Commit 3fc8752c authored by André Magalhães

Remove some user related obsolete AppArmor abstraction/tunables

Remove abstractions:
- chaiwala-execution
- chaiwala-user-read
- chaiwala-user-write

Remove tunables:
- chaiwala-user
Signed-off-by: Andre Moreira Magalhaes (andrunko) <andre.magalhaes@collabora.co.uk>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D6669
parent 14677c69
# FIXME: This does nothing. https://phabricator.apertis.org/T3592
# vim:syntax=apparmor
#
# Copyright (C) 2012-2015 Collabora Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
###
# <abstractions/chaiwala-user-read>: allow reading miscellaneous user files
#
# This abstraction gives the confined process read access to the entire
# home directory, as well as several obsolete directories that no
# longer exist. It is a mixture of per-app and general paths, which
# seems undesired; in particular, blanket access to @{HOME} and
# @{XDGRUNTIMEDIR} seems like a bad idea.
# See https://phabricator.apertis.org/T3599
#
# Status: Apertis-specific, deprecated, candidate for deletion
# Privilege level: elevated privilege
# Known users: none
# Dependencies: <tunables/chaiwala/chaiwala-user>, <tunables/global>
###
owner @{APPLICATION_DATA_USER}/ r,
owner @{APPLICATION_DATA_USER}/** r,
owner @{APPLICATION_DATA_EVERYONE}/ r,
owner @{APPLICATION_DATA_EVERYONE}/** r,
owner @{APPLICATION_CACHE_USER}/ r,
owner @{APPLICATION_CACHE_USER}/** r,
owner @{USER_DATA_GENERAL}/ r,
owner @{USER_DATA_GENERAL}/** r,
owner @{XDGRUNTIMEDIR}/ r,
owner @{XDGRUNTIMEDIR}/** r,
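Review bot: "Known users: none" in the chaiwala-user-read header only records what was known when that comment was written, so before the file goes it is worth grepping the profiles shipped by this package and by app-bundles for `#include <abstractions/chaiwala-user-read>`. apparmor_parser refuses to compile a profile whose plain #include target is missing, so a leftover reference would break that profile after the upgrade. A changelog line naming the removed abstraction would help anyone who hits that.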
# vim:syntax=apparmor
#
# Copyright (C) 2012-2015 Collabora Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
###
# <abstractions/chaiwala-user-write>: never use this
#
# This abstraction gives the confined process write access to the entire
# home directory, as well as several obsolete directories that no
# longer exist. It is a mixture of per-app and general paths, and can
# easily be used to escalate privileges into the TCB for protection between
# app-bundles. See https://phabricator.apertis.org/T3600
#
# Status: Apertis-specific, deprecated, should be deleted
# Privilege level: very elevated, neutralises protection between app-bundles
# Known users: none
# Dependencies: <tunables/chaiwala/chaiwala-user>, <tunables/global>
###
owner @{APPLICATION_DATA_USER}/ r,
owner @{APPLICATION_DATA_USER}/** rw,
owner @{APPLICATION_DATA_EVERYONE}/ r,
owner @{APPLICATION_DATA_EVERYONE}/** rw,
owner @{APPLICATION_CACHE_USER}/ r,
owner @{APPLICATION_CACHE_USER}/** rw,
owner @{USER_DATA_GENERAL}/ r,
owner @{USER_DATA_GENERAL}/** rw,
owner @{XDGRUNTIMEDIR}/ r,
owner @{XDGRUNTIMEDIR}/** rw,
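Review bot: The commit message describes chaiwala-user-write only as "obsolete", while the file's own header says "never use this" and "Privilege level: very elevated, neutralises protection between app-bundles", citing T3600. Please reference T3600 (and T3599 for the read variant) in the commit message so the removal is traceable as closing a confinement gap and not just as cleanup.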
# vim:syntax=apparmor
#
# Copyright (C) 2012-2015 Collabora Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
###
# <tunables/chaiwala/chaiwala-user>: paths for miscellaneous user files
#
# Before including this, the user needs to define @{CURRENT_APPLICATION}
# local to current profile. This is the only way to be able to use a
# application-specific path from a non profile/application dependant context.
# Still, APPLICATION_DATA_USER will match all the users' data for this
# application. Profile needs to be sure to use the "owner" conditional to be
# sure only user's data can be matched.
#
# For example:
#
# @{CURRENT_APPLICATION}=Empathy
# #include <tunables/chaiwala/chaiwala-user>
#
# profile /usr/bin/empathy {
# ...
# owner @{APPLICATION_DATA_USER}/ r,
# owner @{APPLICATION_DATA_USER}/** rw,
# ...
# }
#
# These tunables are likely to be removed:
# https://phabricator.apertis.org/T3629
#
# @{CURRENT_APPLICATION} has been superseded by the bundle ID.
#
# @{SYSTEM_RUNTIME_DIR} does not exist; its purpose is unknown.
#
# @{APPLICATION_DATA_USER} and @{APPLICATION_CACHE_USER} have been
# superseded by the rules recommended in the Apertis App Bundle Specification
# (basically "owner /var/Applications/BUNDLE/users/**").
#
# Status: Apertis-specific, deprecated, candidate for deletion
# Known users: <abstractions/chaiwala-user-{read,write}>
# Dependencies: <tunables/global>
###
@{SYSTEM_RUNTIME_DIR}=/var/lib/system runtime/
@{APPLICATION_DATA_USER}=/Applications/@{CURRENT_APPLICATION}/Storage/*/
@{APPLICATION_DATA_EVERYONE}=/Applications/Everyone Storage/
@{APPLICATION_CACHE_USER}=@{HOME}/.cache/@{CURRENT_APPLICATION}/
@{USER_DATA_GENERAL}=@{HOME}
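Review bot: The migration guidance for these variables exists only in the header being deleted here: @{CURRENT_APPLICATION} is superseded by the bundle ID, and @{APPLICATION_DATA_USER} / @{APPLICATION_CACHE_USER} by rules of the form "owner /var/Applications/BUNDLE/users/**". Carry that into the changelog entry or the commit message, along with the T3629 reference, so that a profile author who still defines @{CURRENT_APPLICATION} and includes <tunables/chaiwala/chaiwala-user> can find what to replace it with once the file is gone.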
/etc/apparmor.d/abstractions
/etc/apparmor.d/tunables/chaiwala
etc/apparmor.d/abstractions
etc/apparmor.d/lib.systemd.systemd-logind
etc/apparmor.d/tunables
etc/apparmor.d/usr.lib.libreoffice
rm_conffile /etc/apparmor.d/abstractions/chaiwala-execution UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/chaiwala-user-read UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/chaiwala-user-write UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/tunables/chaiwala/chaiwala-user UNRELEASED chaiwala-apparmor-profiles
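Review bot: All four rm_conffile lines carry UNRELEASED in the prior-version field, which is a changelog distribution name and not a package version. dpkg-maintscript-helper compares that field against the version being upgraded from, so it has to become the real version of chaiwala-apparmor-profiles that drops these conffiles before the package is uploaded. If a release script substitutes it, a comment saying so would make that visible here.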
......@@ -33,6 +33,7 @@ Description: nodm apparmor secured session
Package: chaiwala-apparmor-profiles
Architecture: all
Pre-Depends: ${misc:Pre-Depends}
Depends:
apparmor (>= 2.10.95-0ubuntu2.5co3),
${misc:Depends},
......
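Review bot: The @@ header shows the chaiwala-apparmor-profiles stanza growing by one line (6 to 7), and the commit message does not mention any packaging change. If the added line is `Pre-Depends: ${misc:Pre-Depends}` in support of the rm_conffile maintscript entries, please say so in the commit message so the dependency change is not mistaken for an unrelated edit.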