[apparmor] [patch] several updates for profiles/extras
Kees Cook
kees at ubuntu.com
Sun Apr 3 21:04:09 UTC 2011
Hi Christian,
Some things jumped out at me...
On Sun, Apr 03, 2011 at 10:28:35PM +0200, Christian Boltz wrote:
> === modified file 'profiles/apparmor/profiles/extras/bin.netstat'
> + capability sys_ptrace,
This should not be needed; that's not something netstat would ever need. I
suspect it's a false audit log due to running around in @{PROC}/*/ getting
tripped. I would rather see "deny capability sys_ptrace,".
> === modified file 'profiles/apparmor/profiles/extras/usr.bin.freshclam'
> + owner @{PROC}/*/status r,
I haven't seen this in my freshclam audit logs. How have you hit it?
> - /var/lib/clamav/clamav-* rw,
> - /var/lib/clamav/daily.cvd rw,
> - /var/lib/clamav/main.cvd rw,
> + /var/lib/clamav/ r,
> + /var/lib/clamav/** rw,
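Review bot: the added `/var/lib/clamav/** rw,` line is strictly broader than the three named entries it removes: `**` recurses into any subdirectory and matches any file name, and `rw` without an `owner` qualifier permits writes to files freshclam does not own. If the motivation is that the database file names vary, `/var/lib/clamav/* rw,` (single level) or `owner /var/lib/clamav/* rw,` keeps the grant scoped to the directory itself, and the commit message should name the denial that prompted the change.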
Why this change? Given the nature of that directory, I'd prefer the named
paths.
> === modified file 'profiles/apparmor/profiles/extras/usr.bin.man'
> + /usr/bin/man r,
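Review bot: `/usr/bin/man r,` grants only plain read of the profiled binary; if the underlying denial came from man mapping or re-executing itself, the rule would need `m` or `ix` rather than `r` alone (`/usr/bin/man mr,` or `/usr/bin/man rix,`). The audit line that motivated this addition would settle which it is and belongs in the commit message.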
Under what situation does it read itself?
-Kees
--
Kees Cook
Ubuntu Security Team