helper, - /usr/bin/links Cx -> sanitized_helper, - /usr/bin/lynx.cur Cx -> sanitized_helper, - /usr/bin/netrik Cx -> sanitized_helper, - /usr/bin/w3m Cx -> sanitized_helper, - - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-console-email b/profiles/apparmor.d/abstractions/ubuntu-console-email deleted file mode 100644 index ee741fdf..00000000 
--- a/profiles/apparmor.d/abstractions/ubuntu-console-email +++ /dev/null @@ -1,23 +0,0 @@ -# vim:syntax=apparmor -# -# abstraction for allowing console email clients in Ubuntu. These will -# typically also need a terminal, so when using this abstraction, should also -# do something like: -# -# include -# -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - /usr/bin/alpine Cx -> sanitized_helper, - /usr/bin/citadel Cx -> sanitized_helper, - /usr/bin/cone Cx -> sanitized_helper, - /usr/bin/elmo Cx -> sanitized_helper, - /usr/bin/mutt Cx -> sanitized_helper, - - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-email b/profiles/apparmor.d/abstractions/ubuntu-email deleted file mode 100644 index 45f02eba..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-email +++ /dev/null @@ -1,29 +0,0 @@ -# vim:syntax=apparmor -# -# abstraction for allowing graphical email clients in Ubuntu -# -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - /usr/bin/anjal Cx -> sanitized_helper, - /usr/bin/balsa Cx -> sanitized_helper, - /usr/bin/claws-mail Cx -> sanitized_helper, - /usr/bin/evolution Cx -> sanitized_helper, - /usr/bin/geary Cx -> sanitized_helper, - /usr/bin/gnome-gmail Cx -> sanitized_helper, - /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper, - /usr/bin/kmail Cx -> sanitized_helper, - /usr/bin/mailody Cx -> sanitized_helper, - /usr/bin/modest Cx -> sanitized_helper, - /usr/bin/seamonkey Cx -> sanitized_helper, - /usr/bin/sylpheed Cx -> sanitized_helper, - /usr/bin/tkrat Cx -> sanitized_helper, - - /usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop - /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper, - - # Include additions to the abstraction - include if exists 
diff --git a/profiles/apparmor.d/abstractions/ubuntu-feed-readers b/profiles/apparmor.d/abstractions/ubuntu-feed-readers deleted file mode 100644 index e8b89b1d..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-feed-readers +++ /dev/null @@ -1,15 +0,0 @@ -# vim:syntax=apparmor -# -# abstraction for allowing graphical news feed readers in Ubuntu -# -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - /usr/bin/akregator Cxr -> sanitized_helper, - /usr/bin/liferea-add-feed Cxr -> sanitized_helper, - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal b/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal deleted file mode 100644 index c6280b0e..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal +++ /dev/null @@ -1,15 +0,0 @@ -# vim:syntax=apparmor -# -# for allowing access to gnome-terminal -# - - abi , - - include - - # do not use ux or PUx here. Use at a minimum ix - /usr/bin/gnome-terminal ix, - - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-helpers b/profiles/apparmor.d/abstractions/ubuntu-helpers deleted file mode 100644 index 7e07ef43..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-helpers +++ /dev/null 
@@ -1,93 +0,0 @@ -# Lenient profile that is intended to be used when 'Ux' is desired but -# does not provide enough environment sanitizing. This effectively is an -# open profile that blacklists certain known dangerous files and also -# does not allow any capabilities. For example, it will not allow 'm' on files -# owned be the user invoking the program. While this provides some additional -# protection, please use with care as applications running under this profile -# are effectively running without any AppArmor protection. Use this profile -# only if the process absolutely must be run (effectively) unconfined. -# -# Usage: -# Because this abstraction defines the sanitized_helper profile, it must only -# be included once. Therefore this abstraction should typically not be -# included in other abstractions so as to avoid parser errors regarding -# multiple definitions. -# -# Limitations: -# 1. This does not work for root owned processes, because of the way we use -# owner matching in the sanitized helper. We could do a better job with -# this to support root, but it would make the policy harder to understand -# and going unconfined as root is not desirable any way. -# -# 2. For this sanitized_helper to work, the program running in the sanitized -# environment must open symlinks directly in order for AppArmor to mediate -# it. This is confirmed to work with: -# - compiled code which can load shared libraries -# - python imports -# It is known not to work with: -# - perl includes -# 3. Sanitizing ruby and java -# -# Use at your own risk. This profile was developed as an interim workaround for -# LP: #851986 until AppArmor utilizes proper environment filtering. 
- - abi , - -profile sanitized_helper { - include - include - - # Allow all networking - network inet, - network inet6, - - # Allow all DBus communications - include - include - dbus, - - # Needed for Google Chrome - ptrace (trace) peer=**//sanitized_helper, - - # Allow exec of anything, but under this profile. Allow transition - # to other profiles if they exist. - /{usr/,usr/local/,}{bin,sbin}/* Pixr, - - # Allow exec of libexec applications in /usr/lib* and /usr/local/lib* - /usr/{,local/}lib*/{,**/}* Pixr, - - # Allow exec of software-center scripts. We may need to allow wider - # permissions for /usr/share, but for now just do this. (LP: #972367) - /usr/share/software-center/* Pixr, - - # Allow exec of texlive font build scripts (LP: #1010909) - /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr, - - # While the chromium and chrome sandboxes are setuid root, they only link - # in limited libraries so glibc's secure execution should be enough to not - # require the santized_helper (ie, LD_PRELOAD will only use standard system - # paths (man ld.so)). 
- /usr/lib/chromium-browser/chromium-browser-sandbox PUxr, - /usr/lib/chromium{,-browser}/chrome-sandbox PUxr, - /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr, - /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr, - /opt/google/chrome{,-beta,-unstable}/chrome Pixr, - /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr, - /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m, - - # The same is needed for Brave - /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr, - /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr, - /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr, - /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr, - /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m, - - # Full access - / r, - /** rwkl, - /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m, - - # Dangerous files - audit deny owner /**/* m, # compiled libraries - audit deny owner /**/*.py* r, # python imports -} diff --git a/profiles/apparmor.d/abstractions/ubuntu-konsole b/profiles/apparmor.d/abstractions/ubuntu-konsole deleted file mode 100644 index 4ece2bd3..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-konsole +++ /dev/null @@ -1,22 +0,0 @@ -# vim:syntax=apparmor -# -# for allowing access to konsole -# - - abi , - - include - include - capability sys_ptrace, - @{PROC}/@{pid}/status r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - /{,var/}run/utmp r, - /dev/ptmx rw, - - # do not use ux or Ux here. Use at a minimum ix - /usr/bin/konsole ix, - - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-media-players b/profiles/apparmor.d/abstractions/ubuntu-media-players deleted file mode 100644 index 5fa48e75..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-media-players +++ /dev/null 
@@ -1,65 +0,0 @@ -# vim:syntax=apparmor -# -# abstraction for allowing access to media players in Ubuntu -# -# Users of this abstraction need to include the ubuntu-helpers abstraction -# in the toplevel profile. Eg: -# include - - abi , - - /usr/bin/amarok Cxr -> sanitized_helper, - /usr/bin/audacious2 Cxr -> sanitized_helper, - /usr/bin/audacity Cxr -> sanitized_helper, - /usr/bin/bangarang Cxr -> sanitized_helper, - /usr/bin/banshee Cxr -> sanitized_helper, - /usr/bin/banshee-1 Cxr -> sanitized_helper, - /usr/bin/decibel Cxr -> sanitized_helper, - /usr/bin/dragon Cxr -> sanitized_helper, - /usr/bin/esperanza Cxr -> sanitized_helper, - /usr/bin/exaile Cxr -> sanitized_helper, - /usr/bin/freevo Cxr -> sanitized_helper, - /usr/bin/gmerlin Cxr -> sanitized_helper, - /usr/bin/gxmms Cxr -> sanitized_helper, - /usr/bin/gxmms2 Cxr -> sanitized_helper, - /usr/bin/hornsey Cxr -> sanitized_helper, - /usr/bin/jlgui Cxr -> sanitized_helper, - /usr/bin/juk Cxr -> sanitized_helper, - /usr/bin/kaffeine Cxr -> sanitized_helper, - /usr/bin/listen Cxr -> sanitized_helper, - /usr/share/minirok/minirok.py Cxr -> sanitized_helper, - - # mplayer - /etc/mplayerplug-in.conf r, - /usr/bin/gmplayer Cxr -> sanitized_helper, - /usr/bin/gnome-mplayer Cxr -> sanitized_helper, - /usr/bin/kmplayer Cxr -> sanitized_helper, - /usr/bin/mplayer Cxr -> sanitized_helper, - /usr/bin/smplayer Cxr -> sanitized_helper, - - /usr/bin/muine Cxr -> sanitized_helper, - /usr/bin/potamus Cxr -> sanitized_helper, - /usr/bin/promoe Cxr -> sanitized_helper, - /usr/bin/qmmp Cxr -> sanitized_helper, - /usr/bin/quodlibet Cxr -> sanitized_helper, - /usr/bin/rhythmbox Cxr -> sanitized_helper, - /usr/bin/strange-quark Cxr -> sanitized_helper, - /usr/bin/swfdec-player Cxr -> sanitized_helper, - /usr/bin/timidity Cxr -> sanitized_helper, - /usr/lib/totem/** ixr, - /usr/bin/totem-gstreamer Cxr -> sanitized_helper, - /usr/bin/totem-xine Cxr -> sanitized_helper, - /usr/bin/totem Cxr -> sanitized_helper, - /usr/bin/vlc Cxr -> 
sanitized_helper, - /usr/bin/xfmedia Cxr -> sanitized_helper, - /usr/bin/xmms Cxr -> sanitized_helper, - - # gnash - /usr/bin/gtk-gnash ixr, - /etc/gnashrc r, - /etc/gnashpluginrc r, - owner @{HOME}/.gnash/ rw, - owner @{HOME}/.gnash/** rw, - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-unity7-base b/profiles/apparmor.d/abstractions/ubuntu-unity7-base deleted file mode 100644 index 6e207b28..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-unity7-base +++ /dev/null 
@@ -1,105 +0,0 @@ -# vim:syntax=apparmor -# ------------------------------------------------------------------ -# -# Copyright (C) 2013-2014 Canonical Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# ------------------------------------------------------------------ - - abi , - -# -# Rules common to applications running under Unity 7 -# - -include - -include -include - - # - # Access required for connecting to/communication with Unity HUD - # - dbus (send) - bus=session - path="/com/canonical/hud", - dbus (send) - bus=session - interface="com.canonical.hud.*", - dbus (send) - bus=session - path="/com/canonical/hud/applications/*", - dbus (receive) - bus=session - path="/com/canonical/hud", - dbus (receive) - bus=session - interface="com.canonical.hud.*", - - # - # Allow access for connecting to/communication with the appmenu - # - # dbusmenu - dbus (send) - bus=session - interface="com.canonical.AppMenu.*", - dbus (receive, send) - bus=session - path=/com/canonical/menu/**, - - # gmenu - dbus (receive, send) - bus=session - interface=org.gtk.Actions, - dbus (receive, send) - bus=session - interface=org.gtk.Menus, - - # - # Access required for using freedesktop notifications - # - dbus (send) - bus=session - path=/org/freedesktop/Notifications - member=GetCapabilities, - dbus (send) - bus=session - path=/org/freedesktop/Notifications - member=GetServerInformation, - dbus (send) - bus=session - path=/org/freedesktop/Notifications - member=Notify, - dbus (receive) - bus=session - member="Notify" - peer=(name="org.freedesktop.DBus"), - dbus (receive) - bus=session - path=/org/freedesktop/Notifications - member=NotificationClosed, - dbus (send) - bus=session - path=/org/freedesktop/Notifications - member=CloseNotification, - - # accessibility - dbus (send) - bus=session - peer=(name=org.a11y.Bus), - dbus (receive) - 
bus=session - interface=org.a11y.atspi*, - dbus (receive, send) - bus=accessibility, - - # - # Deny potentially dangerous access - # - deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**, - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-unity7-launcher b/profiles/apparmor.d/abstractions/ubuntu-unity7-launcher deleted file mode 100644 index eb2f070d..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-unity7-launcher +++ /dev/null @@ -1,12 +0,0 @@ - abi , - - # - # Access required for connecting to/communicating with the Unity Launcher - # - dbus (send) - bus=session - interface="com.canonical.Unity.LauncherEntry" - member="Update", - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-unity7-messaging b/profiles/apparmor.d/abstractions/ubuntu-unity7-messaging deleted file mode 100644 index 21de3ff0..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-unity7-messaging +++ /dev/null @@ -1,12 +0,0 @@ - abi , - - # - # Access required for connecting to/communicating with the Unity messaging - # indicator - # - dbus (receive, send) - bus=session - path="/com/canonical/indicator/messages/*", - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/abstractions/ubuntu-xterm b/profiles/apparmor.d/abstractions/ubuntu-xterm deleted file mode 100644 index 07eacaba..00000000 --- a/profiles/apparmor.d/abstractions/ubuntu-xterm +++ /dev/null @@ -1,18 +0,0 @@ -# vim:syntax=apparmor -# -# for allowing access to xterm -# - - abi , - - include - /dev/ptmx rw, - /{,var/}run/utmp r, - /etc/X11/app-defaults/XTerm r, - - # do not use ux or Ux here. Use at a minimum ix - /usr/bin/xterm ix, - - - # Include additions to the abstraction - include if exists diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global index 3dd4bfdb..72311764 100644 
--- a/profiles/apparmor.d/tunables/global
+++ b/profiles/apparmor.d/tunables/global
@@ -13,7 +13,6 @@
 # should be included here
 include
-include
 include
 include
 include
diff --git a/profiles/apparmor.d/tunables/multiarch b/profiles/apparmor.d/tunables/multiarch
deleted file mode 100644
index 32fd1aa1..00000000
--- a/profiles/apparmor.d/tunables/multiarch
+++ /dev/null
@@ -1,17 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-# @{multiarch} is the set of patterns matching multi-arch library
-# install prefixes.
-@{multiarch}=*-linux-gnu*
-
-# Also, include files in tunables/multiarch.d for site and packaging
-# specific adjustments to @{multiarch}.
-include
diff --git a/profiles/apparmor.d/tunables/multiarch.d/site.local b/profiles/apparmor.d/tunables/multiarch.d/site.local
deleted file mode 100644
index 91877e2a..00000000
--- a/profiles/apparmor.d/tunables/multiarch.d/site.local
+++ /dev/null
@@ -1,14 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2011 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-# The following is a space-separated list of where additional multipath
-# prefixes are stored, each should not have a trailing '/'. Directories
-# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg:
-#@{multiarch}+=*-freebsd* s390-hurd-zomg
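Review bot: Removing the `include` of tunables/multiarch from tunables/global together with the file that defined `@{multiarch}=*-linux-gnu*` leaves no definition of the variable, so any out-of-tree profile or `local/` override that still references `@{multiarch}` becomes a parse error on its next load; depending on how the loader treats a failing profile, the program it confines may then run unconfined rather than under stale policy. The deleted tunables/multiarch.d/site.local shows the variable was offered as a site-extension point, so downstream references are likely; the same concern applies to out-of-tree profiles that include the `ubuntu-*` abstractions or transition to `sanitized_helper`, which this commit also deletes. Consider keeping a one-line compatibility definition in tunables/global, `@{multiarch}=*-linux-gnu*` with a comment marking it deprecated, for one release cycle, or at minimum calling the removal out in the release notes so packagers can audit their profiles before upgrading.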
diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
index c4e6d70c..c73ab39a 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -41,9 +41,6 @@ profile smbd /usr/{bin,sbin}/smbd {
 /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
 /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
 /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
- /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
- /usr/lib/@{multiarch}/samba/**/ r,
- /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
 /usr/share/samba/** r,
 /usr/{bin,sbin}/smbd mr,
 /usr/{bin,sbin}/smbldap-useradd Px,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
index b47b6f72..2c7b636a 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
+++ b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
@@ -275,22 +275,15 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
 profile sandbox {
 # Be fanatical since it is setuid root and don't use an abstraction
 /{usr/,}lib{,32,64}/libgcc_s.so* mr,
- /{usr/,}lib{,32,64}/@{multiarch}/libgcc_s.so* mr,
 /{usr/,}lib{,32,64}/libm-*.so* mr,
- /{usr/,}lib/@{multiarch}/libm-*.so* mr,
 /{usr/,}lib{,32,64}/libpthread-*.so* mr,
- /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
 /{usr/,}lib{,32,64}/libc-*.so* mr,
- /{usr/,}lib/@{multiarch}/libc-*.so* mr,
 /{usr/,}lib{,32,64}/libld-*.so* mr,
- /{usr/,}lib/@{multiarch}/libld-*.so* mr,
 /{usr/,}lib{,32,64}/ld-*.so* mr,
- /{usr/,}lib{,32,64}/@{multiarch}/ld-*.so* mr,
 /{usr/,}lib{,32,64}/tls/*/{cmov,nosegneg}/libm-*.so* mr,
 /{usr/,}lib{,32,64}/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
 /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
 /usr/lib{,32,64}/libstdc++.so* mr,
- /usr/lib{,32,64}/@{multiarch}/libstdc++.so* mr,
 /etc/ld.so.cache r,

 # Required for dropping into PID namespace. Keep in mind that until the
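Review bot: The three removed `/usr/lib/@{multiarch}/samba/...` rules have no visible replacement in this hunk, and the surviving `/usr/lib*/samba/` rules cannot stand in for them because `*` does not cross a `/`, so a module directory such as `/usr/lib/<triplet>/samba/` (the layout the tunable existed for) is no longer matched by anything in this profile. If abstractions/base, which this commit also modifies but which is not visible in this chunk, now grants `r` on directories and `mr` on `.so` files under the whole of `/usr/lib/**`, the removal is safe; otherwise Samba's loadable modules would be denied on multiarch systems and smbd would fail rather than be tightened. A literal replacement keeps the intent explicit without the tunable, e.g. `/usr/lib/*-linux-gnu*/samba/{,**/}*.so{,.[0-9]*} mr,` and `/usr/lib/*-linux-gnu*/samba/**/ r,`. The smbd profile body continues outside the hunk.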
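Review bot: The seven removed `@{multiarch}` lines were the only rules in the `sandbox` subprofile that match a `/lib/<triplet>/` or `/usr/lib/<triplet>/` path, and the comment directly above them says this subprofile deliberately includes no abstraction, so whatever abstractions/base gains elsewhere in this commit cannot backfill them. On a multiarch layout the setuid sandbox would then have no rule at all for its own libc, libm, libpthread, ld.so, libgcc_s or libstdc++ and would fail to start, which is a functional regression rather than a tightening. Substituting the tunable's literal value (`*-linux-gnu*`, as defined in the tunables/multiarch file deleted by this same commit) keeps the policy unchanged without the variable; the rewritten lines are below. The sandbox subprofile continues outside the hunk.
```apparmor
    # … unchanged: existing /{usr/,}lib{,32,64}/ rules …
    /{usr/,}lib{,32,64}/*-linux-gnu*/libgcc_s.so* mr,
    /{usr/,}lib/*-linux-gnu*/libm-*.so* mr,
    /{usr/,}lib/*-linux-gnu*/libpthread-*.so* mr,
    /{usr/,}lib/*-linux-gnu*/libc-*.so* mr,
    /{usr/,}lib/*-linux-gnu*/libld-*.so* mr,
    /{usr/,}lib{,32,64}/*-linux-gnu*/ld-*.so* mr,
    /usr/lib{,32,64}/*-linux-gnu*/libstdc++.so* mr,
    # … unchanged: tls/ rules, /etc/ld.so.cache, PID namespace rules …
```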
diff --git a/profiles/apparmor/profiles/extras/usr.bin.skype b/profiles/apparmor/profiles/extras/usr.bin.skype
index dce23e34..1ee381b6 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.skype
+++ b/profiles/apparmor/profiles/extras/usr.bin.skype
@@ -50,7 +50,6 @@ include
 /usr/share/skype/** kr,
 /usr/share/skype/**/*.qm mr,
 /usr/share/skype/sounds/*.wav kr,
- /usr/lib/@{multiarch}/pango/** mr,

 # For opening links in the browser (still requires explicit access to execute
 # the browser)
diff --git a/profiles/apparmor/profiles/extras/usr.bin.wireshark b/profiles/apparmor/profiles/extras/usr.bin.wireshark
index a835afb3..f52b51d4 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.wireshark
+++ b/profiles/apparmor/profiles/extras/usr.bin.wireshark
@@ -86,9 +86,6 @@ include
 /usr/share/wireshark/** r,
 /usr/share/GeoIP/ r,
 /usr/share/GeoIP/** r,
- /usr/lib/@{multiarch}/wireshark/extcap/* ix,
- /usr/lib/@{multiarch}/wireshark/plugins/**/ r,
- /usr/lib/@{multiarch}/wireshark/plugins/**.so mr,

 /usr/bin/dumpcap Px,

diff --git a/utils/logprof.conf b/utils/logprof.conf
index 88e2209b..0c779860 100644
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
@@ -149,7 +149,6 @@
 # if they use any perl modules, grant access to all
 ^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
- ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
 # locale foo
 ^/usr/lib/locale/.+$ = /usr/lib/locale/**
diff --git a/utils/test/logprof.conf b/utils/test/logprof.conf
index 71b50e48..e53f8332 100644
--- a/utils/test/logprof.conf
+++ b/utils/test/logprof.conf
@@ -101,7 +101,6 @@
 # if they use any perl modules, grant access to all
 ^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
- ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
 # locale foo
 ^/usr/lib/locale/.+$ = /usr/lib/locale/**
diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
index 89a5c3da..1fdf9da5 100644
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
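Review bot: Removing `/usr/lib/@{multiarch}/wireshark/extcap/* ix,` drops the only exec permission visible in this hunk for the extcap capture helpers under a multiarch library directory, and no abstraction-level `r`/`mr` rule can substitute for `ix`, so on that layout the extcap interfaces would be denied execution once this lands (the two `plugins/` lines may well be covered by the base-abstraction changes elsewhere in the commit, which are not visible here). If the goal is only to drop the variable, keep the rule with its literal value: `/usr/lib/*-linux-gnu*/wireshark/extcap/* ix,`. The wireshark profile body continues outside the hunk.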
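Review bot: Deleting the `^/usr/lib/[^\/]+/perl5?/.+$` mapping, rather than rewriting its right-hand side, means aa-logprof stops generalizing accesses under a per-architecture perl directory to a glob and will instead propose one literal path per observed file; the left-hand regex did not depend on the tunable, only the replacement did. Keeping the line as `^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/*-linux-gnu*/perl{,5}/**` preserves that behaviour. The identical line removed from utils/test/logprof.conf in the next hunk should be kept in sync with whatever is decided here.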
@@ -494,7 +494,6 @@ class AaTest_is_skippable_dir(AATest):
 ('/etc/apparmor.d/local/', False),
 ('tunables', False),
 ('/etc/apparmor.d/tunables', False),
- ('/etc/apparmor.d/tunables/multiarch.d', False),
 ('/etc/apparmor.d/tunables/xdg-user-dirs.d', False),
 ('/etc/apparmor.d/tunables/home.d', False),
 ('/etc/apparmor.d/abstractions', False),
diff --git a/utils/test/test-severity.py b/utils/test/test-severity.py
index 1e80ff10..d47d04f1 100755
--- a/utils/test/test-severity.py
+++ b/utils/test/test-severity.py
@@ -78,7 +78,6 @@ class SeverityVarsTest(SeverityBaseTest):
 tests = [
 (['@{PROC}/sys/vm/overcommit_memory', 'r'], 6),
 (['@{HOME}/sys/@{PROC}/overcommit_memory', 'r'], 4),
- (['/overco@{multiarch}mmit_memory', 'r'], 'unknown'),
 (['@{PROC}/sys/@{TFTP_DIR}/overcommit_memory', 'r'], 6),
 (['@{somepaths}/somefile', 'r'], 7),
 ]
@@ -87,7 +86,6 @@ class SeverityVarsTest(SeverityBaseTest):
 vars = {
 '@{HOME}': {'@{HOMEDIRS}/*/', '/root/'},
 '@{HOMEDIRS}': {'/home/', '/storage/'},
- '@{multiarch}': {'*-linux-gnu*'},
 '@{TFTP_DIR}': {'/var/tftp /srv/tftpboot'},
 '@{PROC}': {'/proc/'},
 '@{somepaths}': {'/home/foo/downloads', '@{HOMEDIRS}/foo/.ssh/'},
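Review bot: The removed case `(['/overco@{multiarch}mmit_memory', 'r'], 'unknown')` was the only entry in `tests` that exercises a variable embedded in the middle of a path component and the only one expecting the `'unknown'` result, so deleting it rather than re-targeting it loses that coverage of the severity lookup. The `vars` dict in the second hunk still defines `@{TFTP_DIR}` and `@{somepaths}`, so the case can be kept with one of those, e.g. `(['/overco@{TFTP_DIR}mmit_memory', 'r'], 'unknown'),` — this assumes the severity database has no entry matching the expanded path, which should be confirmed by running the test.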