From 9ee1161bc2a3f2286d8136bd1e88f36f49f7a3f0 Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Sat, 27 Oct 2018 09:47:48 +0000
Subject: [PATCH] Totem, Pidgin, gstreamer: update to the latest upstream
profile. Drop the gst_plugin_scanner named profile.
This adds a dependency on the mesa abstraction, shipped in apparmor 2.13.1,
so versioning the dependency on apparmor accordingly.
The removal of the gst_plugin_scanner named profile and the gstreamer
abstraction updates break the usr.bin.surf profile, so adding a versioned
Breaks.
---
debian/README.Debian | 10 ++++----
debian/apparmor-profiles-extra.maintscript | 1 +
debian/control | 6 +++--
debian/copyright | 2 +-
profiles/abstractions/gstreamer | 22 ++++++++++++++++++
profiles/abstractions/totem | 5 ----
profiles/gst_plugin_scanner | 27 ----------------------
profiles/usr.bin.pidgin | 6 -----
profiles/usr.bin.totem | 1 +
profiles/usr.bin.totem-previewers | 4 ++++
10 files changed, 38 insertions(+), 46 deletions(-)
create mode 100644 debian/apparmor-profiles-extra.maintscript
delete mode 100644 profiles/gst_plugin_scanner
diff --git a/debian/README.Debian b/debian/README.Debian
index 2a5c5eb..e1ff2a8 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -2,12 +2,12 @@ Included profiles
=================
- apt-cacher-ng: taken from the apparmor-profiles repository at commit 9d7bd63.
-- GStreamer abstraction, gst_plugin_scanner named profile: taken from
- the apparmor-profiles repository at commit 5ba92ee.
+- GStreamer abstraction: taken from the apparmor-profiles repository
+ at commit 835edc5.
- irssi: taken from the apparmor-profiles repository at commit 5ba92ee.
-- Pidgin: taken from the apparmor-profiles repository at commit 6ae555e
+- Pidgin: taken from the apparmor-profiles repository at commit 835edc5
with apparmor/apparmor-profiles!29 applied on top.
-- Totem: taken from the apparmor-profiles repository at commit 6ae555e.
+- Totem: taken from the apparmor-profiles repository at commit 835edc5.
Sources
=======
@@ -17,4 +17,4 @@ apparmor-profiles repository
https://gitlab.com/apparmor/apparmor-profiles
- -- intrigeri <intrigeri@debian.org>, Sat, 20 Oct 2018 21:22:11 +0200
+ -- intrigeri <intrigeri@debian.org>, Sat, 27 Oct 2018 11:47:14 +0200
diff --git a/debian/apparmor-profiles-extra.maintscript b/debian/apparmor-profiles-extra.maintscript
new file mode 100644
index 0000000..411c9ab
--- /dev/null
+++ b/debian/apparmor-profiles-extra.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/apparmor.d/gst_plugin_scanner 1.22~
diff --git a/debian/control b/debian/control
index d9db789..7a7a744 100644
--- a/debian/control
+++ b/debian/control
@@ -5,7 +5,7 @@ Section: admin
Priority: optional
Build-Depends: debhelper (>= 11),
dh-apparmor,
- apparmor (>= 2.9.0)
+ apparmor (>= 2.13.1-1~)
Standards-Version: 4.2.1
Vcs-Browser: https://salsa.debian.org/apparmor-team/apparmor-profiles-extra
Vcs-Git: https://salsa.debian.org/apparmor-team/apparmor-profiles-extra.git
@@ -14,7 +14,9 @@ Homepage: https://wiki.debian.org/AppArmor
Package: apparmor-profiles-extra
Architecture: all
Depends: ${misc:Depends},
- apparmor (>= 2.9.0)
+ apparmor (>= 2.13.1-1~)
+Breaks: surf (<< 2.0+git20180223-1.),
+ surf-apparmor (<< 2.0+git20180223-1.)
Description: Extra profiles for AppArmor Security policies
This package provides various AppArmor profiles that are not shipped in
the upstream AppArmor releases.
diff --git a/debian/copyright b/debian/copyright
index ab12189..3e4bf6a 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -5,7 +5,7 @@ Files: debian/*
Copyright: 2014-2017 Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>
License: GPL-2+
-Files: profiles/abstractions/gstreamer profiles/gst_plugin_scanner
+Files: profiles/abstractions/gstreamer
Copyright: 2008-2016 AppArmor developers <apparmor@lists.ubuntu.com>
License: GPL-2+
diff --git a/profiles/abstractions/gstreamer b/profiles/abstractions/gstreamer
index 893e672..00f1ac8 100644
--- a/profiles/abstractions/gstreamer
+++ b/profiles/abstractions/gstreamer
@@ -1,9 +1,17 @@
# vim:syntax=apparmor
+ #include <abstractions/base>
#include <abstractions/p11-kit>
+ #include <abstractions/X>
+
+ # TODO: adjust when support finer-grained netlink rules
+ network netlink raw,
/etc/udev/udev.conf r,
+ /etc/wildmidi/wildmidi.cfg r,
+ /dev/ r,
+ /dev/bus/usb/ r,
/dev/dri/ r,
# /dev/shm is a symlink to /run/shm on ubuntu
@@ -13,6 +21,10 @@
/run/udev/data/+pci:* r,
/run/udev/data/+usb* r,
+ /sys/bus/ r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/ r,
+ /sys/class/drm/ r,
/sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
/sys/devices/system/node/ r,
/sys/devices/system/node/*/meminfo r,
@@ -21,3 +33,13 @@
owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
# needed if /tmp is mounted noexec:
owner @{HOME}/orcexec.* mr,
+
+ /usr/lib/frei0r-[0-9]/*.so m,
+ # /usr/lib/@{multiarch}/dri/** mr,
+ /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
+ /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
+ /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
+
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw,
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
diff --git a/profiles/abstractions/totem b/profiles/abstractions/totem
index 79b57f9..111bee7 100644
--- a/profiles/abstractions/totem
+++ b/profiles/abstractions/totem
@@ -28,11 +28,6 @@
/usr/share/** r,
/{media,mnt,opt,srv}/** r,
- /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Px -> gst_plugin_scanner,
-
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
owner @{HOME}/.cache/mesa/** rwk,
owner @{HOME}/.cache/thumbnails/** rw,
owner @{HOME}/.cache/totem/ rw,
diff --git a/profiles/gst_plugin_scanner b/profiles/gst_plugin_scanner
deleted file mode 100644
index bea6c32..0000000
--- a/profiles/gst_plugin_scanner
+++ /dev/null
@@ -1,27 +0,0 @@
-# vim:syntax=apparmor
-
-#include <tunables/global>
-
-profile gst_plugin_scanner {
- #include <abstractions/base>
- #include <abstractions/gstreamer>
- #include <abstractions/X>
-
- # TODO: adjust when support finer-grained netlink rules
- network netlink raw,
-
- /dev/ r,
- /dev/bus/usb/ r,
-
- /sys/bus/ r,
- /sys/bus/usb/devices/ r,
- /sys/class/ r,
-
- /etc/wildmidi/wildmidi.cfg r,
-
- /usr/lib/frei0r-[0-9]/*.so m,
- # /usr/lib/@{multiarch}/dri/** mr,
- /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner mr,
- /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
- /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
-}
diff --git a/profiles/usr.bin.pidgin b/profiles/usr.bin.pidgin
index 5e00e96..c3ce8e1 100644
--- a/profiles/usr.bin.pidgin
+++ b/profiles/usr.bin.pidgin
@@ -38,12 +38,6 @@
deny capability sys_ptrace,
deny @{HOME}/.local/share/applications/wine/ r,
- owner @{HOME}/.gstreamer*/ rw,
- owner @{HOME}/.gstreamer*/** rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
- /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Pix -> gst_plugin_scanner,
owner @{HOME}/.purple/ rw,
owner @{HOME}/.purple/** rwk,
owner @{HOME}/.purple/plugins/*.so m,
diff --git a/profiles/usr.bin.totem b/profiles/usr.bin.totem
index f94049f..f6091d8 100644
--- a/profiles/usr.bin.totem
+++ b/profiles/usr.bin.totem
@@ -7,6 +7,7 @@
#include <abstractions/audio>
#include <abstractions/dconf>
#include <abstractions/ibus>
+ #include <abstractions/mesa>
#include <abstractions/nvidia>
#include <abstractions/python>
#include <abstractions/totem>
diff --git a/profiles/usr.bin.totem-previewers b/profiles/usr.bin.totem-previewers
index b08af56..80a42e9 100644
--- a/profiles/usr.bin.totem-previewers
+++ b/profiles/usr.bin.totem-previewers
@@ -6,6 +6,10 @@
/usr/bin/totem-video-thumbnailer {
#include <abstractions/totem>
+ # Probably needed due to this program being run with bwrap
+ @{HOMEDIRS} w,
+ owner @{HOME}/ w,
+
# Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
# effect.
#include <abstractions/private-files-strict>
--
GitLab