From: Mario Höllein Date: Mon, 8 Oct 2018 04:24:42 +0000 (+0200) Subject: committing changes in /etc after apt run X-Git-Url: https://git.hoellein.online/?a=commitdiff_plain;h=30dd32864692e3b2b259ca12e749c0348bb220be;p=zenbook committing changes in /etc after apt run Package changes: -apache2-bin 2.4.29-1ubuntu4.3 amd64 +apache2-bin 2.4.29-1ubuntu4.4 amd64 -apparmor 2.12-4ubuntu5 amd64 +apparmor 2.12-4ubuntu5.1 amd64 -firefox 62.0+build2-0ubuntu0.18.04.5 amd64 -firefox-locale-de 62.0+build2-0ubuntu0.18.04.5 amd64 +firefox 62.0.3+build1-0ubuntu0.18.04.1 amd64 +firefox-locale-de 62.0.3+build1-0ubuntu0.18.04.1 amd64 -gir1.2-javascriptcoregtk-4.0 2.20.5-0ubuntu0.18.04.1 amd64 +gir1.2-javascriptcoregtk-4.0 2.22.2-0ubuntu0.18.04.1 amd64 -gir1.2-webkit2-4.0 2.20.5-0ubuntu0.18.04.1 amd64 +gir1.2-webkit2-4.0 2.22.2-0ubuntu0.18.04.1 amd64 -imagemagick 8:6.9.7.4+dfsg-16ubuntu6.3 amd64 -imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.3 all -imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu6.3 amd64 -imagemagick-common 8:6.9.7.4+dfsg-16ubuntu6.3 all +imagemagick 8:6.9.7.4+dfsg-16ubuntu6.4 amd64 +imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.4 all +imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu6.4 amd64 +imagemagick-common 8:6.9.7.4+dfsg-16ubuntu6.4 all -initramfs-tools 0.130ubuntu3.3 all -initramfs-tools-bin 0.130ubuntu3.3 amd64 -initramfs-tools-core 0.130ubuntu3.3 all +initramfs-tools 0.130ubuntu3.5 all +initramfs-tools-bin 0.130ubuntu3.5 amd64 +initramfs-tools-core 0.130ubuntu3.5 all -libapparmor-perl 2.12-4ubuntu5 amd64 -libapparmor1 2.12-4ubuntu5 amd64 +libapparmor-perl 2.12-4ubuntu5.1 amd64 +libapparmor1 2.12-4ubuntu5.1 amd64 -libbrotli1 1.0.3-1ubuntu1 amd64 +libbrotli1 1.0.3-1ubuntu1.2 amd64 -libjavascriptcoregtk-4.0-18 2.20.5-0ubuntu0.18.04.1 amd64 +libjavascriptcoregtk-4.0-18 2.22.2-0ubuntu0.18.04.1 amd64 -liblouis-data 3.5.0-1ubuntu0.2 all -liblouis14 3.5.0-1ubuntu0.2 amd64 +liblouis-data 3.5.0-1ubuntu0.3 all +liblouis14 3.5.0-1ubuntu0.3 amd64 -libmagickcore-6.q16-3 
8:6.9.7.4+dfsg-16ubuntu6.3 amd64 -libmagickcore-6.q16-3-extra 8:6.9.7.4+dfsg-16ubuntu6.3 amd64 -libmagickwand-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.3 amd64 +libmagickcore-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.4 amd64 +libmagickcore-6.q16-3-extra 8:6.9.7.4+dfsg-16ubuntu6.4 amd64 +libmagickwand-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.4 amd64 -libmetacity1 1:3.28.0-1 amd64 +libmetacity1 1:3.28.0-1ubuntu0.1 amd64 -libwebkit2gtk-4.0-37 2.20.5-0ubuntu0.18.04.1 amd64 -libwebkit2gtk-4.0-37-gtk2 2.20.5-0ubuntu0.18.04.1 amd64 +libwebkit2gtk-4.0-37 2.22.2-0ubuntu0.18.04.1 amd64 +libwebkit2gtk-4.0-37-gtk2 2.22.2-0ubuntu0.18.04.1 amd64 -libwoff1 1.0.2-1 amd64 +libwoff1 1.0.2-1build0.1 amd64 -metacity 1:3.28.0-1 amd64 -metacity-common 1:3.28.0-1 all +metacity 1:3.28.0-1ubuntu0.1 amd64 +metacity-common 1:3.28.0-1ubuntu0.1 all -python3-louis 3.5.0-1ubuntu0.2 all +python3-louis 3.5.0-1ubuntu0.3 all --- diff --git a/ImageMagick-6/policy.xml b/ImageMagick-6/policy.xml index e3dd4d7..7a5658a 100644 --- a/ImageMagick-6/policy.xml +++ b/ImageMagick-6/policy.xml @@ -70,4 +70,9 @@ + + + + + diff --git a/apparmor.d/abstractions/private-files b/apparmor.d/abstractions/private-files index 3149b0d..0a659f1 100644 --- a/apparmor.d/abstractions/private-files +++ b/apparmor.d/abstractions/private-files 
@@ -13,13 +13,18 @@
 deny @{HOME}/.*.bak mrwkl,
 # special attention to (potentially) executable files
- audit deny @{HOME}/bin/** wl,
- audit deny @{HOME}/.config/autostart/** wl,
- audit deny @{HOME}/.config/upstart/** wl,
- audit deny @{HOME}/.init/** wl,
- audit deny @{HOME}/.kde{,4}/Autostart/** wl,
- audit deny @{HOME}/.kde{,4}/env/** wl,
- audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
+ audit deny @{HOME}/bin/{,**} wl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/autostart/{,**} wl,
+ audit deny @{HOME}/.config/upstart/{,**} wl,
+ audit deny @{HOME}/.init/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/ w,
+ audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/env/{,**} wl,
+ audit deny @{HOME}/.local/{,share/} w,
+ audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
+ audit deny @{HOME}/.pki/ w,
+ audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
 # don't allow reading/updating of run control files
 deny @{HOME}/.*rc mrk,
diff --git a/apparmor.d/abstractions/private-files-strict b/apparmor.d/abstractions/private-files-strict
index 91851b8..60ea72a 100644
--- a/apparmor.d/abstractions/private-files-strict
+++ b/apparmor.d/abstractions/private-files-strict
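Review bot: The new parent-directory rules in the private-files hunk (`audit deny @{HOME}/.config/ w,`, `@{HOME}/.kde{,4}/ w,`, `@{HOME}/.local/{,share/} w,`, `@{HOME}/.pki/ w,`) have no comment explaining why the parents are denied as well as the protected subtrees, and the same undocumented pattern recurs in the private-files-strict and ubuntu-browsers.d/user-files hunks. A deny rule cannot be re-allowed by a profile that includes the abstraction, so a confined program that needs to create one of these directories on first run will now be refused and logged. A line such as `# also deny writes to the parent dirs so a protected subtree cannot be renamed or replaced; profiles cannot re-allow this` above the block would help whoever later reads the `apparmor="DENIED"` audit entries. The rename/replace rationale is inferred from the shape of the rules, not stated on the page.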
@@ -5,17 +5,20 @@
 #include
 # potentially extremely sensitive files
- audit deny @{HOME}/.gnupg/** mrwkl,
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
 # don't allow access to any gnome-keyring modules
 audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
- audit deny @{HOME}/.mozilla/** mrwkl,
- audit deny @{HOME}/.config/chromium/** mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
- audit deny @{HOME}/.evolution/** mrwkl,
- audit deny @{HOME}/.config/evolution/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/user-files b/apparmor.d/abstractions/ubuntu-browsers.d/user-files
index 2b28d13..ffe6824 100644
--- a/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/user-files
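Review bot: The keyring rules in this hunk cover the legacy `@{HOME}/.gnome2/keyrings/` path and the per-user runtime directory, but nothing visible denies `@{HOME}/.local/share/keyrings/`, where current gnome-keyring keeps its stores. The `@{HOME}/.local/{,share/} w` rule added to private-files only blocks writes to the parent directories and does not stop reads below them. Consider `audit deny @{HOME}/.local/share/keyrings/{,**} mrwkl,` next to the `.gnome2/keyrings` line, kept in a site-local include if the packaged file should stay unmodified. The hunk starts at line 5 of the file and the `#include` target is not legible on this page, so confirm the path is not already covered elsewhere.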
@@ -8,12 +8,13 @@
 # Do not allow read and/or write to particularly sensitive/problematic files
 #include
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
 # Comment this out if using gpg plugin/addons
- audit deny @{HOME}/.gnupg/** mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
 # Allow read to all files user has DAC access to and write for files the user
 # owns on removable media and filesystems.
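Review bot: This browser list repeats a subset of the private-files-strict denies by hand, and within the visible lines the two have drifted. `.ssh`, `.gnome2_private`, kwallet and `.gnupg` are covered here, but the `@{HOME}/.gnome2/keyrings/{,**}` rule from private-files-strict has no counterpart. If the omission is deliberate, a comment saying so would prevent it being read as an oversight; otherwise add `audit deny @{HOME}/.gnome2/ w,` and `audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,` after the `.gnome2_private` line. The file continues past the hunk and the `#include` target is not legible on this page, so the path may be handled elsewhere.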