[apparmor] [patch] several updates for profiles/extras

Christian Boltz apparmor at cboltz.de
Sun Apr 3 21:53:37 UTC 2011


Hello,

Am Sonntag, 3. April 2011 schrieb Kees Cook:
> Some things jumped out at me...
> 
> On Sun, Apr 03, 2011 at 10:28:35PM +0200, Christian Boltz wrote:
> > === modified file 'profiles/apparmor/profiles/extras/bin.netstat'
> > +  capability sys_ptrace,
> 
> This should not be needed; that's not something netstat would ever
> need. I suspect it's a false audit log due to running around in
> @{PROC}/*/ getting tripped. I would rather see "deny capability
> sys_ptrace,"

Hmmm... I just tested that:
- removed the sys_ptrace line completely
- ran netstat -tulpen
- aa-logprof asked for sys_ptrace -> deny

Afterwards, I ran netstat -tulpen again, and it worked. Therefore I'm
fine with the deny rule and changed the profile accordingly.

The patch for netstat now looks like this:

=== modified file 'profiles/apparmor/profiles/extras/bin.netstat'
--- profiles/apparmor/profiles/extras/bin.netstat
+++ profiles/apparmor/profiles/extras/bin.netstat
@@ -21,6 +21,7 @@
 
   capability dac_override,
   capability dac_read_search,
+  deny capability sys_ptrace,
 
   /bin/netstat rmix,
   /etc/networks r,
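Review bot: the `deny capability sys_ptrace,` rule is quiet by default, so the audit noise goes away, but the kernel gates reads of another uid's @{PROC}/[0-9]*/fd on CAP_SYS_PTRACE, so with the deny in place `netstat -tulpen` run as root may show `-` instead of the PID/program name for sockets belonging to non-root daemons. Worth confirming the PID column is still populated for such processes before committing; if you want to keep seeing whether the capability is ever genuinely requested, `audit deny capability sys_ptrace,` logs the denial instead of hiding it.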
@@ -29,4 +30,12 @@
   @{PROC}/[0-9]*/fd r,
   @{PROC}/net r,
   @{PROC}/net/* r,
+  @{PROC}/*/fd/ r,
+  owner @{PROC}/*/net/raw r,
+  owner @{PROC}/*/net/raw6 r,
+  owner @{PROC}/*/net/tcp r,
+  owner @{PROC}/*/net/tcp6 r,
+  owner @{PROC}/*/net/udp r,
+  owner @{PROC}/*/net/udp6 r,
+  owner @{PROC}/*/net/unix r,
 }
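Review bot: the `owner` qualifier on the new `@{PROC}/*/net/raw`, `tcp`, `udp`, `unix` rules only matches when the calling uid owns the proc entry, which holds for root but may not when an unprivileged user runs netstat; the existing `@{PROC}/net/* r,` covers the /proc/net symlink path while the resolved target is @{PROC}/<pid>/net/..., which is why these were learned, so please test the profile as a non-root user as well. Also, `@{PROC}/*/fd/ r,` uses a bare `*` where the existing `@{PROC}/[0-9]*/fd r,` above uses `[0-9]*`; the latter is the tighter match (it excludes non-pid entries such as @{PROC}/sys/), and keeping the two consistent makes the intent clearer.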

> > === modified file
> > 'profiles/apparmor/profiles/extras/usr.bin.freshclam' 
> > +  owner @{PROC}/*/status r,
> 
> I haven't seen this in my freshclam audit logs. How have you hit it?

Good question. As I said, my profiles grew over a long time.
I am sure _that_ I hit it, but I can't tell you _when/how_.

I just disabled this line and switched to complain mode - I'll see if it 
appears in audit.log.

> > -  /var/lib/clamav/clamav-* rw,
> > -  /var/lib/clamav/daily.cvd rw,
> > -  /var/lib/clamav/main.cvd rw,
> > +  /var/lib/clamav/ r,
> > +  /var/lib/clamav/** rw,
> 
> Why this change? 

Freshclam needed access to more files, and at one point I thought ** 
might be the easiest option.

> Given the nature of that directory, I'd prefer the named paths.

OK, then I'll change my production profile, switch to complain mode and 
collect some filenames in the next days ;-)

The first freshclam and logprof run showed me why I changed to ** - I 
now have 30 rules for files in /var/lib/clamav ;-)
I could merge most of those rules to
  owner /var/lib/clamav/clamav-*/clamav-*/daily.* rw,
Would that be OK for you?

I'll wait some days before I post the updated profile for freshclam - 
maybe there will be more...

> > === modified file 'profiles/apparmor/profiles/extras/usr.bin.man'
> > +  /usr/bin/man r,
> 
> Under what situation does it read itself?

It did at least once, but I have no idea when/why.
It did not on a short test on openSUSE 11.3, however that would have 
been too easy ;-)


BTW: Even if I posted everything in a collective patch, feel free to 
ACK/NAK per profile. I can then commit the ACKed files and post the 
remaining profiles after updating them.


Regards,

Christian Boltz
-- 
> [SuSE vs. SUSE] A good question. Maybe the friend of ... had
> a company which needed urgently some money?
Sorry, I can't follow you there. Do you mean there's a company
that sells capital U's?    [> Thorsten Kukuk and Rasmus Plewe]
