[apparmor] [patch] Change /bin/ paths in profiles to also match on /usr/bin/

[Christian Boltz]

Hello,

oftc_ftw reported on IRC that Arch Linux has a symlink /bin -> /usr/bin.
This means we have to update paths for /bin/ in several profiles to also
allow /usr/bin/

I propose this patch for trunk and 2.9.


[ profiles-usrmove-bin.diff ]

=== modified file ./profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
--- profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common   2013-07-05 20:40:57.568842000 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common   2015-09-18 21:44:06.939854258 +0200
@@ -5,10 +5,10 @@
   #
   @{PROC}/@{pid}/fd/ r,
   /usr/lib/** rm,
-  /bin/bash ixr,
-  /bin/dash ixr,
-  /bin/grep ixr,
-  /bin/sed ixr,
+  /{,usr/}bin/bash ixr,
+  /{,usr/}bin/dash ixr,
+  /{,usr/}bin/grep ixr,
+  /{,usr/}bin/sed ixr,
   /usr/bin/m4 ixr,
 
   # Since all the ubuntu-browsers.d abstractions need this, just include it
=== modified file ./profiles/apparmor.d/apache2.d/phpsysinfo
--- profiles/apparmor.d/apache2.d/phpsysinfo    2014-10-15 20:19:34.705810000 +0200
+++ profiles/apparmor.d/apache2.d/phpsysinfo    2015-09-18 21:41:48.387810179 +0200
@@ -8,10 +8,10 @@
     #include <abstractions/php5>
     #include <abstractions/python>
 
-    /bin/dash ixr,
-    /bin/df ixr,
-    /bin/mount ixr,
-    /bin/uname ixr,
+    /{,usr/}bin/dash ixr,
+    /{,usr/}bin/df ixr,
+    /{,usr/}bin/mount ixr,
+    /{,usr/}bin/uname ixr,
     /dev/bus/usb/ r,
     /dev/bus/usb/** r,
     /etc/debian_version r,
=== modified file ./profiles/apparmor.d/bin.ping
--- profiles/apparmor.d/bin.ping        2013-07-05 20:40:57.568842000 +0200
+++ profiles/apparmor.d/bin.ping        2015-09-18 21:42:14.850290670 +0200
@@ -19,7 +19,7 @@
   capability setuid,
   network inet raw,
 
-  /bin/ping mixr,
+  /{,usr/}bin/ping mixr,
   /etc/modules.conf r,
 
   # Site-specific additions and overrides. See local/README for details.
=== modified file ./profiles/apparmor.d/usr.sbin.dnsmasq
--- profiles/apparmor.d/usr.sbin.dnsmasq        2015-09-18 19:19:23.099960000 +0200
+++ profiles/apparmor.d/usr.sbin.dnsmasq        2015-09-18 21:41:04.976302904 +0200
@@ -47,7 +47,7 @@
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
 
-  /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+  /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
 
   # access to iface mtu needed for Router Advertisement messages in IPv6
   # Neighbor Discovery protocol (RFC 2461)
=== modified file ./profiles/apparmor.d/usr.sbin.smbldap-useradd
--- profiles/apparmor.d/usr.sbin.smbldap-useradd        2013-07-05 20:40:57.568842000 +0200
+++ profiles/apparmor.d/usr.sbin.smbldap-useradd        2015-09-18 21:42:52.370136220 +0200
@@ -8,7 +8,7 @@
   #include <abstractions/perl>
 
   /dev/tty rw,
-  /bin/bash ix,
+  /{,usr/}bin/bash ix,
   /etc/init.d/nscd Cx,
   /etc/shadow r,
   /etc/smbldap-tools/smbldap.conf r,
@@ -26,9 +26,9 @@
 
     capability sys_ptrace,
 
-    /bin/bash r,
-    /bin/mountpoint rix,
-    /bin/systemctl rix,
+    /{,usr/}bin/bash r,
+    /{,usr/}bin/mountpoint rix,
+    /{,usr/}bin/systemctl rix,
     /dev/tty rw,
     /etc/init.d/nscd r,
     /etc/rc.status r,


Regards,

Christian Boltz
-- 
> Can we agree to disagree, or do we need to vote in the
> next meeting? ;-)
Wait, you want to start a discussion on which voting system
(http://en.wikipedia.org/wiki/Voting_system) to use? :)
[> Christian Boltz and Steve Beattie in apparmor]