Alex (0bf6c829) at 20 Mar 23:42
Release apparmor.d v0.4906
Alex (d8b6f803) at 20 Mar 15:37
fix(build): dist configure script.
Alex (70134896) at 20 Mar 10:26
fix(profile): hwdb.bin link creation
Alex (d348e10b) at 16 Mar 23:40
fix(build): pci_bus has been cherry picked to all aa 4.1
Alex (d779c386) at 16 Mar 23:34
fix(build): pci_bus has been cherry picked to all aa 4.1
Alex (d0a68012) at 16 Mar 23:11
fix(build): pci_bus has been cherry picked to all aa 4.1
Alex (c783ce93) at 16 Mar 22:54
fix(build): fix minor parser bug.
Alex (192d04ea) at 16 Mar 17:02
Merge branch 'patch' of github.com:valoq/apparmor.d into valoq-patch
... and 84 more commits
I kind of disagree with the content of this abstraction. The main issue is that it is a mismatch of multiple things:
- graphics. Rules also required for common graphics access should thus not be here (e.g. igfx_user_feature, /sys/class/drm/, /sys/devices/system/node/ ...)
- X abstraction. It should not be here, but in the calling profile if required (spoiler alert: the calling profile will need it anyway).
- orcexec can be safely denied as long as you keep one (it allows us to deny the one on the shared path /tmp/)
From a security point of view, it does not matter that much, as the rules would be included anyway. However, from a maintainability and transparency point of view, it is a huge concern, as with such an abstraction we cannot say any more that these are the minimal set of rules for gstreamer, but something like that should be ok in most cases.
For reference in apparmor.d see:
- gstreamer-registry was a failed test; it could now be merged with gstreamer: I tested confining gstreamer and gstreamer plugin separately, but it turns out to be completely useless as they both need the same access.
Alex (ad8b1fa1) at 03 Mar 21:03
Release apparmor.d v0.4905
Alex (ce94eac0) at 27 Feb 19:43
feat: enable glycin namespace on apparmor 5.0
... and 6 more commits