[apparmor] [patch] logprof.conf and UsrMove

John Johansen john.johansen at canonical.com
Sun Feb 2 10:08:54 UTC 2014 

On 01/28/2014 12:20 PM, Christian Boltz wrote:
> Hello,
> 
> logprof.conf contains a list of binaries in the [qualifiers] section 
> that should for example never have their own profile.
> 
> Since some distributions moved lots of files from /bin/ to /usr/bin/ 
> ("UsrMove"), this list is outdated.
> 
> The patch adds copies of all /bin/ (and /sbin/) lines with /usr 
> prepended.
> 
Acked-by: John Johansen <john.johansen at canonical.com>

> === modified file 'utils/logprof.conf'
> --- utils/logprof.conf  2012-09-27 21:57:21 +0000
> +++ utils/logprof.conf  2014-01-28 20:16:47 +0000
> @@ -43,14 +43,20 @@
>  [qualifiers]
>    # things will be painfully broken if bash has a profile
>    /bin/bash     = icnu
> -  /bin/ksh     = icnu
> -  /bin/dash    = icnu
> +  /usr/bin/bash = icnu
> +  /bin/ksh         = icnu
> +  /usr/bin/ksh = icnu
> +  /bin/dash        = icnu
> +  /usr/bin/dash        = icnu
>  
>    # these programs can't function if they're confined
>    /bin/mount    = u
> +  /usr/bin/mount = u
>    /etc/init.d/subdomain = u
>    /sbin/cardmgr = u
> +  /usr/sbin/cardmgr = u
>    /sbin/subdomain_parser = u
> +  /usr/sbin/subdomain_parser = u
>    /usr/sbin/genprof = u
>    /usr/sbin/logprof = u
>    /usr/lib/YaST2/servers_non_y2/ag_genprof = u
> @@ -58,24 +64,43 @@
>  
>    # these ones shouln't have their own profiles
>    /bin/awk      = icn
> +  /usr/bin/awk  = icn
>    /bin/cat      = icn
> +  /usr/bin/cat  = icn
>    /bin/chmod    = icn
> +  /usr/bin/chmod = icn
>    /bin/chown    = icn
> +  /usr/bin/chown = icn
>    /bin/cp       = icn
> +  /usr/bin/cp   = icn
>    /bin/gawk     = icn
> +  /usr/bin/gawk = icn
>    /bin/grep     = icn
> +  /usr/bin/grep = icn
>    /bin/gunzip   = icn
> +  /usr/bin/gunzip = icn
>    /bin/gzip     = icn
> +  /usr/bin/gzip = icn
>    /bin/kill     = icn
> +  /usr/bin/kill = icn
>    /bin/ln       = icn
> +  /usr/bin/ln   = icn
>    /bin/ls       = icn
> +  /usr/bin/ls   = icn
>    /bin/mkdir    = icn
> +  /usr/bin/mkdir = icn
>    /bin/mv       = icn
> +  /usr/bin/mv   = icn
>    /bin/readlink = icn
> +  /usr/bin/readlink = icn
>    /bin/rm       = icn
> +  /usr/bin/rm   = icn
>    /bin/sed      = icn
> +  /usr/bin/sed  = icn
>    /bin/touch    = icn
> +  /usr/bin/touch = icn
>    /sbin/killall5 = icn
> +  /usr/sbin/killall5 = icn
>    /usr/bin/find = icn
>    /usr/bin/killall = icn
>    /usr/bin/nice = icn
> 
> 
> 
> Regards,
> 
> Christian Boltz
>

More information about the AppArmor mailing list