[apparmor] [patch] openSUSE profile patches - part 1

Christian Boltz apparmor at cboltz.de
Sat Aug 6 11:46:28 UTC 2011


Hello,

the openSUSE apparmor package contains several profile patches. 
Jeff asked me to get them upstream ;-)

The first 5 patches are:

==> apparmor-2.5.1-edirectory-profile <==
From: Jeff Mahoney <jeffm at suse.com>
Subject: apparmor-profiles: Add support for eDirectory calls from nscd
References: bnc#621394

 eDirectory hooks into nscd and provides its own libraries. In order for
 this to operate properly with AppArmor, it needs to be told about these
 libraries.

 This patch adds a new abstract profile and includes it in the nameservice
 profile.

Signed-off-by: Jeff Mahoney <jeffm at suse.com>


==> apparmor-2.5.1-ldapclient-profile <==
- add profiles/apparmor.d/abstractions/ldapclient
- let profiles/apparmor.d/abstractions/nameservice use the new ldapclient abstraction


==> apparmor-2.5.1-ntpd-sys_nice <==
From: Jeff Mahoney <jeffm at suse.com>
Subject: profile: ntpd -N needs sys_nice
References: bnc#657054

 ntpd -N allows the administrator to increase or decrease priority of the
 ntp server. Since the profile doesn't allow it, the operation is denied.

 This patch adds support for that operation.


==> apparmor-2.5.1-ssl-fix <==
From: Jeff Mahoney <jeffm at suse.com>
Subject: profiles: Add openssl abstraction
References: bnc#623886

 Profiles that use openssl have been adding the openssl files piecemeal.

 This patch creates a new openssl abstraction that can be inherited by
 all profiles that use it.


Signed-off-by: Jeff Mahoney <jeffm at suse.com>

Patch for profiles/apparmor.d/abstractions/ssl_certs and
profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork (second chunk)
updated by Christian Boltz <apparmor at cboltz.de>
(didn't apply to master)


==> apparmor-2.6.0-dhcpd <==
From: Jeff Mahoney <jeffm at suse.com>
Subject: dhcpd: Fix apparmor profile
References: bnc#692428

 This patch adds the network rules needed, corrects the path to dhcpd.leases,
 and adds the path for TSIG DNS keys.

Reported-by: Andrew Beames <suseforum at roocomputing.co.uk>
Signed-off-by: Jeff Mahoney <jeffm at suse.com>

updated to match master by
Christian Boltz <apparmor at cboltz.de>

Question:
-  /var/lib/dhcp/dhcpd.leases*  rwl,
+  /var/lib/dhcp/db/dhcpd.leases*       rwl,

Should I use {,db/} for backward compatibility? Or was the path wrong 
from the beginning? (On openSUSE 11.4, the path with .../db/... is 
correct, and I don't have dhcpd running on an older system.)


Regards,

Christian Boltz
-- 
[Autoreply] That is almost as clever as greeting your caller with the text
"This is the automatic answering machine of the XY family unsolved. We
are currently travelling around the world and will not be back before
February 2004. To spare us unnecessary danger, please break in before we
return." [Paul Foerster in suse-laptop]
-------------- next part --------------
From: Jeff Mahoney <jeffm at suse.com>
Subject: apparmor-profiles: Add support for eDirectory calls from nscd
References: bnc#621394

 eDirectory hooks into nscd and provides its own libraries. In order for
 this to operate properly with AppArmor, it needs to be told about these
 libraries.

 This patch adds a new abstract profile and includes it in the nameservice
 profile.

Signed-off-by: Jeff Mahoney <jeffm at suse.com>
---
 profiles/apparmor.d/abstractions/nameservice       |    3 +++
 profiles/apparmor.d/abstractions/novell-edirectory |   13 +++++++++++++
 2 files changed, 16 insertions(+)

--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -72,6 +72,9 @@
   # kerberos
   #include <abstractions/kerberosclient>
 
+  # Novell eDirectory
+  #include <abstractions/novell-edirectory>
+
   # TCP/UDP network access
   network inet  stream,
   network inet6 stream,
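Review bot: the new `#include <abstractions/novell-edirectory>` is unconditional, so every profile that pulls in nameservice gains the eDirectory library reads, not only hosts that actually run eDirectory. That follows the pattern of the kerberosclient include directly above it, so it is consistent; a short comment that the paths are simply absent on systems without eDirectory would save the next reader the question of why a vendor-specific include sits in a generic abstraction.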
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/novell-edirectory
@@ -0,0 +1,13 @@
+# $Id$
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2010 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /opt/novell/eDirectory/lib/lib*so* r,
+  /opt/novell/eDirectory/lib64/lib*so* r,
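Review bot: `/opt/novell/eDirectory/lib/lib*so* r,` and its lib64 twin grant read only, but libraries that nscd loads via dlopen also need `m` (mmap with PROT_EXEC), so these rules should be `mr,`, as the existing `/usr/lib/sasl2/* mr,` line in usr.lib.postfix.smtpd later in this series does; with `r` alone the open succeeds and the mapping is denied. The `# $Id$` keyword line is also absent from the other new abstraction (ldapclient) in this series and can be dropped for consistency.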
-------------- next part --------------
---
 profiles/apparmor.d/abstractions/ldapclient  |   21 +++++++++++++++++++++
 profiles/apparmor.d/abstractions/nameservice |    8 +++-----
 2 files changed, 24 insertions(+), 5 deletions(-)

--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ldapclient
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
+  /etc/ldap.conf            r,
+  /etc/ldap.secret          r,
+  /etc/openldap/*           r,
+  /etc/openldap/cacerts/*   r,
+
+  # SASL plugins and config
+  /etc/sasl2/*              r,
+  /usr/lib{,32,64}/sasl2/*  r,
+
+  #include <abstractions/ssl_certs>
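Review bot: `/usr/lib{,32,64}/sasl2/*  r,` covers SASL plugins, which are shared objects dlopen'd by the client library and therefore need `mr,`, exactly as the `/usr/lib/sasl2/*  mr,` context line in usr.lib.postfix.smtpd shows; with `r` only, the mmap is denied. Note also that `/etc/ldap.secret` holds the bind password; it is carried over from nameservice unchanged, so this patch widens nothing, but a comment that every profile including nameservice can read it would document the exposure.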
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -16,8 +16,6 @@
   /etc/group              r,
   /etc/host.conf          r,
   /etc/hosts              r,
-  /etc/ldap.conf          r,
-  /etc/ldap.secret        r,
   /etc/nsswitch.conf      r,
   /etc/gai.conf           r,
   /etc/passwd             r,
@@ -32,9 +30,6 @@
 
   /etc/samba/lmhosts      r,
   /etc/services           r,
-  # all openldap config
-  /etc/openldap/*         r,
-  /etc/ldap/**            r,
   # db backend
   /var/lib/misc/*.db      r,
   # The Name Service Cache Daemon can cache lookups, sometimes leading
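Review bot: this hunk drops `/etc/ldap/**  r,` from nameservice, but the new ldapclient abstraction only re-adds `/etc/openldap/*` and `/etc/openldap/cacerts/*`, so systems that keep their LDAP client configuration under /etc/ldap lose read access to it after this series. Either carry `/etc/ldap/**  r,` over into ldapclient or say in the commit message that the /etc/ldap layout is being dropped deliberately.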
@@ -60,6 +55,9 @@
   # nis
   #include <abstractions/nis>
 
+  # ldap
+  #include <abstractions/ldapclient>
+
   # winbind
   #include <abstractions/winbind>
 
-------------- next part --------------
From: Jeff Mahoney <jeffm at suse.com>
Subject: profile: ntpd -N needs sys_nice
References: bnc#657054

 ntpd -N allows the administrator to increase or decrease priority of the
 ntp server. Since the profile doesn't allow it, the operation is denied.

 This patch adds support for that operation.

Signed-off-by: Jeff Mahoney <jeffm at suse.com>
---
 profiles/apparmor.d/usr.sbin.ntpd |    1 +
 1 file changed, 1 insertion(+)

--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -24,6 +24,7 @@
   capability sys_chroot,
   capability sys_resource,
   capability sys_time,
+  capability sys_nice,
 
   network inet dgram,
   network inet stream,
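Review bot: `capability sys_nice,` is granted unconditionally although the commit message ties it to `ntpd -N`; CAP_SYS_NICE also allows changing the scheduling policy and affinity of other processes, so a comment on the line (e.g. `# for ntpd -N, bnc#657054`) records why the broader capability is accepted. Placing it after `capability sys_time,` keeps the capability block together, which is fine.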
-------------- next part --------------
From: Jeff Mahoney <jeffm at suse.com>
Subject: profiles: Add openssl abstraction
References: bnc#623886

 Profiles that use openssl have been adding the openssl files piecemeal.

 This patch creates a new openssl abstraction that can be inherited by
 all profiles that use it.


Signed-off-by: Jeff Mahoney <jeffm at suse.com>

Patch for 
- profiles/apparmor.d/abstractions/ssl_certs 
- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork (second chunk)
updated by Christian Boltz <apparmor at cboltz.de>
(didn't apply to trunk)

---
 profiles/apparmor.d/abstractions/openssl                  |    4 ++++
 profiles/apparmor.d/abstractions/ssl_certs                |    4 ++++
 profiles/apparmor/profiles/extras/usr.lib.postfix.smtp    |    2 +-
 profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd   |    2 +-
 profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork |    2 +-
 profiles/apparmor/profiles/extras/usr.sbin.imapd          |    2 +-
 profiles/apparmor/profiles/extras/usr.sbin.ipop2d         |    2 +-
 profiles/apparmor/profiles/extras/usr.sbin.ipop3d         |    2 +-
 8 files changed, 14 insertions(+), 6 deletions(-)

--- /dev/null
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -0,0 +1,4 @@
+
+  /etc/ssl/openssl.cnf r,
+  /usr/share/ssl/openssl.cnf r,
+
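Review bot: the new abstractions/openssl file lacks the copyright and licence header that novell-edirectory and ldapclient carry in this same series, and both begins and ends with a blank line; add the header and drop the stray blanks. It also does not `#include <abstractions/ssl_certs>`, so profiles that replace their openssl.cnf rule with this include still need ssl_certs (or an explicit certificate rule) for any CA bundle access.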
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -14,5 +14,6 @@
   /etc/ssl/certs/* r,
   /usr/share/ca-certificates/ r,
   /usr/share/ca-certificates/** r,
+  /usr/share/ssl/certs/ca-bundle.crt          r,
   /usr/local/share/ca-certificates/ r,
   /usr/local/share/ca-certificates/** r,
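Review bot: `/usr/share/ssl/certs/ca-bundle.crt          r,` is padded to a different column than the single-space `r,` of every neighbouring rule in ssl_certs; match the surrounding style. With the bundle now in ssl_certs, the explicit `/usr/share/ssl/certs/ca-bundle.crt` context lines left in usr.lib.postfix.smtp and usr.lib.postfix.smtpd become redundant for any profile that includes ssl_certs and could be removed in the same series.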

--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
@@ -15,6 +15,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/kerberosclient>
   #include <program-chunks/postfix-common>
+  #include <abstractions/openssl>
 
   capability dac_override,
   capability dac_read_search,
@@ -38,7 +39,6 @@
   /etc/postfix/{ssl/,}*.pem                   r,
   /etc/postfix/prng_exch                      rw,
   /usr/share/ssl/certs/ca-bundle.crt          r,
-  /usr/share/ssl/openssl.cnf                  r,
   /etc/postfix/virtual.db                     r,
   /etc/postfix/sasl_passwd.db                 r,
   /etc/mtab                                   r,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
@@ -15,6 +15,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/kerberosclient>
   #include <program-chunks/postfix-common>
+  #include <abstractions/openssl>
 
   capability dac_override,
   capability dac_read_search,
@@ -43,7 +44,6 @@
   /usr/lib/sasl2/*                            mr,
 
   /usr/share/ssl/certs/ca-bundle.crt          r,
-  /usr/share/ssl/openssl.cnf                  r,
 
   /{var/spool/postfix/,}pid/inet.*               rw,
   /{var/spool/postfix/,}private/anvil            w,
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
@@ -17,6 +17,7 @@
   #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/perl>
+  #include <abstractions/openssl>
 
   capability kill,
   capability net_bind_service,
@@ -83,7 +84,6 @@
   /usr/share/snmp/mibs r,
   /usr/share/snmp/mibs/*.{txt,mib} r,
   /usr/share/snmp/mibs/.index wr,
-  /usr/share/ssl/openssl.cnf r,
   /{run,var}/lock/httpd2.lock.* wl,
   /var/log/apache2/* rwl,
   /var/log/httpd/ssl_scache.dir r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
@@ -15,10 +15,10 @@
   #include <abstractions/nameservice>
   #include <abstractions/authentication>
   #include <abstractions/user-mail>
+  #include <abstractions/openssl>
 
   /dev/urandom                              r,
   /tmp/*                                    rwl,
   /usr/sbin/imapd                           r,
   /usr/share/ssl/certs/imapd.pem            r,
-  /usr/share/ssl/openssl.cnf                r,
 }
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
@@ -15,10 +15,10 @@
   #include <abstractions/nameservice>
   #include <abstractions/authentication>
   #include <abstractions/user-mail>
+  #include <abstractions/openssl>
 
   /dev/urandom                           r     ,
   /tmp/.*                                rwl   ,
   /usr/sbin/ipop2d                       rmix,
   /usr/share/ssl/certs/ipop2d.pem        r     ,
-  /usr/share/ssl/openssl.cnf             r     ,
 }
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
@@ -15,10 +15,10 @@
   #include <abstractions/nameservice>
   #include <abstractions/authentication>
   #include <abstractions/user-mail>
+  #include <abstractions/openssl>
 
   /dev/urandom                           r     ,
   /tmp/.*                                rwl   ,
   /usr/sbin/ipop3d                       rmix,
   /usr/share/ssl/certs/ipop3d.pem        r     ,
-  /usr/share/ssl/openssl.cnf             r     ,
 }
-------------- next part --------------
From: Jeff Mahoney <jeffm at suse.com>
Subject: dhcpd: Fix apparmor profile
References: bnc#692428

 This patch adds the network rules needed, corrects the path to dhcpd.leases,
 and adds the path for TSIG DNS keys.

Reported-by: Andrew Beames <suseforum at roocomputing.co.uk>
Signed-off-by: Jeff Mahoney <jeffm at suse.com>

updated to match trunk by
Christian Boltz <apparmor at cboltz.de>

--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd	2011-07-14 12:57:57 +0000
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd	2011-08-06 11:24:38 +0000
@@ -21,12 +21,17 @@
   capability setuid,
   capability sys_chroot,
 
+  network inet raw,
+  network packet raw,
+
   /db/dhcpd.leases*     lrw,
   /etc/dhcpd.conf	r,
+  /etc/named.d/*	r,
   /etc/hosts.allow	r,
   /etc/hosts.deny	r,
+  @{PROC}/net/dev	r,
   /usr/sbin/dhcpd	rmix,
-  /var/lib/dhcp/dhcpd.leases*	rwl,
+  /var/lib/dhcp/db/dhcpd.leases*	rwl,
   /var/lib/dhcp/etc/dhcpd.conf  r,
   /{,var/}run/dhcpd.pid	wl,
 }
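Review bot: replacing `/var/lib/dhcp/dhcpd.leases*` with `/var/lib/dhcp/db/dhcpd.leases*` drops the old location entirely; the cover letter already raises this, and `/var/lib/dhcp/{,db/}dhcpd.leases*	rwl,` keeps both layouts in a single rule without guessing which one older installs use. The new `/etc/named.d/*	r,` grants read access to every file under /etc/named.d, not just the TSIG key the commit message mentions; if the key lives in its own file, naming that file narrows what a compromised dhcpd can read. The rule is also inserted between dhcpd.conf and hosts.allow, breaking the alphabetical order of the block.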
