Патч: apparmor-3.0.9-alt1.patch
binutils/Makefile | 2 +-
parser/Makefile | 10 +-
parser/apparmor.systemd | 29 ++++-
parser/profile-load | 4 +-
parser/rc.apparmor.functions | 1 +
profiles/Makefile | 4 +-
profiles/apparmor.d/abstractions/X | 5 +-
profiles/apparmor.d/abstractions/authentication | 13 +--
profiles/apparmor.d/abstractions/base | 23 ++--
profiles/apparmor.d/abstractions/bash | 2 +-
profiles/apparmor.d/abstractions/dri-common | 3 +-
profiles/apparmor.d/abstractions/exo-open | 2 +-
profiles/apparmor.d/abstractions/fonts | 1 -
profiles/apparmor.d/abstractions/gio-open | 2 +-
profiles/apparmor.d/abstractions/gnome | 21 ++--
profiles/apparmor.d/abstractions/gnupg | 1 -
profiles/apparmor.d/abstractions/kde | 12 ---
profiles/apparmor.d/abstractions/kde-open5 | 1 -
profiles/apparmor.d/abstractions/kerberosclient | 12 +--
profiles/apparmor.d/abstractions/mir | 22 ----
profiles/apparmor.d/abstractions/nameservice | 1 -
profiles/apparmor.d/abstractions/opencl-intel | 2 +-
profiles/apparmor.d/abstractions/opencl-mesa | 1 -
profiles/apparmor.d/abstractions/opencl-pocl | 5 -
profiles/apparmor.d/abstractions/p11-kit | 1 -
profiles/apparmor.d/abstractions/perl | 2 -
profiles/apparmor.d/abstractions/postfix-common | 7 +-
profiles/apparmor.d/abstractions/qt5 | 10 +-
profiles/apparmor.d/abstractions/ssl_certs | 12 +--
profiles/apparmor.d/abstractions/ssl_keys | 4 +-
.../abstractions/ubuntu-bittorrent-clients | 22 ----
profiles/apparmor.d/abstractions/ubuntu-browsers | 41 -------
.../ubuntu-browsers.d/chromium-browser | 26 -----
.../apparmor.d/abstractions/ubuntu-browsers.d/java | 118 ---------------------
.../apparmor.d/abstractions/ubuntu-browsers.d/kde | 9 --
.../abstractions/ubuntu-browsers.d/mailto | 11 --
.../abstractions/ubuntu-browsers.d/multimedia | 51 ---------
.../abstractions/ubuntu-browsers.d/plugins-common | 18 ----
.../abstractions/ubuntu-browsers.d/productivity | 26 -----
.../abstractions/ubuntu-browsers.d/text-editors | 16 ---
.../ubuntu-browsers.d/ubuntu-integration | 37 -------
.../ubuntu-browsers.d/ubuntu-integration-xul | 8 --
.../abstractions/ubuntu-browsers.d/user-files | 31 ------
.../abstractions/ubuntu-console-browsers | 23 ----
.../apparmor.d/abstractions/ubuntu-console-email | 23 ----
profiles/apparmor.d/abstractions/ubuntu-email | 29 -----
.../apparmor.d/abstractions/ubuntu-feed-readers | 15 ---
.../apparmor.d/abstractions/ubuntu-gnome-terminal | 15 ---
profiles/apparmor.d/abstractions/ubuntu-helpers | 93 ----------------
profiles/apparmor.d/abstractions/ubuntu-konsole | 22 ----
.../apparmor.d/abstractions/ubuntu-media-players | 65 ------------
.../apparmor.d/abstractions/ubuntu-unity7-base | 105 ------------------
.../apparmor.d/abstractions/ubuntu-unity7-launcher | 12 ---
.../abstractions/ubuntu-unity7-messaging | 12 ---
profiles/apparmor.d/abstractions/ubuntu-xterm | 18 ----
profiles/apparmor.d/tunables/global | 1 -
profiles/apparmor.d/tunables/multiarch | 17 ---
.../apparmor.d/tunables/multiarch.d/site.local | 14 ---
profiles/apparmor.d/usr.sbin.smbd | 3 -
.../profiles/extras/usr.bin.chromium-browser | 7 --
profiles/apparmor/profiles/extras/usr.bin.skype | 1 -
.../apparmor/profiles/extras/usr.bin.wireshark | 3 -
utils/logprof.conf | 1 -
utils/test/logprof.conf | 1 -
utils/test/test-aa.py | 1 -
utils/test/test-severity.py | 2 -
66 files changed, 82 insertions(+), 1030 deletions(-)
diff --git a/binutils/Makefile b/binutils/Makefile
index 3f1d0011..6538daea 100644
--- a/binutils/Makefile
+++ b/binutils/Makefile
@@ -53,7 +53,7 @@ HDRS =
BINTOOLS = aa-enabled aa-exec aa-features-abi
SBINTOOLS = aa-status
-AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
+AALIB = -lapparmor -lpthread
ifdef WITH_LIBINTL
AALIB += -lintl
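Review bot: The new AALIB line switches libapparmor to a dynamic link without recording why the upstream static link (`-Wl,-Bstatic … -Wl,-Bdynamic`) is dropped; parser/Makefile makes the same change to its AALIB and additionally removes `-static-libgcc -static-libstdc++` from AARE_LDFLAGS. Upstream presumably links these tools statically so that the parser and aa-status do not depend on a shared library that may sit on a filesystem not yet mounted when policy is loaded early in boot; whether that concern applies here depends on where this distribution installs libapparmor.so, which the hunk does not show. A one-line comment above the assignment, e.g. `# dynamic libapparmor: <reason specific to this distribution>`, would keep the next rebase from silently reverting it.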
diff --git a/parser/Makefile b/parser/Makefile
index 15f9d975..e9475c1f 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -26,7 +26,7 @@ DESTDIR=/
APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
SBINDIR=${DESTDIR}/sbin
USR_SBINDIR=${DESTDIR}/usr/sbin
-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
+SYSTEMD_UNIT_DIR=${DESTDIR}/lib/systemd/system
CONFDIR=/etc/apparmor
INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
LOCALEDIR=/usr/share/locale
@@ -112,8 +112,8 @@ OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o))
AAREDIR= libapparmor_re
AAREOBJECT = ${AAREDIR}/libapparmor_re.a
AAREOBJECTS = $(AAREOBJECT)
-AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. $(LDFLAGS)
-AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
+AARE_LDFLAGS = -L. $(LDFLAGS)
+AALIB = -lapparmor -lpthread
ifdef WITH_LIBINTL
AALIB += -lintl
@@ -408,6 +408,7 @@ endif
install:
$(MAKE) install-indep
$(MAKE) install-arch
+ $(MAKE) install-systemd
.PHONY: install-arch
install-arch: $(INSTALLDEPS)
@@ -429,7 +430,8 @@ install-indep: indep
install-systemd:
install -m 755 -d $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
- install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)
+ install -m 755 apparmor.systemd -D $(DESTDIR)/etc/rc.d/init.d/apparmor
+ ln -rs $(DESTDIR)/etc/rc.d/init.d/apparmor $(APPARMOR_BIN_PREFIX)/apparmor.systemd
install -m 755 -d $(USR_SBINDIR)
install -m 755 aa-teardown $(USR_SBINDIR)
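Review bot: The added `ln -rs` line is not idempotent: a second `make install` into the same DESTDIR fails because the link already exists, and nothing in `install-systemd` creates `$(APPARMOR_BIN_PREFIX)` before the link is placed there (install-arch may do so, but this target is also invoked on its own). Use `ln -rsf $(DESTDIR)/etc/rc.d/init.d/apparmor $(APPARMOR_BIN_PREFIX)/apparmor.systemd` and add `install -m 755 -d $(APPARMOR_BIN_PREFIX)` above it. The `-D` after the source file works with GNU install, but `install -D -m 755 apparmor.systemd $(DESTDIR)/etc/rc.d/init.d/apparmor` matches the option-first form used on the surrounding lines.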
diff --git a/parser/apparmor.systemd b/parser/apparmor.systemd
index 09d57924..92808795 100644
--- a/parser/apparmor.systemd
+++ b/parser/apparmor.systemd
@@ -14,6 +14,24 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
+# chkconfig: 2345 01 99
+# description: AppArmor rc file. This rc script inserts the apparmor \
+# module and runs the parser on the /etc/apparmor.d/ \
+# directory.
+#
+### BEGIN INIT INFO
+# Provides: apparmor
+# Required-Start:
+# Required-Stop:
+# Should-Start: $local_fs
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop:
+# Short-Description: AppArmor initialization
+# Description: AppArmor rc file. This rc script inserts the apparmor
+# module and runs the parser on the /etc/apparmor.d/
+# directory.
+### END INIT INFO
APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
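Review bot: The new LSB block leaves `Required-Start:` empty and only lists `Should-Start: $local_fs`, while the script sources `/lib/apparmor/rc.apparmor.functions` and, per its own description, loads policy from `/etc/apparmor.d/`; if either can live on a filesystem brought up by the local_fs stage, `Required-Start: $local_fs` states that dependency instead of a soft ordering hint. The `chkconfig: 2345 01 99` line also starts the script at the earliest priority, which is what policy loading wants, so the two headers should express the same requirement. Whether the init system here honours the LSB block or the chkconfig line is not visible from the hunk.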
@@ -69,10 +87,11 @@ else
exit 1
fi
+SD_DETECT_VIRT=/usr/bin/systemd-detect-virt
case "$1" in
start)
- if [ -x /usr/bin/systemd-detect-virt ] && \
- systemd-detect-virt --quiet --container && \
+ if [ -x "$SD_DETECT_VIRT" ] && \
+ "$SD_DETECT_VIRT" --quiet --container && \
! is_container_with_internal_policy; then
aa_log_daemon_msg "Not starting AppArmor in container"
aa_log_end_msg 0
@@ -86,8 +105,8 @@ case "$1" in
rc=$?
;;
restart|reload|force-reload)
- if [ -x /usr/bin/systemd-detect-virt ] && \
- systemd-detect-virt --quiet --container && \
+ if [ -x "$SD_DETECT_VIRT" ] && \
+ "$SD_DETECT_VIRT" --quiet --container && \
! is_container_with_internal_policy; then
aa_log_daemon_msg "Not starting AppArmor in container"
aa_log_end_msg 0
@@ -96,7 +115,7 @@ case "$1" in
apparmor_restart
rc=$?
;;
- try-restart)
+ try-restart|condrestart)
apparmor_try_restart
rc=$?
;;
diff --git a/parser/profile-load b/parser/profile-load
index 2663c04d..784da090 100755
--- a/parser/profile-load
+++ b/parser/profile-load
@@ -23,8 +23,10 @@
. /lib/apparmor/rc.apparmor.functions
+SD_DETECT_VIRT=/usr/bin/systemd-detect-virt
+
# do not load in a container
-[ -x /usr/bin/systemd-detect-virt ] && systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
+[ -x $SD_DETECT_VIRT ] && $SD_DETECT_VIRT --quiet --container && ! is_container_with_internal_policy && exit 0 || true
[ -d /rofs/etc/apparmor.d ] && exit 0 # do not load if running liveCD
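Review bot: The new line expands `$SD_DETECT_VIRT` unquoted in both the `-x` test and the command, whereas the same check added to apparmor.systemd quotes it; with an empty value `[ -x ]` evaluates to true and the following word becomes the command to run. Match the other script: `[ -x "$SD_DETECT_VIRT" ] && "$SD_DETECT_VIRT" --quiet --container && ! is_container_with_internal_policy && exit 0 || true`.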
diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions
index c11a5a93..eda3e5af 100644
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -82,6 +82,7 @@ is_apparmor_present() {
# container's boot process to experience failed policy loads but the boot
# process should continue without any loss of functionality. This is an
# unsupported configuration that cannot be properly handled by this function.
+SD_DETECT_VIRT=/usr/bin/systemd-detect-virt
is_container_with_internal_policy() {
# this function is sometimes called independently of
# is_apparmor_loaded(), so also define this here.
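Review bot: `SD_DETECT_VIRT` is assigned between the comment block documenting `is_container_with_internal_policy()` and the function itself, so the comment now reads as if it described the variable; move the assignment above the comment, next to the file's other top-level settings. Both apparmor.systemd and profile-load source this file and then assign the same value again, so one definition here would suffice unless the callers need it before sourcing. The function body is outside the hunk, so whether it uses the variable cannot be seen from here.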
diff --git a/profiles/Makefile b/profiles/Makefile
index f8fa10be..e3ee99cf 100644
--- a/profiles/Makefile
+++ b/profiles/Makefile
@@ -92,11 +92,9 @@ install: local
for dir in ${SUBDIRS} ; do \
install -m 755 -d "${PROFILES_DEST}/$${dir#${PROFILES_SOURCE}}" ; \
done
- for file in $$(find ${PROFILES_SOURCE} -type f -print) ; do \
+ for file in $$(find ${ABSTRACTIONS_SOURCE} ${PROFILES_SOURCE}/abi ${PROFILES_SOURCE}/tunables -type f -print) ; do \
install -m 644 "$${file}" "${PROFILES_DEST}/$$(dirname $${file#${PROFILES_SOURCE}})" ; \
done
- install -m 755 -d ${EXTRAS_DEST}
- install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST}
LOCAL_ADDITIONS=$(filter-out ${PROFILES_SOURCE}/local/README, $(wildcard ${PROFILES_SOURCE}/local/*))
.PHONY: clean
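Review bot: The rewritten `for file in` loop installs only abstractions, abi and tunables, but the preceding `for dir in ${SUBDIRS}` loop (the `install` recipe starts above the hunk) still creates a directory for every subdirectory of the source tree, so empty directories for the no-longer-installed profile sets are still laid down. The `$${file#${PROFILES_SOURCE}}` stripping also assumes `${ABSTRACTIONS_SOURCE}` lies under `${PROFILES_SOURCE}`; if it is defined elsewhere as a different root, those files would be installed under `${PROFILES_DEST}` with their unstripped path. A comment on the loop line stating why the top-level profiles and extras are no longer installed, e.g. `# only shared abstractions/abi/tunables are installed here: <reason>`, would document the intent for the next rebase.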
diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X
index ead10d9a..7f0774cd 100644
--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@@ -42,13 +42,12 @@
/usr/include/X11/** r,
# The X tree changes and is large -- grant read access to the whole thing
- /usr/X11R6/** r,
/usr/share/X11/ r,
/usr/share/X11/** r,
- /usr/X11R6/**.so* mr,
+ /usr/lib{,64}/X11/**.so* mr,
# EGL
- /usr/lib/@{multiarch}/egl/*.so* mr,
+ /usr/lib{,64}/egl/*.so* mr,
# Xcompose
owner @{HOME}/.XCompose r,
diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication
index d5dbd83a..f779b31d 100644
--- a/profiles/apparmor.d/abstractions/authentication
+++ b/profiles/apparmor.d/abstractions/authentication
@@ -22,19 +22,16 @@
@{etc_ro}/security/* r,
@{etc_ro}/shadow r,
@{etc_ro}/gshadow r,
+ @{etc_ro}/tcb/*/shadow r,
+ @{etc_ro}/pwdb.conf r,
@{etc_ro}/pwdb.conf r,
- /{usr/,}lib{,32,64}/security/pam_filter/* mr,
- /{usr/,}lib{,32,64}/security/pam_*.so mr,
- /{usr/,}lib{,32,64}/security/ r,
- /{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
- /{usr/,}lib/@{multiarch}/security/pam_*.so mr,
- /{usr/,}lib/@{multiarch}/security/ r,
+ /{usr/,}lib{,64}/security/pam_filter/* mr,
+ /{usr/,}lib{,64}/security/pam_*.so mr,
+ /{usr/,}lib{,64}/security/ r,
# kerberos
include <abstractions/kerberosclient>
- # SuSE's pwdutils are different:
- @{etc_ro}/default/passwd r,
@{etc_ro}/login.defs r,
@{etc_ro}/login.defs.d/ r,
@{etc_ro}/login.defs.d/*.defs r,
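Review bot: The added `@{etc_ro}/pwdb.conf r,` duplicates the unchanged line immediately after it; drop one of the two. The new `@{etc_ro}/tcb/*/shadow r,` grants every profile including this abstraction read access to all users' tcb shadow files, which is no broader than the existing `@{etc_ro}/shadow r,` but deserves a comment naming the consumer, e.g. `# tcb shadow suite (presumably pam_tcb)`.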
diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base
index f36a5f86..c901b91f 100644
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@@ -47,11 +47,9 @@
# anything when reading so this is ok.
@{run}/systemd/journal/stdout rw,
- /usr/lib{,32,64}/locale/** mr,
- /usr/lib{,32,64}/gconv/*.so mr,
- /usr/lib{,32,64}/gconv/gconv-modules* mr,
- /usr/lib/@{multiarch}/gconv/*.so mr,
- /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
+ /usr/lib{,64}/locale/** mr,
+ /usr/lib{,64}/gconv/*.so mr,
+ /usr/lib{,64}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
@{etc_ro}/bindresvport.blacklist r,
@@ -62,24 +60,17 @@
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
- /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
- /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
+ /{usr/,}lib{,64}/ld{,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
- /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
- /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
# we might as well allow everything to use common libraries
- /{usr/,}lib{,32,64}/** r,
- /{usr/,}lib{,32,64}/**.so* mr,
- /{usr/,}lib/@{multiarch}/** r,
- /{usr/,}lib/@{multiarch}/**.so* mr,
+ /{usr/,}lib{,64}/** r,
+ /{usr/,}lib{,64}/**.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
- /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# FIPS-140-2 versions of some crypto libraries need to access their
# associated integrity verification file, or they will abort.
- /{usr/,}lib{,32,64}/.lib*.so*.hmac r,
- /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
+ /{usr/,}lib{,64}/.lib*.so*.hmac r,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
diff --git a/profiles/apparmor.d/abstractions/bash b/profiles/apparmor.d/abstractions/bash
index 89c1cf1e..692e7d70 100644
--- a/profiles/apparmor.d/abstractions/bash
+++ b/profiles/apparmor.d/abstractions/bash
@@ -18,7 +18,6 @@
@{HOME}/.bash_history rw,
# system-wide bash configuration
- /etc/profile.dos r,
/etc/profile r,
/etc/profile.d/ r,
/etc/profile.d/* r,
@@ -28,6 +27,7 @@
/etc/bash_completion r,
/etc/bash_completion.d/ r,
/etc/bash_completion.d/* r,
+ /usr/share/bash_completion.d/** r,
# bash relies on system-wide readline configuration
/etc/inputrc r,
diff --git a/profiles/apparmor.d/abstractions/dri-common b/profiles/apparmor.d/abstractions/dri-common
index cd9542b0..9d857e24 100644
--- a/profiles/apparmor.d/abstractions/dri-common
+++ b/profiles/apparmor.d/abstractions/dri-common
@@ -5,8 +5,7 @@
# This file contains common DRI-specific rules useful for GUI applications
# (needed by libdrm and similar).
- /usr/lib{,32,64}/dri/** mr,
- /usr/lib/@{multiarch}/dri/** mr,
+ /usr/lib{,64}/dri/** mr,
/usr/lib/fglrx/dri/** mr,
/dev/dri/ r,
/dev/dri/** rw,
diff --git a/profiles/apparmor.d/abstractions/exo-open b/profiles/apparmor.d/abstractions/exo-open
index 2ce38e5f..0090c446 100644
--- a/profiles/apparmor.d/abstractions/exo-open
+++ b/profiles/apparmor.d/abstractions/exo-open
@@ -45,7 +45,7 @@
# Main executables
/usr/bin/exo-open rix,
- /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
+ /usr/lib{,64}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
# Other executables
diff --git a/profiles/apparmor.d/abstractions/fonts b/profiles/apparmor.d/abstractions/fonts
index 46324dbb..a0c76840 100644
--- a/profiles/apparmor.d/abstractions/fonts
+++ b/profiles/apparmor.d/abstractions/fonts
@@ -14,7 +14,6 @@
/usr/share/AbiSuite/fonts/** r,
- /usr/lib/xorg/modules/fonts/**.so* mr,
/usr/share/fonts/{,**} r,
/usr/share/fonts-*/{,**} r,
diff --git a/profiles/apparmor.d/abstractions/gio-open b/profiles/apparmor.d/abstractions/gio-open
index fda1fb9e..e13bf5bb 100644
--- a/profiles/apparmor.d/abstractions/gio-open
+++ b/profiles/apparmor.d/abstractions/gio-open
@@ -39,7 +39,7 @@
/usr/bin/gio rix,
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
- /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
+ /usr/lib{,64}/glib-[0-9]*/gio-launch-desktop ix,
# System files
diff --git a/profiles/apparmor.d/abstractions/gnome b/profiles/apparmor.d/abstractions/gnome
index 94f3da63..0b84b3cf 100644
--- a/profiles/apparmor.d/abstractions/gnome
+++ b/profiles/apparmor.d/abstractions/gnome
@@ -23,13 +23,11 @@
# systemwide gtk defaults
/etc/gnome/gtkrc* r,
/etc/gtk/* r,
- /usr/lib{,32,64}/gtk/** mr,
- /usr/lib/@{multiarch}/gtk/** mr,
- /usr/lib{,32,64}/gtk-[0-9]*/** mr,
- /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
+ /usr/lib{,64}/gtk/** mr,
+ /usr/lib{,64}/gtk-[0-9]*/** mr,
/usr/share/themes/ r,
/usr/share/themes/** r,
- /usr/share/gtk-3.0/settings.ini r,
+ /usr/share/gtk-[0-9]*/settings.ini r,
# for gnome 1 applications
/etc/orbitrc r,
@@ -38,12 +36,9 @@
/etc/fonts/* r,
/etc/gtk-*/* r,
/etc/pango/* r,
- /usr/lib{,32,64}/pango/** mr,
- /usr/lib{,32,64}/gtk-*/** mr,
- /usr/lib{,32,64}/gdk-pixbuf-*/** mr,
- /usr/lib/@{multiarch}/pango/** mr,
- /usr/lib/@{multiarch}/gtk-*/** mr,
- /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
+ /usr/lib{,64}/pango/** mr,
+ /usr/lib{,64}/gtk-*/** mr,
+ /usr/lib{,64}/gdk-pixbuf-*/** mr,
# per-user gtk configuration
owner @{HOME}/.config/gtk-3.0/ w,
@@ -72,6 +67,7 @@
# GtkComposeTable
owner @{HOME}/.cache/gtk-3.0/** r,
+ owner @{HOME}/.cache/gtk-4.0/** r,
# icon caches
/var/cache/**/icon-theme.cache r,
@@ -84,8 +80,7 @@
# gnome VFS modules
/etc/gnome-vfs-2.0/modules/ r,
/etc/gnome-vfs-2.0/modules/* r,
- /usr/lib/gnome-vfs-2.0/modules/*.so mr,
- /usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
+ /usr/lib{,64}/gnome-vfs-2.0/modules/*.so mr,
# gvfs
/usr/share/gvfs/remote-volume-monitors/ r,
diff --git a/profiles/apparmor.d/abstractions/gnupg b/profiles/apparmor.d/abstractions/gnupg
index 050f0435..27e83a07 100644
--- a/profiles/apparmor.d/abstractions/gnupg
+++ b/profiles/apparmor.d/abstractions/gnupg
@@ -9,7 +9,6 @@
owner @{HOME}/.gnupg/pubring.kbx r,
owner @{HOME}/.gnupg/random_seed rw,
owner @{HOME}/.gnupg/secring.gpg r,
- owner @{HOME}/.gnupg/so/*.x86_64 mr,
owner @{HOME}/.gnupg/trustdb.gpg rw,
# Include additions to the abstraction
diff --git a/profiles/apparmor.d/abstractions/kde b/profiles/apparmor.d/abstractions/kde
index 5514e632..aaf895f2 100644
--- a/profiles/apparmor.d/abstractions/kde
+++ b/profiles/apparmor.d/abstractions/kde
@@ -54,17 +54,10 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/lib*/kde3/plugins/styles/ r,
/usr/lib*/kde3/plugins/styles/* mr,
/usr/lib*/kde3/lib*so* mr,
-/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
-/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
-/usr/lib/@{multiarch}/kde3/lib*so* mr,
/usr/lib*/qt3/lib*/lib*so* mr,
/usr/lib*/qt3/plugins/** mr,
-/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
-/usr/lib/@{multiarch}/qt3/plugins/** mr,
/usr/lib*/libqt-mt*so* mr,
/usr/lib*/libqui*so* mr,
-/usr/lib/@{multiarch}/libqt-mt*so* mr,
-/usr/lib/@{multiarch}/libqui*so* mr,
/usr/share/qt3/lib*/libqt-mt*so* mr,
/usr/share/qt3/lib*/libqui*so* mr,
@@ -72,13 +65,8 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/lib*/kde4/plugins/*/*.so mr,
/usr/lib*/kde4/plugins/*/ r,
/usr/lib*/kde4/lib*so* mr,
-/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
-/usr/lib/@{multiarch}/kde4/plugins/*/ r,
-/usr/lib/@{multiarch}/kde4/lib*so* mr,
/usr/lib*/qt4/lib*/lib*so* mr,
/usr/lib*/qt4/plugins/** mr,
-/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
-/usr/lib/@{multiarch}/qt4/plugins/** mr,
/usr/share/qt4/** r,
# Include additions to the abstraction
diff --git a/profiles/apparmor.d/abstractions/kde-open5 b/profiles/apparmor.d/abstractions/kde-open5
index 5f4e0f75..819316b9 100644
--- a/profiles/apparmor.d/abstractions/kde-open5
+++ b/profiles/apparmor.d/abstractions/kde-open5
@@ -58,7 +58,6 @@
# Main executables
/usr/bin/kde-open5 rix,
- /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
# DBus
diff --git a/profiles/apparmor.d/abstractions/kerberosclient b/profiles/apparmor.d/abstractions/kerberosclient
index 386e8c11..c1104906 100644
--- a/profiles/apparmor.d/abstractions/kerberosclient
+++ b/profiles/apparmor.d/abstractions/kerberosclient
@@ -12,15 +12,11 @@
abi <abi/3.0>,
# files required by kerberos client programs
- /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
- /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
- /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
- /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
+ /usr/lib{,64}/krb5/plugins/libkrb5/ r,
+ /usr/lib{,64}/krb5/plugins/libkrb5/* mr,
- /usr/lib{,32,64}/krb5/plugins/preauth/ r,
- /usr/lib{,32,64}/krb5/plugins/preauth/* mr,
- /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
- /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
+ /usr/lib{,64}/krb5/plugins/preauth/ r,
+ /usr/lib{,64}/krb5/plugins/preauth/* mr,
/etc/krb5.keytab rk,
/etc/krb5.conf r,
diff --git a/profiles/apparmor.d/abstractions/mir b/profiles/apparmor.d/abstractions/mir
deleted file mode 100644
index 4ccc22ee..00000000
--- a/profiles/apparmor.d/abstractions/mir
+++ /dev/null
@@ -1,22 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2015 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
- abi <abi/3.0>,
-
- # mir libraries sometimes do not have a lib prefix
- # see LP: #1422521
- /usr/lib/@{multiarch}/mir/*.so* mr,
- /usr/lib/@{multiarch}/mir/**/*.so* mr,
-
- # unprivileged mir socket for clients
-
- # Include additions to the abstraction
- include if exists <abstractions/mir.d>
diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index 7f53f2eb..1893795f 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -62,7 +62,6 @@
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/{usr/,}lib{,32,64}/libnss_*.so* mr,
- /{usr/,}lib/@{multiarch}/libnss_*.so* mr,
@{etc_ro}/default/nss r,
# avahi-daemon is used for mdns4 resolution
diff --git a/profiles/apparmor.d/abstractions/opencl-intel b/profiles/apparmor.d/abstractions/opencl-intel
index 4d047233..cb07984c 100644
--- a/profiles/apparmor.d/abstractions/opencl-intel
+++ b/profiles/apparmor.d/abstractions/opencl-intel
@@ -16,7 +16,7 @@
/dev/dri/card[0-9]* rw, # beignet/libcl.so
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
- /usr/lib/@{multiarch}/beignet/** r,
+ /usr/lib{,64}/beignet/** r,
# Include additions to the abstraction
diff --git a/profiles/apparmor.d/abstractions/opencl-mesa b/profiles/apparmor.d/abstractions/opencl-mesa
index a5cada61..7704c371 100644
--- a/profiles/apparmor.d/abstractions/opencl-mesa
+++ b/profiles/apparmor.d/abstractions/opencl-mesa
@@ -8,7 +8,6 @@
# Additional libraries
- /usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
/usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
# System files
diff --git a/profiles/apparmor.d/abstractions/opencl-pocl b/profiles/apparmor.d/abstractions/opencl-pocl
index 8b93b0dc..6fc14d07 100644
--- a/profiles/apparmor.d/abstractions/opencl-pocl
+++ b/profiles/apparmor.d/abstractions/opencl-pocl
@@ -7,7 +7,6 @@
# Executables
- /usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
# System files
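Review bot: This hunk and the two that follow delete the `ld.bfd` rules outright instead of dropping only the `@{multiarch}-` alternation, so a confined pocl process loses the `Cx -> opencl_pocl_ld` transition here and the child profile's own `mr`/`ix` grants on the linker in the later hunks; if the `opencl_pocl_ld` child profile definition survives elsewhere in the file, it is now unreferenced. If only the multiarch prefix was meant to go, the equivalent lines are `/usr/bin/ld.bfd Cx -> opencl_pocl_ld,`, `/usr/bin/ld.bfd mr,` and `/usr/bin/ld.bfd ix,` in the respective hunks. If the removal is deliberate, a short comment under `# Executables` saying so would stop a later reviewer from re-adding the rule.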
@@ -47,8 +46,6 @@
# Main executables
- /usr/bin/{,@{multiarch}-}ld.bfd mr,
-
# User files
owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
@@ -64,8 +61,6 @@
# Additional executables
- /usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
-
# System files
/etc/debian-version r,
diff --git a/profiles/apparmor.d/abstractions/p11-kit b/profiles/apparmor.d/abstractions/p11-kit
index 29696815..d0c34066 100644
--- a/profiles/apparmor.d/abstractions/p11-kit
+++ b/profiles/apparmor.d/abstractions/p11-kit
@@ -16,7 +16,6 @@
/etc/pkcs11/modules/* r,
/usr/lib{,32,64}/pkcs11/*.so mr,
- /usr/lib/@{multiarch}/pkcs11/*.so mr,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
diff --git a/profiles/apparmor.d/abstractions/perl b/profiles/apparmor.d/abstractions/perl
index 39718535..2d74006f 100644
--- a/profiles/apparmor.d/abstractions/perl
+++ b/profiles/apparmor.d/abstractions/perl
@@ -17,8 +17,6 @@
/usr/lib{,32,64}/perl5/** r,
/usr/lib{,32,64}/perl{,5}/**.so* mr,
- /usr/lib/@{multiarch}/perl{,5,-base}/** r,
- /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
/usr/share/perl/** r,
/usr/share/perl5/** r,
diff --git a/profiles/apparmor.d/abstractions/postfix-common b/profiles/apparmor.d/abstractions/postfix-common
index 68d4f7a8..072c1096 100644
--- a/profiles/apparmor.d/abstractions/postfix-common
+++ b/profiles/apparmor.d/abstractions/postfix-common
@@ -29,15 +29,12 @@
/etc/postfix/*.lmdb rk,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
- /usr/lib{,32,64}/sasl2/* mr,
- /usr/lib{,32,64}/sasl2/ r,
- /usr/lib/@{multiarch}/sasl2/* mr,
- /usr/lib/@{multiarch}/sasl2/ r,
+ /usr/lib{,32,64}/sasl2*/* mr,
+ /usr/lib{,32,64}/sasl2*/ r,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/var/spool/postfix/etc/* r,
/var/spool/postfix/lib/lib*.so* mr,
- /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
/etc/postfix/dynamicmaps.cf.d/ r,
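Review bot: The rewritten sasl2 lines keep `lib{,32,64}` and widen the directory to `sasl2*/`, while every other abstraction touched by this patch normalizes to `lib{,64}` (base, gnome, kerberosclient, qt5 and others); the surviving lines in nameservice, p11-kit and perl likewise keep `{,32,64}`. If `/usr/lib32` does not exist on this distribution the alternation is harmless but inconsistent. If `sasl2*` is meant to match one specific versioned directory, naming it (e.g. `sasl2{,-<suffix used here>}`) is narrower than a glob that also matches any `sasl2-…` directory and grants `mr` on everything inside it.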
diff --git a/profiles/apparmor.d/abstractions/qt5 b/profiles/apparmor.d/abstractions/qt5
index 83dc00c4..5e35b21c 100644
--- a/profiles/apparmor.d/abstractions/qt5
+++ b/profiles/apparmor.d/abstractions/qt5
@@ -5,16 +5,16 @@
# Additional libraries
- /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
- /usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
- /usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
+ /usr/lib{,64}/qt5/plugins/**.so mr,
+ /usr/lib{,64}/qt5/qml/**.so mr,
+ /usr/lib{,64}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
# System files
/etc/xdg/QtProject/qtlogging.ini r,
/usr/share/qt5/translations/*.qm r,
- /usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
- /usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
+ /usr/lib{,64}/qt5/plugins/** r,
+ /usr/lib{,64}/qt5/qml/** r,
# User files
diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs
index 82e532b3..95e02bec 100644
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -12,15 +12,15 @@
abi <abi/3.0>,
/etc/ca-certificates/{,**} r,
- /etc/{,libre}ssl/ r,
- /etc/{,libre}ssl/cert.pem r,
- /etc/{,libre}ssl/certs/{,**} r,
+ /etc/{open,libre}ssl/ r,
+ /etc/{open,libre}ssl/cert.pem r,
+ /etc/{open,libre}ssl/certs/{,**} r,
/{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
- /{etc,usr/share}/pki/trust/{,*} r,
- /{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
+ /{etc,usr/share}/pki/ca-trust/{,*} r,
+ /{etc,usr/share}/pki/ca-trust/{bl[oa]cklist,anchors,extracted}/{,**} r,
/usr/share/ca-certificates/{,**} r,
/usr/share/ssl/certs/ca-bundle.crt r,
- /usr/local/share/ca-certificates/{,**} r,
+ /usr/share/ca-certificates/{,**} r,
/var/lib/ca-certificates/{,**} r,
# acmetool
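Review bot: The new `/usr/share/ca-certificates/{,**} r,` duplicates the unchanged line two above it, so this hunk replaces the `/usr/local/share/ca-certificates` grant with a no-op; if locally installed CA bundles under /usr/local are meant to stay readable, keep the original line, otherwise drop the duplicate. The `/etc/{open,libre}ssl/` rewrite also removes the plain `/etc/ssl/` paths; since AppArmor mediates the resolved path, a symlinked /etc/ssl pointing into /etc/openssl is unaffected, but a real /etc/ssl directory would now be denied — which of the two this distribution has is not visible from the hunk.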
diff --git a/profiles/apparmor.d/abstractions/ssl_keys b/profiles/apparmor.d/abstractions/ssl_keys
index f310bb5a..e866df76 100644
--- a/profiles/apparmor.d/abstractions/ssl_keys
+++ b/profiles/apparmor.d/abstractions/ssl_keys
@@ -15,8 +15,8 @@
# Just include the whole /etc/ssl directory if we should have access to
# private keys too
- /etc/ssl/ r,
- /etc/ssl/** r,
+ /etc/openssl/ r,
+ /etc/openssl/** r,
# acmetool
/var/lib/acme/live/* r,
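Review bot: The comment above the changed lines still says "Just include the whole /etc/ssl directory" while the rules now cover `/etc/openssl/`; update it to `# Just include the whole /etc/openssl directory if we should have access to`. The comment begins on the hunk's first context line.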
diff --git a/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients b/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients
deleted file mode 100644
index 0d929ad6..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients
+++ /dev/null
@@ -1,22 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction for allowing graphical bittorrent clients in Ubuntu
-#
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- /usr/bin/azureus Cxr -> sanitized_helper,
- /usr/bin/bitstormlite Cxr -> sanitized_helper,
- /usr/bin/btmaketorrentgui Cxr -> sanitized_helper,
- /usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper,
- /usr/bin/gnome-btdownload Cxr -> sanitized_helper,
- /usr/bin/kget Cxr -> sanitized_helper,
- /usr/bin/ktorrent Cxr -> sanitized_helper,
- /usr/bin/qbittorrent Cxr -> sanitized_helper,
- /usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper,
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-bittorrent-clients.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers b/profiles/apparmor.d/abstractions/ubuntu-browsers
deleted file mode 100644
index c2c710a1..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers
+++ /dev/null
@@ -1,41 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction for allowing access to graphical browsers in Ubuntu
-#
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- /usr/bin/arora Cx -> sanitized_helper,
- /usr/bin/dillo Cx -> sanitized_helper,
- /usr/bin/Dooble Cx -> sanitized_helper,
- /usr/bin/epiphany Cx -> sanitized_helper,
- /usr/bin/epiphany-browser Cx -> sanitized_helper,
- /usr/bin/epiphany-webkit Cx -> sanitized_helper,
- /usr/lib/fennec-*/fennec Cx -> sanitized_helper,
- /usr/bin/kazehakase Cx -> sanitized_helper,
- /usr/bin/konqueror Cx -> sanitized_helper,
- /usr/bin/midori Cx -> sanitized_helper,
- /usr/bin/netsurf Cx -> sanitized_helper,
- /usr/bin/seamonkey Cx -> sanitized_helper,
- /usr/bin/sensible-browser Pixr,
-
- /usr/bin/chromium{,-browser} Cx -> sanitized_helper,
- /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper,
-
- # this should cover all firefox browsers and versions (including shiretoko
- # and abrowser)
- /usr/bin/firefox Cxr -> sanitized_helper,
- /usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper,
-
- # Iceweasel
- /usr/bin/iceweasel Cxr -> sanitized_helper,
- /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
-
- # some unpackaged, but popular browsers
- /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
- /usr/bin/opera Cx -> sanitized_helper,
- /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
deleted file mode 100644
index 95724f1a..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
+++ /dev/null
@@ -1,26 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2020 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# Author: Jamie Strandboge <jamie@canonical.com>
-
-# For site-specific adjustments, please see:
-# /etc/apparmor.d/local/chromium-browser
-
-abi <abi/3.0>,
-
-include <abstractions/ubuntu-browsers.d/plugins-common>
-include <abstractions/ubuntu-browsers.d/mailto>
-include <abstractions/ubuntu-browsers.d/multimedia>
-include <abstractions/ubuntu-browsers.d/productivity>
-include <abstractions/ubuntu-browsers.d/java>
-include <abstractions/ubuntu-browsers.d/kde>
-include <abstractions/ubuntu-browsers.d/text-editors>
-include <abstractions/ubuntu-browsers.d/ubuntu-integration>
-include <abstractions/ubuntu-browsers.d/user-files>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
deleted file mode 100644
index 507d62a0..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+++ /dev/null
@@ -1,118 +0,0 @@
-# vim:syntax=apparmor
-
- abi <abi/3.0>,
-
- # Java plugin
- owner @{HOME}/.java/deployment/deployment.properties k,
- /etc/java-*/ r,
- /etc/java-*/** r,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
- /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
- /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
- /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
- owner /{,var/}run/user/*/icedteaplugin-*/ rw,
- owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
-
- # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
- # unfortunate workarounds of the proprietary Javas, so have a separate
- # profile.
- profile browser_openjdk {
- include <abstractions/base>
- include <abstractions/fonts>
- include <abstractions/gnome>
- include <abstractions/kde>
- include <abstractions/nameservice>
- include <abstractions/ssl_certs>
- include <abstractions/user-tmp>
- include <abstractions/private-files-strict>
-
- network inet stream,
- network inet6 stream,
- @{PROC}/@{pid}/net/if_inet6 r,
- @{PROC}/@{pid}/net/ipv6_route r,
-
- /etc/java-*/ r,
- /etc/java-*/** r,
- /etc/lsb-release r,
- /etc/ssl/certs/java/* r,
- /etc/timezone r,
-
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/filesystems r,
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/cpu/** r,
- /usr/share/** r,
- /var/lib/dbus/machine-id r,
-
- /usr/bin/env ix,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
- /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
-
- # Why would java need this?
- deny /usr/bin/gconftool-2 x,
-
- owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
- owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
- owner @{HOME}/ r,
- owner @{HOME}/** rwk,
- }
-
- # Profile for commercial Javas. These need workarounds to work right (eg
- # Sun's forcing of an executable stack (LP: #535247)).
- profile browser_java {
- include <abstractions/base>
- include <abstractions/fonts>
- include <abstractions/gnome>
- include <abstractions/kde>
- include <abstractions/nameservice>
- include <abstractions/ssl_certs>
- include <abstractions/user-tmp>
- include <abstractions/private-files-strict>
-
- network inet stream,
- network inet6 stream,
- @{PROC}/@{pid}/net/if_inet6 r,
- @{PROC}/@{pid}/net/ipv6_route r,
- @{PROC}/loadavg r,
-
- /etc/debian_version r,
- /etc/java-*/ r,
- /etc/java-*/** r,
- /etc/lsb-release r,
- /etc/ssl/certs/java/* r,
- /etc/timezone r,
-
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/filesystems r,
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/cpu/** r,
- /usr/share/** r,
- /var/lib/dbus/machine-id r,
-
- /usr/bin/env ix,
- /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
- /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
- /usr/lib/j2*-ibm/jre/bin/java ix,
-
- # noisy, can't write here anyway
- deny /etc/.java/ w,
- deny /etc/.java/** w,
-
- deny /usr/bin/gconftool-2 x,
-
- owner @{HOME}/ r,
- owner @{HOME}/** rwk,
-
- # These are seriously unfortunate, but required due to LP: #535247
- /etc/passwd m,
- owner @{HOME}/.java/**/cache/** m,
- owner /tmp/** m,
- /usr/lib{,32,64}/jvm/**/*.jar mr,
- /usr/share/fonts/** m,
- }
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
deleted file mode 100644
index bdac331e..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
+++ /dev/null
@@ -1,9 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- include <abstractions/kde>
- /usr/bin/kde4-config Cx -> sanitized_helper,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
deleted file mode 100644
index 8d157098..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
+++ /dev/null
@@ -1,11 +0,0 @@
-# vim:syntax=apparmor
-
- abi <abi/3.0>,
-
- # for mailto:
- include <abstractions/ubuntu-email>
- include <abstractions/ubuntu-console-email>
-
- # Terminals for using console applications. These abstractions should ideally
- # have 'ix' to restrct access to what only firefox is allowed to do
- include <abstractions/ubuntu-gnome-terminal>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
deleted file mode 100644
index f2eb23ef..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
+++ /dev/null
@@ -1,51 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- include <abstractions/X>
-
- # Pulseaudio
- /usr/bin/pulseaudio Pixr,
-
- # Image viewers
- /usr/bin/eog Cxr -> sanitized_helper,
- /usr/bin/gimp* Cxr -> sanitized_helper,
- /usr/bin/shotwell Cxr -> sanitized_helper,
- /usr/bin/digikam Cxr -> sanitized_helper,
- /usr/bin/gwenview Cxr -> sanitized_helper,
-
- include <abstractions/ubuntu-media-players>
- owner @{HOME}/.adobe/ w,
- owner @{HOME}/.adobe/** rw,
- owner @{HOME}/.macromedia/ w,
- owner @{HOME}/.macromedia/** rw,
- /opt/real/RealPlayer/mozilla/nphelix.so rm,
- /usr/bin/lpstat Cxr -> sanitized_helper,
- /usr/bin/lpr Cxr -> sanitized_helper,
-
- # Bittorrent clients
- include <abstractions/ubuntu-bittorrent-clients>
-
- # Archivers
- /usr/bin/ark Cxr -> sanitized_helper,
- /usr/bin/file-roller Cxr -> sanitized_helper,
- /usr/bin/xarchiver Cxr -> sanitized_helper,
- /usr/local/lib{,32,64}/*.so* mr,
-
- # News feed readers
- include <abstractions/ubuntu-feed-readers>
-
- # If we allow the above, nvidia based systems will also need this
- include <abstractions/nvidia>
-
- # Virus scanners
- /usr/bin/clamscan Cx -> sanitized_helper,
-
- # gxine (LP: #1057642)
- /var/lib/xine/gxine.desktop r,
-
- # For WebRTC camera access (LP: #1665535)
- /dev/video[0-9]* rw,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
deleted file mode 100644
index 5d93b262..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
+++ /dev/null
@@ -1,18 +0,0 @@
-# vim:syntax=apparmor
-
- abi <abi/3.0>,
-
- #
- # Plugins/helpers
- #
- @{PROC}/@{pid}/fd/ r,
- /usr/lib/** rm,
- /{,usr/}bin/bash ixr,
- /{,usr/}bin/dash ixr,
- /{,usr/}bin/grep ixr,
- /{,usr/}bin/sed ixr,
- /usr/bin/m4 ixr,
-
- # Since all the ubuntu-browsers.d abstractions need this, just include it
- # here
- include <abstractions/ubuntu-helpers>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
deleted file mode 100644
index 1fc67a84..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
+++ /dev/null
@@ -1,26 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- # Openoffice.org
- /usr/bin/ooffice Cxr -> sanitized_helper,
- /usr/bin/oocalc Cxr -> sanitized_helper,
- /usr/bin/oodraw Cxr -> sanitized_helper,
- /usr/bin/ooimpress Cxr -> sanitized_helper,
- /usr/bin/oowriter Cxr -> sanitized_helper,
- /usr/lib/openoffice/program/soffice Cxr -> sanitized_helper,
-
- # LibreOffice
- /usr/bin/libreoffice Cxr -> sanitized_helper,
- /usr/bin/localc Cxr -> sanitized_helper,
- /usr/bin/lodraw Cxr -> sanitized_helper,
- /usr/bin/loimpress Cxr -> sanitized_helper,
- /usr/bin/lowriter Cxr -> sanitized_helper,
- /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
-
- # PDFs
- /usr/bin/evince Cxr -> sanitized_helper,
- /usr/bin/okular Cxr -> sanitized_helper,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
deleted file mode 100644
index e04c6b80..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
+++ /dev/null
@@ -1,16 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
- /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
- /usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper,
- /usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper,
- /usr/bin/gedit Cxr -> sanitized_helper,
- /usr/bin/vim.gnome Cxr -> sanitized_helper,
- /usr/bin/leafpad Cxr -> sanitized_helper,
- /usr/bin/mousepad Cxr -> sanitized_helper,
- /usr/bin/kate Cxr -> sanitized_helper,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
deleted file mode 100644
index cdbd47cd..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+++ /dev/null
@@ -1,37 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- # Apport
- /usr/bin/apport-bug Cx -> sanitized_helper,
-
- # Package installation
- /usr/bin/apturl Cxr -> sanitized_helper,
- /usr/share/software-center/software-center Cxr -> sanitized_helper,
-
- # Input Methods
- /usr/bin/scim Cx -> sanitized_helper,
- /usr/bin/scim-bridge Cx -> sanitized_helper,
-
- # File managers
- /usr/bin/nautilus Cxr -> sanitized_helper,
- /usr/bin/{t,T}hunar Cxr -> sanitized_helper,
- /usr/bin/dolphin Cxr -> sanitized_helper,
-
- # Themes
- /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,
-
- # Kubuntu
- /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
-
- # Exo-aware applications
- include <abstractions/exo-open>
-
- # unity webapps integration. Could go in its own abstraction
- owner /run/user/*/dconf/user rw,
- owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
- /usr/bin/debconf-communicate Cxr -> sanitized_helper,
- owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
deleted file mode 100644
index c6a8eedd..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
+++ /dev/null
@@ -1,8 +0,0 @@
-# vim:syntax=apparmor
-
- abi <abi/3.0>,
-
- # firefox-notify
- include <abstractions/python>
- /usr/bin/python2.[4567] ix,
- /usr/share/xul-ext/notify/**/download_complete_notify.py ix,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
deleted file mode 100644
index f0454552..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+++ /dev/null
@@ -1,31 +0,0 @@
-# vim:syntax=apparmor
-
- abi <abi/3.0>,
-
- # Allow read to all files user has DAC access to and write access to all
- # files owned by the user in $HOME.
- @{HOME}/ r,
- @{HOME}/** r,
- owner @{HOME}/** w,
-
- # Do not allow read and/or write to particularly sensitive/problematic files
- include <abstractions/private-files>
- audit deny @{HOME}/.ssh/{,**} mrwkl,
- audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
- audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
- audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
- audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
-
- # Comment this out if using gpg plugin/addons
- audit deny @{HOME}/.gnupg/{,**} mrwkl,
-
- # Allow read to all files user has DAC access to and write for files the user
- # owns on removable media and filesystems.
- /media/** r,
- /mnt/** r,
- /srv/** r,
- /net/** r,
- owner /media/** w,
- owner /mnt/** w,
- owner /srv/** w,
- owner /net/** w,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-console-browsers b/profiles/apparmor.d/abstractions/ubuntu-console-browsers
deleted file mode 100644
index 8f6687ae..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-console-browsers
+++ /dev/null
@@ -1,23 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction for allowing access to text-only browsers in Ubuntu. These will
-# typically also need a terminal, so when using this abstraction, should also
-# do something like:
-#
-# include <abstractions/ubuntu-gnome-terminal>
-#
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- /usr/bin/elinks Cx -> sanitized_helper,
- /usr/bin/links Cx -> sanitized_helper,
- /usr/bin/lynx.cur Cx -> sanitized_helper,
- /usr/bin/netrik Cx -> sanitized_helper,
- /usr/bin/w3m Cx -> sanitized_helper,
-
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-console-browsers.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-console-email b/profiles/apparmor.d/abstractions/ubuntu-console-email
deleted file mode 100644
index ee741fdf..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-console-email
+++ /dev/null
@@ -1,23 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction for allowing console email clients in Ubuntu. These will
-# typically also need a terminal, so when using this abstraction, should also
-# do something like:
-#
-# include <abstractions/ubuntu-gnome-terminal>
-#
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- /usr/bin/alpine Cx -> sanitized_helper,
- /usr/bin/citadel Cx -> sanitized_helper,
- /usr/bin/cone Cx -> sanitized_helper,
- /usr/bin/elmo Cx -> sanitized_helper,
- /usr/bin/mutt Cx -> sanitized_helper,
-
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-console-email.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-email b/profiles/apparmor.d/abstractions/ubuntu-email
deleted file mode 100644
index 45f02eba..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-email
+++ /dev/null
@@ -1,29 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction for allowing graphical email clients in Ubuntu
-#
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- /usr/bin/anjal Cx -> sanitized_helper,
- /usr/bin/balsa Cx -> sanitized_helper,
- /usr/bin/claws-mail Cx -> sanitized_helper,
- /usr/bin/evolution Cx -> sanitized_helper,
- /usr/bin/geary Cx -> sanitized_helper,
- /usr/bin/gnome-gmail Cx -> sanitized_helper,
- /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
- /usr/bin/kmail Cx -> sanitized_helper,
- /usr/bin/mailody Cx -> sanitized_helper,
- /usr/bin/modest Cx -> sanitized_helper,
- /usr/bin/seamonkey Cx -> sanitized_helper,
- /usr/bin/sylpheed Cx -> sanitized_helper,
- /usr/bin/tkrat Cx -> sanitized_helper,
-
- /usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop
- /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-email.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-feed-readers b/profiles/apparmor.d/abstractions/ubuntu-feed-readers
deleted file mode 100644
index e8b89b1d..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-feed-readers
+++ /dev/null
@@ -1,15 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction for allowing graphical news feed readers in Ubuntu
-#
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- /usr/bin/akregator Cxr -> sanitized_helper,
- /usr/bin/liferea-add-feed Cxr -> sanitized_helper,
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-feed-readers.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal b/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal
deleted file mode 100644
index c6280b0e..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal
+++ /dev/null
@@ -1,15 +0,0 @@
-# vim:syntax=apparmor
-#
-# for allowing access to gnome-terminal
-#
-
- abi <abi/3.0>,
-
- include <abstractions/gnome>
-
- # do not use ux or PUx here. Use at a minimum ix
- /usr/bin/gnome-terminal ix,
-
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-gnome-terminal.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-helpers b/profiles/apparmor.d/abstractions/ubuntu-helpers
deleted file mode 100644
index 7e07ef43..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-helpers
+++ /dev/null
@@ -1,93 +0,0 @@
-# Lenient profile that is intended to be used when 'Ux' is desired but
-# does not provide enough environment sanitizing. This effectively is an
-# open profile that blacklists certain known dangerous files and also
-# does not allow any capabilities. For example, it will not allow 'm' on files
-# owned be the user invoking the program. While this provides some additional
-# protection, please use with care as applications running under this profile
-# are effectively running without any AppArmor protection. Use this profile
-# only if the process absolutely must be run (effectively) unconfined.
-#
-# Usage:
-# Because this abstraction defines the sanitized_helper profile, it must only
-# be included once. Therefore this abstraction should typically not be
-# included in other abstractions so as to avoid parser errors regarding
-# multiple definitions.
-#
-# Limitations:
-# 1. This does not work for root owned processes, because of the way we use
-# owner matching in the sanitized helper. We could do a better job with
-# this to support root, but it would make the policy harder to understand
-# and going unconfined as root is not desirable any way.
-#
-# 2. For this sanitized_helper to work, the program running in the sanitized
-# environment must open symlinks directly in order for AppArmor to mediate
-# it. This is confirmed to work with:
-# - compiled code which can load shared libraries
-# - python imports
-# It is known not to work with:
-# - perl includes
-# 3. Sanitizing ruby and java
-#
-# Use at your own risk. This profile was developed as an interim workaround for
-# LP: #851986 until AppArmor utilizes proper environment filtering.
-
- abi <abi/3.0>,
-
-profile sanitized_helper {
- include <abstractions/base>
- include <abstractions/X>
-
- # Allow all networking
- network inet,
- network inet6,
-
- # Allow all DBus communications
- include <abstractions/dbus-session-strict>
- include <abstractions/dbus-strict>
- dbus,
-
- # Needed for Google Chrome
- ptrace (trace) peer=**//sanitized_helper,
-
- # Allow exec of anything, but under this profile. Allow transition
- # to other profiles if they exist.
- /{usr/,usr/local/,}{bin,sbin}/* Pixr,
-
- # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
- /usr/{,local/}lib*/{,**/}* Pixr,
-
- # Allow exec of software-center scripts. We may need to allow wider
- # permissions for /usr/share, but for now just do this. (LP: #972367)
- /usr/share/software-center/* Pixr,
-
- # Allow exec of texlive font build scripts (LP: #1010909)
- /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
-
- # While the chromium and chrome sandboxes are setuid root, they only link
- # in limited libraries so glibc's secure execution should be enough to not
- # require the santized_helper (ie, LD_PRELOAD will only use standard system
- # paths (man ld.so)).
- /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
- /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
- /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
- /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
- /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
- /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr,
- /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
-
- # The same is needed for Brave
- /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
-
- # Full access
- / r,
- /** rwkl,
- /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
-
- # Dangerous files
- audit deny owner /**/* m, # compiled libraries
- audit deny owner /**/*.py* r, # python imports
-}
diff --git a/profiles/apparmor.d/abstractions/ubuntu-konsole b/profiles/apparmor.d/abstractions/ubuntu-konsole
deleted file mode 100644
index 4ece2bd3..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-konsole
+++ /dev/null
@@ -1,22 +0,0 @@
-# vim:syntax=apparmor
-#
-# for allowing access to konsole
-#
-
- abi <abi/3.0>,
-
- include <abstractions/consoles>
- include <abstractions/kde>
- capability sys_ptrace,
- @{PROC}/@{pid}/status r,
- @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/cmdline r,
- /{,var/}run/utmp r,
- /dev/ptmx rw,
-
- # do not use ux or Ux here. Use at a minimum ix
- /usr/bin/konsole ix,
-
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-konsole.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-media-players b/profiles/apparmor.d/abstractions/ubuntu-media-players
deleted file mode 100644
index 5fa48e75..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-media-players
+++ /dev/null
@@ -1,65 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction for allowing access to media players in Ubuntu
-#
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
- abi <abi/3.0>,
-
- /usr/bin/amarok Cxr -> sanitized_helper,
- /usr/bin/audacious2 Cxr -> sanitized_helper,
- /usr/bin/audacity Cxr -> sanitized_helper,
- /usr/bin/bangarang Cxr -> sanitized_helper,
- /usr/bin/banshee Cxr -> sanitized_helper,
- /usr/bin/banshee-1 Cxr -> sanitized_helper,
- /usr/bin/decibel Cxr -> sanitized_helper,
- /usr/bin/dragon Cxr -> sanitized_helper,
- /usr/bin/esperanza Cxr -> sanitized_helper,
- /usr/bin/exaile Cxr -> sanitized_helper,
- /usr/bin/freevo Cxr -> sanitized_helper,
- /usr/bin/gmerlin Cxr -> sanitized_helper,
- /usr/bin/gxmms Cxr -> sanitized_helper,
- /usr/bin/gxmms2 Cxr -> sanitized_helper,
- /usr/bin/hornsey Cxr -> sanitized_helper,
- /usr/bin/jlgui Cxr -> sanitized_helper,
- /usr/bin/juk Cxr -> sanitized_helper,
- /usr/bin/kaffeine Cxr -> sanitized_helper,
- /usr/bin/listen Cxr -> sanitized_helper,
- /usr/share/minirok/minirok.py Cxr -> sanitized_helper,
-
- # mplayer
- /etc/mplayerplug-in.conf r,
- /usr/bin/gmplayer Cxr -> sanitized_helper,
- /usr/bin/gnome-mplayer Cxr -> sanitized_helper,
- /usr/bin/kmplayer Cxr -> sanitized_helper,
- /usr/bin/mplayer Cxr -> sanitized_helper,
- /usr/bin/smplayer Cxr -> sanitized_helper,
-
- /usr/bin/muine Cxr -> sanitized_helper,
- /usr/bin/potamus Cxr -> sanitized_helper,
- /usr/bin/promoe Cxr -> sanitized_helper,
- /usr/bin/qmmp Cxr -> sanitized_helper,
- /usr/bin/quodlibet Cxr -> sanitized_helper,
- /usr/bin/rhythmbox Cxr -> sanitized_helper,
- /usr/bin/strange-quark Cxr -> sanitized_helper,
- /usr/bin/swfdec-player Cxr -> sanitized_helper,
- /usr/bin/timidity Cxr -> sanitized_helper,
- /usr/lib/totem/** ixr,
- /usr/bin/totem-gstreamer Cxr -> sanitized_helper,
- /usr/bin/totem-xine Cxr -> sanitized_helper,
- /usr/bin/totem Cxr -> sanitized_helper,
- /usr/bin/vlc Cxr -> sanitized_helper,
- /usr/bin/xfmedia Cxr -> sanitized_helper,
- /usr/bin/xmms Cxr -> sanitized_helper,
-
- # gnash
- /usr/bin/gtk-gnash ixr,
- /etc/gnashrc r,
- /etc/gnashpluginrc r,
- owner @{HOME}/.gnash/ rw,
- owner @{HOME}/.gnash/** rw,
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-media-players.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-unity7-base b/profiles/apparmor.d/abstractions/ubuntu-unity7-base
deleted file mode 100644
index 6e207b28..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-unity7-base
+++ /dev/null
@@ -1,105 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013-2014 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
- abi <abi/3.0>,
-
-#
-# Rules common to applications running under Unity 7
-#
-
-include <abstractions/gnome>
-
-include <abstractions/dbus-session-strict>
-include <abstractions/dbus-strict>
-
- #
- # Access required for connecting to/communication with Unity HUD
- #
- dbus (send)
- bus=session
- path="/com/canonical/hud",
- dbus (send)
- bus=session
- interface="com.canonical.hud.*",
- dbus (send)
- bus=session
- path="/com/canonical/hud/applications/*",
- dbus (receive)
- bus=session
- path="/com/canonical/hud",
- dbus (receive)
- bus=session
- interface="com.canonical.hud.*",
-
- #
- # Allow access for connecting to/communication with the appmenu
- #
- # dbusmenu
- dbus (send)
- bus=session
- interface="com.canonical.AppMenu.*",
- dbus (receive, send)
- bus=session
- path=/com/canonical/menu/**,
-
- # gmenu
- dbus (receive, send)
- bus=session
- interface=org.gtk.Actions,
- dbus (receive, send)
- bus=session
- interface=org.gtk.Menus,
-
- #
- # Access required for using freedesktop notifications
- #
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=GetCapabilities,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=GetServerInformation,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=Notify,
- dbus (receive)
- bus=session
- member="Notify"
- peer=(name="org.freedesktop.DBus"),
- dbus (receive)
- bus=session
- path=/org/freedesktop/Notifications
- member=NotificationClosed,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=CloseNotification,
-
- # accessibility
- dbus (send)
- bus=session
- peer=(name=org.a11y.Bus),
- dbus (receive)
- bus=session
- interface=org.a11y.atspi*,
- dbus (receive, send)
- bus=accessibility,
-
- #
- # Deny potentially dangerous access
- #
- deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**,
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-unity7-base.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-unity7-launcher b/profiles/apparmor.d/abstractions/ubuntu-unity7-launcher
deleted file mode 100644
index eb2f070d..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-unity7-launcher
+++ /dev/null
@@ -1,12 +0,0 @@
- abi <abi/3.0>,
-
- #
- # Access required for connecting to/communicating with the Unity Launcher
- #
- dbus (send)
- bus=session
- interface="com.canonical.Unity.LauncherEntry"
- member="Update",
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-unity7-launcher.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-unity7-messaging b/profiles/apparmor.d/abstractions/ubuntu-unity7-messaging
deleted file mode 100644
index 21de3ff0..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-unity7-messaging
+++ /dev/null
@@ -1,12 +0,0 @@
- abi <abi/3.0>,
-
- #
- # Access required for connecting to/communicating with the Unity messaging
- # indicator
- #
- dbus (receive, send)
- bus=session
- path="/com/canonical/indicator/messages/*",
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-unity7-messaging.d>
diff --git a/profiles/apparmor.d/abstractions/ubuntu-xterm b/profiles/apparmor.d/abstractions/ubuntu-xterm
deleted file mode 100644
index 07eacaba..00000000
--- a/profiles/apparmor.d/abstractions/ubuntu-xterm
+++ /dev/null
@@ -1,18 +0,0 @@
-# vim:syntax=apparmor
-#
-# for allowing access to xterm
-#
-
- abi <abi/3.0>,
-
- include <abstractions/consoles>
- /dev/ptmx rw,
- /{,var/}run/utmp r,
- /etc/X11/app-defaults/XTerm r,
-
- # do not use ux or Ux here. Use at a minimum ix
- /usr/bin/xterm ix,
-
-
- # Include additions to the abstraction
- include if exists <abstractions/ubuntu-xterm.d>
diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global
index 3dd4bfdb..72311764 100644
--- a/profiles/apparmor.d/tunables/global
+++ b/profiles/apparmor.d/tunables/global
@@ -13,7 +13,6 @@
# should be included here
include <tunables/home>
-include <tunables/multiarch>
include <tunables/proc>
include <tunables/alias>
include <tunables/kernelvars>
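Review bot: Dropping `include <tunables/multiarch>` here removes the @{multiarch} variable for every profile on the system, not only the shipped ones this patch also edits, so any site-local or third-party profile that still uses a `/usr/lib/@{multiarch}/...` rule will fail to parse (apparmor_parser rejects references to undeclared variables) and, as far as I can tell from the loader behaviour, that program then runs unconfined rather than failing closed. Unless breaking such profiles is intended, keeping the variable defined costs nothing on a non-multiarch layout because the pattern simply never matches: leave this line and the tunables/multiarch file in place, or at minimum declare `@{multiarch}=*-linux-gnu*` in a retained tunable. If the removal is deliberate, the package changelog should say so explicitly so administrators know to fix local profiles before enabling enforce mode.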
diff --git a/profiles/apparmor.d/tunables/multiarch b/profiles/apparmor.d/tunables/multiarch
deleted file mode 100644
index 32fd1aa1..00000000
--- a/profiles/apparmor.d/tunables/multiarch
+++ /dev/null
@@ -1,17 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-# @{multiarch} is the set of patterns matching multi-arch library
-# install prefixes.
-@{multiarch}=*-linux-gnu*
-
-# Also, include files in tunables/multiarch.d for site and packaging
-# specific adjustments to @{multiarch}.
-include <tunables/multiarch.d>
diff --git a/profiles/apparmor.d/tunables/multiarch.d/site.local b/profiles/apparmor.d/tunables/multiarch.d/site.local
deleted file mode 100644
index 91877e2a..00000000
--- a/profiles/apparmor.d/tunables/multiarch.d/site.local
+++ /dev/null
@@ -1,14 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2011 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-# The following is a space-separated list of where additional multipath
-# prefixes are stored, each should not have a trailing '/'. Directories
-# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg:
-#@{multiarch}+=*-freebsd* s390-hurd-zomg
diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
index c4e6d70c..c73ab39a 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -41,9 +41,6 @@ profile smbd /usr/{bin,sbin}/smbd {
/usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
/usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
/usr/lib*/samba/{lowcase,upcase,valid}.dat r,
- /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
- /usr/lib/@{multiarch}/samba/**/ r,
- /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
/usr/share/samba/** r,
/usr/{bin,sbin}/smbd mr,
/usr/{bin,sbin}/smbldap-useradd Px,
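Review bot: The three removed lines were the only rules in this hunk granting `mr` on Samba's loadable module directories, and nothing is added in their place for the non-multiarch layout this package targets (e.g. /usr/lib64/samba/ and its subdirectories); unless rules above the hunk already cover `/usr/lib*/samba/**/*.so`, smbd will be denied mapping its modules in enforce mode, which typically surfaces as share or authentication failures rather than a clear parser error. A replacement using the path style the surrounding context lines already use, `/usr/lib*/samba/**/ r,` and `/usr/lib*/samba/{,**/}*.so{,.[0-9]*} mr,`, preserves the original grant without depending on @{multiarch}. The smbd profile begins and ends outside this hunk, so I cannot confirm from here whether equivalent rules exist elsewhere in it.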
diff --git a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
index b47b6f72..2c7b636a 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
+++ b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
@@ -275,22 +275,15 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
profile sandbox {
# Be fanatical since it is setuid root and don't use an abstraction
/{usr/,}lib{,32,64}/libgcc_s.so* mr,
- /{usr/,}lib{,32,64}/@{multiarch}/libgcc_s.so* mr,
/{usr/,}lib{,32,64}/libm-*.so* mr,
- /{usr/,}lib/@{multiarch}/libm-*.so* mr,
/{usr/,}lib{,32,64}/libpthread-*.so* mr,
- /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
/{usr/,}lib{,32,64}/libc-*.so* mr,
- /{usr/,}lib/@{multiarch}/libc-*.so* mr,
/{usr/,}lib{,32,64}/libld-*.so* mr,
- /{usr/,}lib/@{multiarch}/libld-*.so* mr,
/{usr/,}lib{,32,64}/ld-*.so* mr,
- /{usr/,}lib{,32,64}/@{multiarch}/ld-*.so* mr,
/{usr/,}lib{,32,64}/tls/*/{cmov,nosegneg}/libm-*.so* mr,
/{usr/,}lib{,32,64}/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
/{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
/usr/lib{,32,64}/libstdc++.so* mr,
- /usr/lib{,32,64}/@{multiarch}/libstdc++.so* mr,
/etc/ld.so.cache r,
# Required for dropping into PID namespace. Keep in mind that until the
diff --git a/profiles/apparmor/profiles/extras/usr.bin.skype b/profiles/apparmor/profiles/extras/usr.bin.skype
index dce23e34..1ee381b6 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.skype
+++ b/profiles/apparmor/profiles/extras/usr.bin.skype
@@ -50,7 +50,6 @@ include <tunables/global>
/usr/share/skype/** kr,
/usr/share/skype/**/*.qm mr,
/usr/share/skype/sounds/*.wav kr,
- /usr/lib/@{multiarch}/pango/** mr,
# For opening links in the browser (still requires explicit access to execute
# the browser)
diff --git a/profiles/apparmor/profiles/extras/usr.bin.wireshark b/profiles/apparmor/profiles/extras/usr.bin.wireshark
index a835afb3..f52b51d4 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.wireshark
+++ b/profiles/apparmor/profiles/extras/usr.bin.wireshark
@@ -86,9 +86,6 @@ include <tunables/global>
/usr/share/wireshark/** r,
/usr/share/GeoIP/ r,
/usr/share/GeoIP/** r,
- /usr/lib/@{multiarch}/wireshark/extcap/* ix,
- /usr/lib/@{multiarch}/wireshark/plugins/**/ r,
- /usr/lib/@{multiarch}/wireshark/plugins/**.so mr,
/usr/bin/dumpcap Px,
diff --git a/utils/logprof.conf b/utils/logprof.conf
index 88e2209b..0c779860 100644
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
@@ -149,7 +149,6 @@
# if they use any perl modules, grant access to all
^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
- ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
# locale foo
^/usr/lib/locale/.+$ = /usr/lib/locale/**
diff --git a/utils/test/logprof.conf b/utils/test/logprof.conf
index 71b50e48..e53f8332 100644
--- a/utils/test/logprof.conf
+++ b/utils/test/logprof.conf
@@ -101,7 +101,6 @@
# if they use any perl modules, grant access to all
^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
- ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
# locale foo
^/usr/lib/locale/.+$ = /usr/lib/locale/**
diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
index 89a5c3da..1fdf9da5 100644
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
@@ -494,7 +494,6 @@ class AaTest_is_skippable_dir(AATest):
('/etc/apparmor.d/local/', False),
('tunables', False),
('/etc/apparmor.d/tunables', False),
- ('/etc/apparmor.d/tunables/multiarch.d', False),
('/etc/apparmor.d/tunables/xdg-user-dirs.d', False),
('/etc/apparmor.d/tunables/home.d', False),
('/etc/apparmor.d/abstractions', False),
diff --git a/utils/test/test-severity.py b/utils/test/test-severity.py
index 1e80ff10..d47d04f1 100755
--- a/utils/test/test-severity.py
+++ b/utils/test/test-severity.py
@@ -78,7 +78,6 @@ class SeverityVarsTest(SeverityBaseTest):
tests = [
(['@{PROC}/sys/vm/overcommit_memory', 'r'], 6),
(['@{HOME}/sys/@{PROC}/overcommit_memory', 'r'], 4),
- (['/overco@{multiarch}mmit_memory', 'r'], 'unknown'),
(['@{PROC}/sys/@{TFTP_DIR}/overcommit_memory', 'r'], 6),
(['@{somepaths}/somefile', 'r'], 7),
]
@@ -87,7 +86,6 @@ class SeverityVarsTest(SeverityBaseTest):
vars = {
'@{HOME}': {'@{HOMEDIRS}/*/', '/root/'},
'@{HOMEDIRS}': {'/home/', '/storage/'},
- '@{multiarch}': {'*-linux-gnu*'},
'@{TFTP_DIR}': {'/var/tftp /srv/tftpboot'},
'@{PROC}': {'/proc/'},
'@{somepaths}': {'/home/foo/downloads', '@{HOMEDIRS}/foo/.ssh/'},