[apparmor] [patch] wutmp cleanups
Steve Beattie
steve at nxnw.org
Wed Aug 17 21:25:12 UTC 2011
On Tue, Aug 16, 2011 at 01:07:37PM +0200, Christian Boltz wrote:
> Hello folks,
>
> On Tuesday, 16 August 2011, Steve Beattie wrote:
> > On Sat, Aug 13, 2011 at 11:27:42PM +0200, Christian Boltz wrote:
> > > The k permission should be merged into abstractions/wutmp IMHO.
>
> > Yes, please. Acked-By: Steve Beattie <sbeattie at ubuntu.com>
> >
> > Also, as a followup, you may wish to convert the useradd and userdel
> > profiles to using the wutmp abstraction.
>
> Not only those. Grep says that there are some other candidates ;-)
>
> a) obvious changes
>
> ./apparmor.d/usr.lib.dovecot.dovecot-auth: #include <abstractions/wutmp>
> ./apparmor.d/usr.lib.dovecot.dovecot-auth: /{,var/}run/utmp k,
>
> k permission can be removed from dovecot-auth since it's in the wutmp
> abstraction now

Agreed, patch attached.

> b) rw usage of at least one of the files listed in abstractions/wutmp
>
> Note that switching to abstractions/wutmp will add some permissions
> to those profiles (the abstraction contains 3 files, the profiles
> listed below only one or two of them).
>
> ./apparmor/profiles/extras/usr.sbin.useradd: /var/log/lastlog rw,
> ./apparmor/profiles/extras/usr.sbin.useradd: /{,var/}run/utmp rw,
>
> ./apparmor/profiles/extras/usr.sbin.userdel: /var/log/lastlog rw,
> ./apparmor/profiles/extras/usr.sbin.userdel: /{,var/}run/utmp rw,

With two out of the three, I think we're not expanding the privileges
too grossly here. Patch attached.

> ./apparmor/profiles/extras/usr.sbin.sendmail.sendmail: /{,var/}run/utmp rw,
>
> ./apparmor/profiles/extras/usr.sbin.sendmail: /{,var/}run/utmp rw,
>
> ./apparmor.d/sbin.syslogd: /{,var/}run/utmp rw,
>
>
> c) read-only usage of wutmp files
>
> Here the wutmp abstraction would add even more permissions.
>
> ./apparmor/profiles/extras/usr.sbin.in.fingerd: /var/log/lastlog r,
> ./apparmor/profiles/extras/usr.sbin.in.fingerd: /{,var/}run/utmp r,
>
> ./apparmor/profiles/extras/usr.sbin.in.ntalkd: /{,var/}run/utmp r,
>
> ./apparmor/profiles/extras/sbin.dhclient: /var/log/lastlog r,
> ./apparmor/profiles/extras/sbin.dhclient: /var/log/wtmp r,
>
> ./apparmor.d/abstractions/ubuntu-konsole: /{,var/}run/utmp r,
>
> ./apparmor.d/abstractions/ubuntu-xterm: /{,var/}run/utmp r,
>
> ./apparmor.d/apache2.d/phpsysinfo: /{,var/}run/utmp rk,
>
>
> Which of these profiles should be changed to use abstractions/wutmp?

For the rest, my inclination is that the wutmp abstraction expands
privilege more widely than I'd like, particularly for the read-only
accessors of the various files. But obviously it's open for discussion.

--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-auth-wutmp_fix_cleanup.patch
Type: text/x-diff
Size: 554 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110817/567c8b86/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: profiles-wutmp_additions.patch
Type: text/x-diff
Size: 1521 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110817/567c8b86/attachment-0001.patch>
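As an added illustration of the privilege-expansion question discussed in this message (not code from the thread or from the AppArmor project), the Python sketch below computes what each listed profile would gain by including the abstraction. The contents of `WUTMP` are an assumption (rwk on the three files the thread names), the sample lines are copied from the grep listing above, and paths are compared as literal strings rather than expanded globs.

```python
import re

# ASSUMPTION: abstractions/wutmp is not quoted in the thread, which only says
# it covers three files and now includes k. Replace with your tree's contents.
WUTMP = {
    "/var/log/lastlog": "rwk",
    "/var/log/wtmp": "rwk",
    "/{,var/}run/utmp": "rwk",
}

# Constructed sample: grep-style lines taken from the listing in the thread.
GREP_LINES = """\
./apparmor/profiles/extras/usr.sbin.useradd: /var/log/lastlog rw,
./apparmor/profiles/extras/usr.sbin.useradd: /{,var/}run/utmp rw,
./apparmor/profiles/extras/usr.sbin.in.ntalkd: /{,var/}run/utmp r,
./apparmor/profiles/extras/sbin.dhclient: /var/log/lastlog r,
./apparmor/profiles/extras/sbin.dhclient: /var/log/wtmp r,
./apparmor.d/apache2.d/phpsysinfo: /{,var/}run/utmp rk,
"""

# "<profile file>: <path> <perms>," as printed by grep over the profile tree.
RULE = re.compile(r"^(?P<profile>\S+):\s+(?P<path>/\S+)\s+(?P<perms>[a-zA-Z]+),\s*$")

def parse(lines):
    """Group the explicit file rules by profile: {profile: {path: set(perms)}}."""
    profiles = {}
    for line in lines.splitlines():
        m = RULE.match(line)
        if m:
            profiles.setdefault(m["profile"], {})[m["path"]] = set(m["perms"])
    return profiles

def added_by_abstraction(rules, abstraction=WUTMP):
    """Permissions the abstraction grants beyond the profile's own rules."""
    delta = {}
    for path, perms in abstraction.items():
        extra = set(perms) - rules.get(path, set())
        if extra:
            delta[path] = "".join(sorted(extra))
    return delta

def report(lines=GREP_LINES):
    """Per-profile permission delta from switching to the abstraction."""
    return {p: added_by_abstraction(r) for p, r in parse(lines).items()}

if __name__ == "__main__":
    for profile, delta in report().items():
        print(profile, delta or "no new permissions")
```

Under that assumption, the read-only profiles pick up write and lock access on every file, while useradd gains only k on the two files it already writes plus full access to the third.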