[apparmor] [patch] [2.8 branch] Backport profile additions from the 2.9 branch

Seth Arnold seth.arnold at canonical.com
Fri Apr 15 19:47:03 UTC 2016


On Thu, Apr 14, 2016 at 02:23:58PM +0200, Christian Boltz wrote:
> Hello,
> 
> this patch backports most profile additions from the latest 2.9 branch
> r3004, with the exception of new rule types (2.8 doesn't support dbus,
> ptrace etc.) and some noisy cleanups (like /proc/*/ -> @{PROC}/@{pid}/).
> 
> I'll submit this patch as update for openSUSE 13.1 (which still uses
> 2.8.4) and would like to get a review ASAP ;-)
> 
> (See also the mail I sent some minutes ago.)

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> 
> 
> [ backport-profile-additions-from-2.9.diff ]
> 
> === modified file 'profiles/apparmor.d/abstractions/X'
> --- profiles/apparmor.d/abstractions/X  2013-01-04 17:45:19 +0000
> +++ profiles/apparmor.d/abstractions/X  2016-04-14 12:13:08 +0000
> @@ -19,6 +19,8 @@
>    @{HOME}/.Xauthority           r,
>    owner /{,var/}run/gdm{,3}/*/database r,
>    owner /{,var/}run/lightdm/authority/[0-9]* r,
> +  owner /{,var/}run/lightdm/*/xauthority r,
> +  owner /{,var/}run/user/*/gdm/Xauthority r,
>  
>    # the unix socket to use to connect to the display
>    /tmp/.X11-unix/*           w,
> @@ -32,9 +34,13 @@
>    /usr/share/X11/**               r,
>    /usr/X11R6/**.so*               mr,
>  
> +  # EGL
> +  /usr/lib/@{multiarch}/egl/*.so* mr,
> +
>    # DRI
>    /usr/lib{,32,64}/dri/**         mr,
>    /usr/lib/@{multiarch}/dri/**    mr,
> +  /usr/lib/fglrx/dri/**           mr,
>    /dev/dri/**                     rw,
>    /etc/drirc                      r,
>    owner @{HOME}/.drirc            r,
> 
> === modified file 'profiles/apparmor.d/abstractions/aspell'
> --- profiles/apparmor.d/abstractions/aspell     2012-01-18 18:15:57 +0000
> +++ profiles/apparmor.d/abstractions/aspell     2016-04-14 12:13:08 +0000
> @@ -8,4 +8,6 @@
>    /usr/lib/aspell/ r,
>    /usr/lib/aspell/* r,
>    /usr/lib/aspell/*.so m,
> +  /usr/share/aspell/ r,
> +  /usr/share/aspell/* r,
>    /var/lib/aspell/* r,
> 
> === modified file 'profiles/apparmor.d/abstractions/base'
> --- profiles/apparmor.d/abstractions/base       2013-04-09 13:18:40 +0000
> +++ profiles/apparmor.d/abstractions/base       2016-04-14 12:13:08 +0000
> @@ -26,12 +26,14 @@
>    /etc/locale/**                 r,
>    /etc/locale.alias              r,
>    /etc/localtime                 r,
> +  /usr/share/locale-bundle/**    r,
>    /usr/share/locale-langpack/**  r,
>    /usr/share/locale/**           r,
>    /usr/share/**/locale/**        r,
>    /usr/share/zoneinfo/           r,
>    /usr/share/zoneinfo/**         r,
>    /usr/share/X11/locale/**       r,
> +  /{,var/}run/systemd/journal/dev-log w,
>  
>    /usr/lib{,32,64}/locale/**             mr,
>    /usr/lib{,32,64}/gconv/*.so            mr,
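Review bot: `/{,var/}run/systemd/journal/dev-log w,` is dropped into the middle of a run of read-only locale and zoneinfo rules with no comment, and it is the only write rule in that group, so it reads as a stray line. A short comment such as `# syslog socket provided by systemd-journald (equivalent of /dev/log)` above it, or moving it next to the existing log-socket rules elsewhere in base (outside this hunk), would make the intent visible to the next reader. Because this is abstractions/base, every profile that includes base inherits this write rule, which is worth stating in the comment.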
> @@ -103,6 +105,9 @@
>    # glibc malloc (man 5 proc)
>    @{PROC}/sys/vm/overcommit_memory r,
>  
> +  # Allow determining the highest valid capability of the running kernel
> +  @{PROC}/sys/kernel/cap_last_cap r,
> +
>    # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
>    # filesystems generally. This does not appreciably decrease security with
>    # Ubuntu profiles because the user is expected to have access to files owned
> 
> === modified file 'profiles/apparmor.d/abstractions/cups-client'
> --- profiles/apparmor.d/abstractions/cups-client        2012-01-06 16:45:34 +0000
> +++ profiles/apparmor.d/abstractions/cups-client        2016-04-14 12:13:08 +0000
> @@ -12,7 +12,7 @@
>    # discoverable system configuration for non-local cupsd
>    /etc/cups/client.conf   r,
>    # client should be able to talk the local cupsd
> -  /{,var/}run/cups/cups.sock w,
> +  /{,var/}run/cups/cups.sock rw,
>    # client should be able to read user-specified cups configuration
>    owner @{HOME}/.cups/client.conf r,
>    owner @{HOME}/.cups/lpoptions r,
> 
> === modified file 'profiles/apparmor.d/abstractions/fonts'
> --- profiles/apparmor.d/abstractions/fonts      2013-10-14 23:31:38 +0000
> +++ profiles/apparmor.d/abstractions/fonts      2016-04-14 12:13:08 +0000
> @@ -52,3 +52,6 @@
>  
>    # poppler CMap tables
>    /usr/share/poppler/cMap/**            r,
> +
> +  # data files for LibThai
> +  /usr/share/libthai/thbrk.tri          r,
> 
> === modified file 'profiles/apparmor.d/abstractions/freedesktop.org'
> --- profiles/apparmor.d/abstractions/freedesktop.org    2014-09-11 00:40:14 +0000
> +++ profiles/apparmor.d/abstractions/freedesktop.org    2016-04-14 12:13:08 +0000
> @@ -11,6 +11,7 @@
>  
>    # system configuration
>    /usr/share/applications/               r,
> +  /usr/share/applications/defaults.list  r,
>    /usr/share/applications/mimeinfo.cache r,
>    /usr/share/applications/*.desktop      r,
>    /usr/share/icons/               r,
> @@ -30,6 +31,7 @@
>    owner @{HOME}/.recently-used.xbel*    rw,
>    owner @{HOME}/.local/share/recently-used.xbel* rw,
>    owner @{HOME}/.config/user-dirs.dirs  r,
> +  owner @{HOME}/.config/mimeapps.list   r,
>    owner @{HOME}/.local/share/applications/               r,
>    owner @{HOME}/.local/share/applications/*.desktop      r,
>    owner @{HOME}/.local/share/applications/defaults.list  r,
> 
> === modified file 'profiles/apparmor.d/abstractions/nameservice'
> --- profiles/apparmor.d/abstractions/nameservice        2014-11-17 23:28:51 +0000
> +++ profiles/apparmor.d/abstractions/nameservice        2016-04-14 12:13:08 +0000
> @@ -26,12 +26,21 @@
>    /var/lib/extrausers/group  r,
>    /var/lib/extrausers/passwd r,
>  
> +  # When using sssd, the passwd and group files are stored in an alternate path
> +  # and the nss plugin also needs to talk to a pipe
> +  /var/lib/sss/mc/group   r,
> +  /var/lib/sss/mc/passwd  r,
> +  /var/lib/sss/pipes/nss  rw,
> +
>    /etc/resolv.conf        r,
>    # on systems using resolvconf, /etc/resolv.conf is a symlink to
>    # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
>    # /etc/resolvconf/run/resolv.conf
>    /{,var/}run/resolvconf/resolv.conf r,
>    /etc/resolvconf/run/resolv.conf r,
> +  # on systems using systemd's networkd, /etc/resolv.conf is a symlink to
> +  # /run/systemd/resolve/resolv.conf
> +  /{,var/}run/systemd/resolve/resolv.conf r,
>  
>    /etc/samba/lmhosts      r,
>    /etc/services           r,
> 
> === modified file 'profiles/apparmor.d/abstractions/p11-kit'
> --- profiles/apparmor.d/abstractions/p11-kit    2013-09-12 14:25:56 +0000
> +++ profiles/apparmor.d/abstractions/p11-kit    2016-04-14 12:13:08 +0000
> @@ -19,6 +19,9 @@
>    /usr/share/p11-kit/modules/  r,
>    /usr/share/p11-kit/modules/* r,
>  
> +  # gnome-keyring pkcs11 module
> +  owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
> +
>    # p11-kit also supports reading user configuration from ~/.pkcs11 depending
>    # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
>    # included in this abstraction.
> 
> === modified file 'profiles/apparmor.d/abstractions/php5'
> --- profiles/apparmor.d/abstractions/php5       2010-03-30 17:34:32 +0000
> +++ profiles/apparmor.d/abstractions/php5       2016-04-14 12:13:08 +0000
> @@ -11,8 +11,8 @@
>  # ------------------------------------------------------------------
>  
>    # shared snippets for config files
> -  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
> -  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
> +  /etc/php5/**/ r,
> +  /etc/php5/**.ini r,
>  
>    # Xlibs
>    /usr/X11R6/lib{,32,64}/lib*.so* mr,
> @@ -30,3 +30,6 @@
>  
>    # MySQL extension
>    /usr/share/mysql/** r,
> +
> +  # Zend opcache
> +  /tmp/.ZendSem.* rwlk,
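Review bot: `/tmp/.ZendSem.* rwlk,` grants write, link and lock on a predictable name in the shared /tmp without the `owner` qualifier. If OPcache always creates this file itself under the process's own uid, `owner /tmp/.ZendSem.* rwlk,` keeps the confined process from operating on a same-named file pre-created by another local user; whether any deployment legitimately shares the file across uids is not visible in this patch. A comment recording that decision either way would help, since this abstraction is pulled into web-server profiles.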
> 
> === modified file 'profiles/apparmor.d/abstractions/samba'
> --- profiles/apparmor.d/abstractions/samba      2013-12-23 21:16:59 +0000
> +++ profiles/apparmor.d/abstractions/samba      2016-04-14 12:13:08 +0000
> @@ -13,7 +13,7 @@
>    /usr/share/samba/*.dat r,
>    /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
>    /var/cache/samba/ w,
> -  /var/lib/samba/**.tdb rwk,
> +  /var/lib/samba/** rwk,
>    /var/log/samba/cores/ rw,
>    /var/log/samba/cores/** rw,
>    /var/log/samba/log.* w,
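Review bot: `/var/lib/samba/** rwk,` replaces a rule scoped to tdb databases with write and lock access to every file under /var/lib/samba, and because this is an abstraction every profile that includes it inherits the widening. If the 2.9 change was driven by specific additional file types, naming them — e.g. `/var/lib/samba/**.{tdb,ldb} rwk,` — keeps the write set explicit; the motivating case is not visible here. A one-line comment above the rule recording why the whole tree is needed would help the next reviewer in either case.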
> 
> === modified file 'profiles/apparmor.d/abstractions/ssl_certs'
> --- profiles/apparmor.d/abstractions/ssl_certs  2013-11-25 23:42:19 +0000
> +++ profiles/apparmor.d/abstractions/ssl_certs  2016-04-14 12:13:08 +0000
> @@ -12,6 +12,10 @@
>    /etc/ssl/ r,
>    /etc/ssl/certs/ r,
>    /etc/ssl/certs/* r,
> +  /etc/pki/trust/ r,
> +  /etc/pki/trust/* r,
> +  /etc/pki/trust/anchors/ r,
> +  /etc/pki/trust/anchors/** r,
>    /usr/share/ca-certificates/ r,
>    /usr/share/ca-certificates/** r,
>    /usr/share/ssl/certs/ca-bundle.crt          r,
> @@ -19,3 +23,7 @@
>    /usr/local/share/ca-certificates/** r,
>    /var/lib/ca-certificates/ r,
>    /var/lib/ca-certificates/** r,
> +
> +  # acmetool
> +  /var/lib/acme/certs/*/chain r,
> +  /var/lib/acme/certs/*/cert r,
> 
> === modified file 'profiles/apparmor.d/abstractions/ssl_keys'
> --- profiles/apparmor.d/abstractions/ssl_keys   2010-12-20 20:29:10 +0000
> +++ profiles/apparmor.d/abstractions/ssl_keys   2016-04-14 12:13:08 +0000
> @@ -16,3 +16,7 @@
>    /etc/ssl/ r,
>    /etc/ssl/** r,
>  
> +  # acmetool
> +  /var/lib/acme/live/* r,
> +  /var/lib/acme/certs/** r,
> +  /var/lib/acme/keys/** r,
> 
> === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/java'
> --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/java     2013-01-03 23:37:41 +0000
> +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/java     2016-04-14 12:13:08 +0000
> @@ -12,6 +12,8 @@
>    /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
>    /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
>    /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
> +  owner /{,var/}run/user/*/icedteaplugin-*/   rw,
> +  owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
>  
>    # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
>    # unfortunate workarounds of the proprietary Javas, so have a separate
> 
> === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia'
> --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia       2013-01-09 23:15:59 +0000
> +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia       2016-04-14 12:13:08 +0000
> @@ -55,3 +55,6 @@
>  
>    # Virus scanners
>    /usr/bin/clamscan Cx -> sanitized_helper,
> +
> +  # gxine (LP: #1057642)
> +  /var/lib/xine/gxine.desktop r,
> 
> === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common'
> --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common   2012-01-17 14:22:11 +0000
> +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common   2016-04-14 12:13:08 +0000
> @@ -5,10 +5,10 @@
>    #
>    @{PROC}/[0-9]*/fd/ r,
>    /usr/lib/** rm,
> -  /bin/bash ixr,
> -  /bin/dash ixr,
> -  /bin/grep ixr,
> -  /bin/sed ixr,
> +  /{,usr/}bin/bash ixr,
> +  /{,usr/}bin/dash ixr,
> +  /{,usr/}bin/grep ixr,
> +  /{,usr/}bin/sed ixr,
>    /usr/bin/m4 ixr,
>  
>    # Since all the ubuntu-browsers.d abstractions need this, just include it
> 
> === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration'
> --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration       2013-07-01 15:51:11 +0000
> +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration       2016-04-14 12:13:08 +0000
> @@ -33,3 +33,9 @@
>    /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
>    /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
>    /etc/xdg/xfce4/helpers.rc r,
> +
> +  # unity webapps integration. Could go in its own abstraction
> +  owner /run/user/*/dconf/user rw,
> +  owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
> +  /usr/bin/debconf-communicate Cxr -> sanitized_helper,
> +  owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
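Review bot: `owner /run/user/*/dconf/user rw,` spells the runtime directory as `/run/user/` while the other rules added by this backport (the icedteaplugin rules in ubuntu-browsers.d/java and the keyring rule in p11-kit) use the `/{,var/}run/` alternation. `owner /{,var/}run/user/*/dconf/user rw,` keeps the profile set consistent and also covers layouts where /var/run is a real directory rather than a symlink to /run.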
> 
> === modified file 'profiles/apparmor.d/abstractions/ubuntu-email'
> --- profiles/apparmor.d/abstractions/ubuntu-email       2012-05-18 20:30:22 +0000
> +++ profiles/apparmor.d/abstractions/ubuntu-email       2016-04-14 12:13:08 +0000
> @@ -10,6 +10,8 @@
>    /usr/bin/balsa Cx -> sanitized_helper,
>    /usr/bin/claws-mail Cx -> sanitized_helper,
>    /usr/bin/evolution Cx -> sanitized_helper,
> +  /usr/bin/geary Cx -> sanitized_helper,
> +  /usr/bin/gnome-gmail Cx -> sanitized_helper,
>    /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
>    /usr/bin/kmail Cx -> sanitized_helper,
>    /usr/bin/mailody Cx -> sanitized_helper,
> 
> === modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers'
> --- profiles/apparmor.d/abstractions/ubuntu-helpers     2013-01-03 23:44:14 +0000
> +++ profiles/apparmor.d/abstractions/ubuntu-helpers     2016-04-14 12:13:08 +0000
> @@ -33,6 +33,7 @@
>  
>  profile sanitized_helper {
>    #include <abstractions/base>
> +  #include <abstractions/X>
>  
>    # Allow all networking
>    network inet,
> @@ -53,11 +54,15 @@
>    # permissions for /usr/share, but for now just do this. (LP: #972367)
>    /usr/share/software-center/* Pixr,
>  
> +  # Allow exec of texlive font build scripts (LP: #1010909)
> +  /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
> +
>    # While the chromium and chrome sandboxes are setuid root, they only link
>    # in limited libraries so glibc's secure execution should be enough to not
>    # require the santized_helper (ie, LD_PRELOAD will only use standard system
>    # paths (man ld.so)).
>    /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
> +  /usr/lib/chromium-browser/chrome-sandbox PUxr,
>    /opt/google/chrome/chrome-sandbox PUxr,
>    /opt/google/chrome/google-chrome Pixr,
>    /opt/google/chrome/chrome Pixr,
> 
> === modified file 'profiles/apparmor.d/abstractions/user-mail'
> --- profiles/apparmor.d/abstractions/user-mail  2010-12-22 22:55:18 +0000
> +++ profiles/apparmor.d/abstractions/user-mail  2016-04-14 12:13:08 +0000
> @@ -1,6 +1,7 @@
>  # ------------------------------------------------------------------
>  #
>  #    Copyright (C) 2002-2006 Novell/SUSE
> +#    Copyright (C) 2014 Canonical Ltd.
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -12,8 +13,8 @@
>    owner @{HOME}/[mM]ail/      r,
>    owner @{HOME}/[mM]ail/**    rwl,
>    owner @{HOME}/postponed*    rwl,
> -  /var/spool/mail/      r,
> -  /var/spool/mail/*     rwl,
> +  /var/{,spool/}mail/         r,
> +  /var/{,spool/}mail/*        rwl,
>    owner @{HOME}/mbox.lock*    rwl,
>    owner @{HOME}/mbox          rw,
>    owner @{HOME}/inbox         rw,
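Review bot: The rewritten `/var/{,spool/}mail/ r,` and `/var/{,spool/}mail/* rwl,` still carry no `owner` qualifier, unlike the neighbouring `@{HOME}` rules in the same hunk, so a process confined by any profile including this abstraction can write and link to every user's spool mailbox. If the consumers only touch the invoking user's own mailbox, `owner /var/{,spool/}mail/* rwl,` narrows it; whether any including profile relies on cross-user spool access is not visible here. The missing qualifier is carried over from the removed lines, so it may belong in a follow-up rather than in this backport.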
> 
> === modified file 'profiles/apparmor.d/apache2.d/phpsysinfo'
> --- profiles/apparmor.d/apache2.d/phpsysinfo    2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/apache2.d/phpsysinfo    2016-04-14 12:13:08 +0000
> @@ -5,36 +5,44 @@
>      #include <abstractions/apache2-common>
>      #include <abstractions/base>
>      #include <abstractions/nameservice>
> +    #include <abstractions/php5>
>      #include <abstractions/python>
>  
> -    /bin/dash ixr,
> -    /bin/df ixr,
> -    /bin/mount ixr,
> -    /bin/uname ixr,
> +    /{,usr/}bin/dash ixr,
> +    /{,usr/}bin/df ixr,
> +    /{,usr/}bin/mount ixr,
> +    /{,usr/}bin/uname ixr,
>      /dev/bus/usb/ r,
>      /dev/bus/usb/** r,
>      /etc/debian_version r,
>      /etc/lsb-release r,
>      /etc/mtab r,
>      /etc/phpsysinfo/config.php r,
> +    /etc/udev/udev.conf r,
>      /proc/** r,
> +    /sys/bus/ r,
>      /sys/bus/pci/devices/ r,
> +    /sys/bus/pci/slots/ r,
> +    /sys/bus/pci/slots/** r,
> +    /sys/bus/usb/devices/ r,
> +    /sys/class/ r,
>      /sys/devices/** r,
> +    /usr/bin/ r,
>      /usr/bin/apt-cache ixr,
>      /usr/bin/dpkg-query ixr,
>      /usr/bin/lsb_release ixr,
>      /usr/bin/lspci ixr,
>      /usr/bin/who ixr,
> -    /usr/sbin/lsusb ixr,
> +    /usr/{,s}bin/lsusb ixr,
>      /usr/share/phpsysinfo/** r,
> +    /var/lib/dpkg/arch r,
>      /var/lib/dpkg/available r,
>      /var/lib/dpkg/status r,
>      /var/lib/dpkg/triggers/* r,
>      /var/lib/dpkg/updates/ r,
> -    /var/lib/misc/usb.ids r,
> +    /var/lib/{misc,usbutils}/usb.ids r,
>      /var/log/apache2/access.log w,
>      /var/log/apache2/error.log w,
>      /{,var/}run/utmp rk,
>      /usr/share/misc/pci.ids r,
> -
>    }
> 
> === modified file 'profiles/apparmor.d/sbin.syslog-ng'
> --- profiles/apparmor.d/sbin.syslog-ng  2012-01-09 12:28:25 +0000
> +++ profiles/apparmor.d/sbin.syslog-ng  2016-04-14 12:13:08 +0000
> @@ -20,6 +20,7 @@
>    #include <abstractions/consoles>
>    #include <abstractions/nameservice>
>    #include <abstractions/mysql>
> +  #include <abstractions/openssl>
>  
>    capability chown,
>    capability dac_override,
> @@ -34,7 +35,10 @@
>    /dev/syslog w,
>    /dev/tty10 rw,
>    /dev/xconsole rw,
> +  /etc/machine-id r,
>    /etc/syslog-ng/* r,
> +  /etc/syslog-ng/conf.d/ r,
> +  /etc/syslog-ng/conf.d/* r,
>    @{PROC}/kmsg r,
>    /etc/hosts.deny r,
>    /etc/hosts.allow r,
> @@ -47,6 +51,10 @@
>    @{CHROOT_BASE}/var/log/** w,
>    @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
>    @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
> +  /{var,var/run,run}/log/journal/ r,
> +  /{var,var/run,run}/log/journal/*/ r,
> +  /{var,var/run,run}/log/journal/*/*.journal r,
> +  /{var/,}run/syslog-ng.ctl a,
>    /{var/,}run/syslog-ng/additional-log-sockets.conf r,
>  
>    # Site-specific additions and overrides. See local/README for details.
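Review bot: `/{var/,}run/syslog-ng.ctl a,` overlaps with `@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,` four lines above — `w` already includes append — so unless @{CHROOT_BASE} expands to a non-empty prefix (its definition is outside this hunk) the new line is redundant, and the two different spellings of the `{var/,}run` alternation make the duplication hard to spot. Either fold it into the existing rule or add a comment stating why a separate non-chroot path with append-only access is needed.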
> 
> === modified file 'profiles/apparmor.d/usr.sbin.identd'
> --- profiles/apparmor.d/usr.sbin.identd 2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/usr.sbin.identd 2016-04-14 12:13:08 +0000
> @@ -23,7 +23,9 @@
>    /usr/sbin/identd        rmix,
>    @{PROC}/net/tcp          r,
>    @{PROC}/net/tcp6         r,
> -  /{,var/}run/identd.pid      w,
> +  /{,var/}run/identd.pid   w,
> +  /{,var/}run/identd/           w,
> +  /{,var/}run/identd/identd.pid w,
>  
>    # Site-specific additions and overrides. See local/README for details.
>    #include <local/usr.sbin.identd>
> 
> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd   2014-08-11 21:24:23 +0000
> +++ profiles/apparmor.d/usr.sbin.smbd   2016-04-14 12:13:08 +0000
> @@ -17,6 +17,7 @@
>    capability net_bind_service,
>    capability setgid,
>    capability setuid,
> +  capability sys_admin,  # needed to store ACLS in the security.NTACL namespace
>    capability sys_resource,
>    capability sys_tty_config,
>  
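Review bot: `capability sys_admin,` is the broadest capability a profile can grant, and the trailing comment names only the narrow use (writing the security.NTACL xattr), so a later reader may take it for a limited grant. Since writing security.* xattrs requires CAP_SYS_ADMIN and no narrower capability covers it, the comment should say so explicitly, e.g. `# writing security.* xattrs (NTACL storage) requires CAP_SYS_ADMIN; no narrower capability exists, so this grants far more than xattr access` (also `ACLS` → `ACLs`). The profile body continues outside the hunk.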
> 
> === modified file 'profiles/apparmor.d/usr.sbin.smbldap-useradd'
> --- profiles/apparmor.d/usr.sbin.smbldap-useradd        2012-01-10 18:06:24 +0000
> +++ profiles/apparmor.d/usr.sbin.smbldap-useradd        2016-04-14 12:13:08 +0000
> @@ -8,7 +8,7 @@
>    #include <abstractions/perl>
>  
>    /dev/tty rw,
> -  /bin/bash ix,
> +  /{,usr/}bin/bash ix,
>    /etc/init.d/nscd Cx,
>    /etc/shadow r,
>    /etc/smbldap-tools/smbldap.conf r,
> @@ -26,9 +26,9 @@
>  
>      capability sys_ptrace,
>  
> -    /bin/bash r,
> -    /bin/mountpoint rix,
> -    /bin/systemctl rix,
> +    /{,usr/}bin/bash r,
> +    /{,usr/}bin/mountpoint rix,
> +    /{,usr/}bin/systemctl rix,
>      /dev/tty rw,
>      /etc/init.d/nscd r,
>      /etc/rc.status r,
> 
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> Multitasking - one computer keeps several users/admins busy.


