lp://staging/~cmiller/apparmor/chromiumbrowser-fcitx-abstraction

Branch merges

Propose for merging

No branches dependent on this one.

Rejected for merging into lp://staging/apparmor/2.12

Tyler Hicks: Needs Fixing on 2016-01-11

Diff: 59 lines (+43/-1)

2 files modified

profiles/apparmor.d/abstractions/dbus-accessibility-strict (+1/-1)
profiles/apparmor.d/abstractions/fcitx (+42/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Bug #1532902: chromium-browser profile complains about fcitx input method

Undecided

In Progress

Link a bug report

Related blueprints

3338. By Chad Miller on 2016-01-15

Finish separating accessibility rules.

3337. By Chad Miller on 2016-01-11

Un-splitting. Reverting dbus-accessibility-strict.

Remove unneeded rules.

3336. By Chad Miller on 2016-01-11

Split into two pieces. The first updates the strict ruleset for the
accessibility facilities' dbus access, and adds some missing member calls like
Hello. The other groups members in fcitx abstraction together nicer.

3335. By Chad Miller on 2016-01-11

Create a new input-method abstraction: pass through dbus method calls and
responses relating to the FCITX input method

3334. By Tyler Hicks on 2016-01-08

libapparmor: Fix minor formatting issue in the aa_query_label(2) man

Remove extra leading parenthesis from some of the function prototypes.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: John Johansen <email address hidden>

3333. By Tyler Hicks on 2016-01-08

libapparmor: Reorder SYNOPSIS section of aa_query_label(2) man

Swap aa_query_link_path_len() and aa_query_link_path() to match the
order of aa_query_file_path() and aa_query_file_path_len().

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: John Johansen <email address hidden>

3332. By Tyler Hicks on 2016-01-08

libapparmor: Fix line wrapping of the aa_query_label(2) man

Doing manual line wraps resulted in an unreadable SYNOPSIS section.
Allow man to handle line wrapping the function prototypes itself.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: John Johansen <email address hidden>

3331. By Tyler Hicks on 2016-01-08

libapparmor: Add funcs to the NAME section of the aa_query_label(2) man

aa_query_file_path, aa_query_file_path_len, aa_query_link_path, and
aa_query_link_path_len were omitted from the NAME section.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: John Johansen <email address hidden>

3330. By Christian Boltz on 2016-01-07

Add some simple_tests ("deny dbus name=(SomeService)," and "deny file,")

Acked-by: Steve Beattie <email address hidden>

3329. By Christian Boltz on 2016-01-07

Fix handling of link events in aa-logprof

handle_children() has some special code for handling link events with
denied_mask = 'l'. Unfortunately this special code depends on a regex
that matches the old, obsolete log format - in a not really parsed
format ("^from .* to .*$").

The result was that aa-logprof did not ask about events containing 'l'
in denied_mask.

Fortunately the fix is easy - delete the code with the special handling
for 'l' events, and the remaining code that handles other file
permissions will handle it :-)

References: Bugreport by pfak on IRC

Testcase (with hand-tuned log event):

    aa-logprof -f <( echo 'Jan 7 03:11:24 mail kernel: [191223.562261] type=1400 audit(1452136284.727:344): apparmor="ALLOWED" operation="link" profile="/usr/sbin/smbd" name="/foo" pid=10262 comm=616D617669736420286368362D3130 requested_mask="l" denied_mask="l" fsuid=110 ouid=110 target="/bar"')

should ask to add '/foo l,' to the profile.

Acked-by: Seth Arnold <email address hidden> for trunk, 2.10 and 2.9.