openSUSE profile additions
Thanks. They should be integrated now. I figured out that some of the rules were already in the project ;)
I was wondering, my experience with rpm packages is very limited, do you know if there is a way to build your package from local source instead of using a git tarball? This is the default for debian and very easy to do for arch, but I don't find a clean way for opensuse.
Edit: found the solution.
A month later, I have some more profile additions: aa-2023-10-09.txt
Oh, and the git profile doesn't cover the binary path used on Tumbleweed: /usr/libexec/git/git
You'll also need to update the profiles that allow to exec git - a quick grep lists etckeeper, hugo, onefetch, pass, repo and youtube-dl.
Thanks, there are fewer logs, that may be a good sign ;)
Indeed :-)
I see you edited away your question about git, but I'll answer it anyway ;-)
cb@tux:~> ls -l /usr/bin/git* | grep ^l
lrwxrwxrwx 1 root root 18 26. Sep 22:17 /usr/bin/git -> ../libexec/git/git*
lrwxrwxrwx 1 root root 28 26. Sep 22:17 /usr/bin/git-cvsserver -> ../libexec/git/git-cvsserver*
lrwxrwxrwx 1 root root 18 26. Sep 22:17 /usr/bin/git-receive-pack -> ../libexec/git/git*
lrwxrwxrwx 1 root root 24 26. Sep 22:17 /usr/bin/git-shell -> ../libexec/git/git-shell*
lrwxrwxrwx 1 root root 18 26. Sep 22:17 /usr/bin/git-upload-archive -> ../libexec/git/git*
lrwxrwxrwx 1 root root 3 26. Sep 22:17 /usr/bin/git-upload-pack -> git*
The rule should be integrated now.
Do we agree that:
- In xrdb: @{lib}/gcc/@{multiarch}/@{int}*/cc1 should catch /usr/lib64/gcc/x86_64-suse-linux/13/cc1?
- In kded5: @{user_share_dirs}/kcookiejar/cookies.IsPUUI rk -> @{user_share_dirs}/kcookiejar/#24084753, is caught by: https://github.com/roddhjav/apparmor.d/blob/f5e3c86c6c44be016d55f3b26f5f221030d13de9/apparmor.d/groups/kde/kded5#L110-L112
I'm afraid I can't really agree ;-)
@{multiarch} is defined as @{multiarch}=*-linux-gnu* which does not match x86_64-suse-linux
kded5 also still gives me denials even with the rules you mentioned in place: apparmor="ALLOWED" operation="link" class="file" profile="kded5" name="/home/cb/.local/share/kcookiejar/cookies.TCNciF" pid=4792 comm="kded5" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="/home/cb/.local/share/kcookiejar/#24111969" (but I'm not sure what's wrong with the existing rules - at least on a quick look they should match)
Also, the git profile still doesn't match the path on Tumbleweed (/usr/libexec/git/git). Note that the allowed paths only allow .../git-core/git, but not .../git/git.
For some more boring denials, see the attached apparmor-2023-10-12.txt
@{multiarch} is defined as @{multiarch}=*-linux-gnu* which does not match x86_64-suse-linux
Good point. I am wondering if in this case, @{multiarch} should be set to something like @{multiarch}=*-linux-gnu* *suse-linux* on opensuse. Because it seems to be a logical use of the @{multiarch} variable.
Also, the git profile still doesn't match the path on Tumbleweed
My bad, I forgot to commit my changes... This is pushed now.
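The @{multiarch} mismatch discussed above can be checked offline with a small model of AppArmor variable expansion and globbing. This is an added example, not part of the thread or of the apparmor.d project: the function names are hypothetical, the @{lib} and @{int} values are simplified stand-ins assumed for illustration, and only @{multiarch} and the rule and path are taken from the thread.

```python
import re

# @{multiarch} is the value quoted in the thread; @{lib} and @{int} are
# simplified stand-ins assumed for this example.
UPSTREAM = {
    "lib": ["/{usr/,}lib{,exec,32,64}"],
    "int": ["[0-9]{[0-9],}{[0-9],}"],
    "multiarch": ["*-linux-gnu*"],
}
OPENSUSE = dict(UPSTREAM, multiarch=["*-linux-gnu*", "*suse-linux*"])  # idea from the thread

def expand(rule, tunables):
    """Substitute @{var}; a multi-valued variable becomes an alternation."""
    def sub(match):
        values = tunables[match.group(1)]
        return values[0] if len(values) == 1 else "{" + ",".join(values) + "}"
    return re.sub(r"@\{(\w+)\}", sub, rule)

def glob_to_regex(glob):
    """AppArmor globbing: * and ? stop at '/', ** crosses it, {a,b} alternates."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        char = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 1
        elif char == "*":
            out.append("[^/]*")
        elif char == "?":
            out.append("[^/]")
        elif char == "{":
            out.append("(?:")
            depth += 1
        elif char == "}":
            out.append(")")
            depth -= 1
        elif char == "," and depth > 0:
            out.append("|")
        elif char == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])
            i = end
        else:
            out.append(re.escape(char))
        i += 1
    return re.compile("".join(out))

def rule_matches(rule, path, tunables):
    return glob_to_regex(expand(rule, tunables)).fullmatch(path) is not None
```

Because `*` never crosses a `/`, adding `*suse-linux*` widens only the single directory component that names the target triplet; the rest of the rule stays as strict as before.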
Extending @{multiarch} is an interesting idea. Give me a few days to think about it ;-)
In the meantime, I can offer some new denials, mostly for update-ca-certificates (probably triggered while restarting unbound, I started to create a profile for it): apparmor-2023-10-20.txt
Some more additions: apparmor-2023-10-22.txt