[apparmor] [patch] several updates for profiles/extras
Christian Boltz
apparmor at cboltz.de
Sun Apr 3 21:53:37 UTC 2011
Hello,
On Sunday, 3 April 2011, Kees Cook wrote:
> Some things jumped out at me...
>
> On Sun, Apr 03, 2011 at 10:28:35PM +0200, Christian Boltz wrote:
> > === modified file 'profiles/apparmor/profiles/extras/bin.netstat'
> > + capability sys_ptrace,
>
> This should not be needed; that's not something netstat would ever
> need. I suspect it's a false audit log due to running around in
> @{PROC}/*/ getting tripped. I would rather see "deny capability
> sys_ptrace,"
Hmmm... I just tested that:
- removed the sys_ptrace line completely
- ran netstat -tulpen
- aa-logprof asked for sys_ptrace -> deny
Afterwards, I ran netstat -tulpen again, and it worked. Therefore I'm
fine with the deny rule and changed the profile accordingly.
The patch for netstat now looks like this:
=== modified file 'profiles/apparmor/profiles/extras/bin.netstat'
--- profiles/apparmor/profiles/extras/bin.netstat
+++ profiles/apparmor/profiles/extras/bin.netstat
@@ -21,6 +21,7 @@
capability dac_override,
capability dac_read_search,
+ deny capability sys_ptrace,
/bin/netstat rmix,
/etc/networks r,
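Review bot: the `deny capability sys_ptrace,` line added at the top of this hunk silences the audit entry rather than granting anything, and the test described in the thread (netstat -tulpen still works with it denied) is the evidence that netstat does not need the capability; since an explicit deny wins over any later allow for the same capability, a short comment next to it saying the entry comes from walking @{PROC}/*/ would keep a future aa-logprof run from turning it back into an allow.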
@@ -29,4 +30,12 @@
@{PROC}/[0-9]*/fd r,
@{PROC}/net r,
@{PROC}/net/* r,
+ @{PROC}/*/fd/ r,
+ owner @{PROC}/*/net/raw r,
+ owner @{PROC}/*/net/raw6 r,
+ owner @{PROC}/*/net/tcp r,
+ owner @{PROC}/*/net/tcp6 r,
+ owner @{PROC}/*/net/udp r,
+ owner @{PROC}/*/net/udp6 r,
+ owner @{PROC}/*/net/unix r,
}
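Review bot: the new `@{PROC}/*/fd/ r,` line overlaps the existing `@{PROC}/[0-9]*/fd r,` two lines above it; a directory is matched with its trailing slash, so the older line most likely never matched the directory read that prompted this addition. Either drop the older line or write the new one in the same `[0-9]*` form, so it does not also cover /proc/self and other non-pid entries under @{PROC}. The `owner` prefix on the per-pid net/* lines is fine, since the unowned `@{PROC}/net/* r,` above already covers the tables netstat reads for other users' sockets.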
> > === modified file
> > 'profiles/apparmor/profiles/extras/usr.bin.freshclam'
> > + owner @{PROC}/*/status r,
>
> I haven't seen this in my freshclam audit logs. How have you hit it?
Good question. As I said, my profiles grew over a long time.
I am sure _that_ I hit it, but I can't tell you _when/how_.
I just disabled this line and switched to complain mode - I'll see if it
appears in audit.log.
> > - /var/lib/clamav/clamav-* rw,
> > - /var/lib/clamav/daily.cvd rw,
> > - /var/lib/clamav/main.cvd rw,
> > + /var/lib/clamav/ r,
> > + /var/lib/clamav/** rw,
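Review bot: `/var/lib/clamav/** rw,` also matches the empty string after the slash, so it grants rw on the /var/lib/clamav/ directory entry itself and on any file that later appears under it, not only the databases; that is the concrete reason named paths (with `owner` where freshclam creates the files) are the safer choice here.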
>
> Why this change?
Freshclam needed access to more files, and at one point I thought **
might be the easiest option.
> Given the nature of that directory, I'd prefer the named paths.
OK, then I'll change my production profile, switch to complain mode and
collect some filenames in the next days ;-)
The first freshclam and logprof run showed me why I changed to ** - I
now have 30 rules for files in /var/lib/clamav ;-)
I could merge most of those rules to
owner /var/lib/clamav/clamav-*/clamav-*/daily.* rw,
Would that be OK for you?
I'll wait some days before I post the updated profile for freshclam -
maybe there will be more...
> > === modified file 'profiles/apparmor/profiles/extras/usr.bin.man'
> > + /usr/bin/man r,
>
> Under what situation does it read itself?
It did at least once, but I have no idea when/why.
It did not on a short test on openSUSE 11.3, however that would have
been too easy ;-)
BTW: Even if I posted everything in a collective patch, feel free to
ACK/NAK per profile. I can then commit the ACKed files and post the
remaining profiles after updating them.
Regards,
Christian Boltz
--
> [SuSE vs. SUSE] A good question. Maybe the friend of ... had
> a company which needed urgently some money?
Sorry, I can't follow you there. Do you mean there's a company
that sells capital U's? [> Thorsten Kukuk and Rasmus Plewe]
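A way to check a candidate merged rule against the denials it is meant to cover, added here as an example and not part of this thread or of the AppArmor tools; the audit lines and the /var/lib/clamav paths are constructed, and the glob translator handles only `*`, `**` and `?`, which is enough for the rules discussed above.

```python
import re

# Constructed audit.log excerpt (not from the thread): AppArmor DENIED lines with
# invented /var/lib/clamav paths of the kind aa-logprof would show for freshclam.
AUDIT_LOG = """\
type=AVC msg=audit(1301866417.101:301): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/clamav-1234/clamav-5678/daily.cld" pid=4242 comm="freshclam" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1301866417.102:302): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/clamav-1234/clamav-5678/daily.cvd" pid=4242 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1301866417.103:303): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/clamav-1234/clamav-5678/daily.cld" pid=4242 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1301866417.104:304): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/clamav-1234/main.cvd" pid=4242 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

DENIED_RE = re.compile(r'apparmor="DENIED".*?name="([^"]+)".*?denied_mask="([^"]+)"')

def aa_glob_to_regex(pattern):
    """AppArmor path glob -> regex: '**' may cross '/', '*' and '?' may not.
    (Character classes and {a,b} alternation are not handled here.)"""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def denied_paths(log):
    """Map each denied path to the sorted union of its denied permission letters."""
    paths = {}
    for line in log.splitlines():
        m = DENIED_RE.search(line)
        if m:
            path, mask = m.groups()
            paths[path] = "".join(sorted(set(paths.get(path, "")) | set(mask)))
    return paths

def uncovered(log, rule_glob):
    """Denied paths that a rule with this path glob would still not match."""
    rx = aa_glob_to_regex(rule_glob)
    return sorted(p for p in denied_paths(log) if not rx.match(p))

# The merged rule from the thread: one path is left over and needs its own rule.
print(uncovered(AUDIT_LOG, "/var/lib/clamav/clamav-*/clamav-*/daily.*"))
```

Run the same check with `/var/lib/clamav/**` to see that the broad rule covers everything, including the directory itself, which is exactly why it was questioned.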