fae582b...
by
John Johansen <email address hidden>
Add xdg-open (and friends) abstraction
Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments.
Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers.
(cherry picked from commit d257afd3096b25f5d76e2575478c13d4f6930f9a)
622fc44b Add xdg-open (and friends) abstraction
af278ca6 exo-open: Fix denials on OpenSUSE
f07f0771 exo-open: Allow playing alert sounds
80514906 kde-open5: use dbus-network-manager-strict abstraction
ac08dc66 kde-open5: fix denies Ubuntu Eoan
501aada8 gio-open: fix denies Ubuntu Eoan
0a55babe exo-open: do not enable a11y by default
e77abfa5 exo-open: update comment about DBUS denial
d35faafd kde-open5: do not enable a11y by default
8b481d46 kde-open5: do not enable gstreamer support by default
162e5086 xdg-open: update usage example
dda6825...
by
Rich McAllister <email address hidden>
abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
In focal users of mdns get denials in apparmor confined applications.
An exampel can be found in the original bug below.
in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mnds.allow contains the domains to resolve with mDNS (in may case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)
Presumably cronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)