[apparmor] [patch] logprof.conf and UsrMove

Christian Boltz apparmor at cboltz.de
Tue Jan 28 20:20:52 UTC 2014 

Hello,

logprof.conf contains a list of binaries in the [qualifiers] section 
that should for example never have their own profile.

Since some distributions moved lots of files from /bin/ to /usr/bin/ 
("UsrMove"), this list is outdated.

The patch adds copies of all /bin/ (and /sbin/) lines with /usr 
prepended.

=== modified file 'utils/logprof.conf'
--- utils/logprof.conf  2012-09-27 21:57:21 +0000
+++ utils/logprof.conf  2014-01-28 20:16:47 +0000
@@ -43,14 +43,20 @@
 [qualifiers]
   # things will be painfully broken if bash has a profile
   /bin/bash     = icnu
-  /bin/ksh     = icnu
-  /bin/dash    = icnu
+  /usr/bin/bash = icnu
+  /bin/ksh         = icnu
+  /usr/bin/ksh = icnu
+  /bin/dash        = icnu
+  /usr/bin/dash        = icnu
 
   # these programs can't function if they're confined
   /bin/mount    = u
+  /usr/bin/mount = u
   /etc/init.d/subdomain = u
   /sbin/cardmgr = u
+  /usr/sbin/cardmgr = u
   /sbin/subdomain_parser = u
+  /usr/sbin/subdomain_parser = u
   /usr/sbin/genprof = u
   /usr/sbin/logprof = u
   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
@@ -58,24 +64,43 @@
 
   # these ones shouln't have their own profiles
   /bin/awk      = icn
+  /usr/bin/awk  = icn
   /bin/cat      = icn
+  /usr/bin/cat  = icn
   /bin/chmod    = icn
+  /usr/bin/chmod = icn
   /bin/chown    = icn
+  /usr/bin/chown = icn
   /bin/cp       = icn
+  /usr/bin/cp   = icn
   /bin/gawk     = icn
+  /usr/bin/gawk = icn
   /bin/grep     = icn
+  /usr/bin/grep = icn
   /bin/gunzip   = icn
+  /usr/bin/gunzip = icn
   /bin/gzip     = icn
+  /usr/bin/gzip = icn
   /bin/kill     = icn
+  /usr/bin/kill = icn
   /bin/ln       = icn
+  /usr/bin/ln   = icn
   /bin/ls       = icn
+  /usr/bin/ls   = icn
   /bin/mkdir    = icn
+  /usr/bin/mkdir = icn
   /bin/mv       = icn
+  /usr/bin/mv   = icn
   /bin/readlink = icn
+  /usr/bin/readlink = icn
   /bin/rm       = icn
+  /usr/bin/rm   = icn
   /bin/sed      = icn
+  /usr/bin/sed  = icn
   /bin/touch    = icn
+  /usr/bin/touch = icn
   /sbin/killall5 = icn
+  /usr/sbin/killall5 = icn
   /usr/bin/find = icn
   /usr/bin/killall = icn
   /usr/bin/nice = icn



Regards,

Christian Boltz
-- 
"Oh my god, nobody has improved the shape of the wheel since 100 years.
 Let's abandon all wheels immediately, they cannot possibly work
 anymore!!!"   [Stefan Seyfried in opensuse-factory]

More information about the AppArmor mailing list