[apparmor] Fwd: Re: owner usage for @{HOME} rules

John Johansen john.johansen at canonical.com
Tue Dec 18 22:57:18 UTC 2012


On 12/18/2012 02:54 PM, Simon Deziel wrote:
> On 12-12-18 05:39 PM, Jamie Strandboge wrote:
>>
>> Sigh, forgot to reply all...
>>
>> -------- Original Message --------
>> Subject: Re: [apparmor] owner usage for @{HOME} rules
>> Date: Tue, 18 Dec 2012 16:38:41 -0600
>> From: Jamie Strandboge <jamie at canonical.com>
>> To: Simon Deziel <simon.deziel at gmail.com>
>>
>> On 12/18/2012 04:26 PM, Simon Deziel wrote:
>>> Hi all,
>>>
>>> I am wondering why some of the profile abstractions are not using the
>>> owner prefix with the variable @{HOME} while many others do (and some
>>> mix both)?
>>>
>>> Some stats from my Ubuntu 12.04 box:
>>>
>>> $ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
>>> /etc/apparmor.d/abstractions/kde:7
>>> /etc/apparmor.d/abstractions/X:2
>>> /etc/apparmor.d/abstractions/audio:3
>>> /etc/apparmor.d/abstractions/libvirt-qemu:1
>>> /etc/apparmor.d/abstractions/gnupg:6
>>> /etc/apparmor.d/abstractions/fonts:8
>>> /etc/apparmor.d/abstractions/gnome:12
>>> /etc/apparmor.d/abstractions/bash:4
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
>>> /etc/apparmor.d/abstractions/web-data:2
>>>
>>> $ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
>>> /etc/apparmor.d/abstractions/X:1
>>> /etc/apparmor.d/abstractions/audio:4
>>> /etc/apparmor.d/abstractions/user-tmp:2
>>> /etc/apparmor.d/abstractions/user-write:9
>>> /etc/apparmor.d/abstractions/user-download:6
>>> /etc/apparmor.d/abstractions/user-mail:9
>>> /etc/apparmor.d/abstractions/enchant:2
>>> /etc/apparmor.d/abstractions/ibus:3
>>> /etc/apparmor.d/abstractions/ubuntu-media-players:2
>>> /etc/apparmor.d/abstractions/xdg-desktop:4
>>> /etc/apparmor.d/abstractions/user-manpages:3
>>> /etc/apparmor.d/abstractions/freedesktop.org:12
>>> /etc/apparmor.d/abstractions/base:1
>>> /etc/apparmor.d/abstractions/aspell:1
>>> /etc/apparmor.d/abstractions/cups-client:2
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1
>>>
>>
>> My guess is that most of the ones without explicit owner match predate
>> 'owner' in apparmor.
> 
> Ah, that makes sense.
> 
>> It would be worthwhile to update the ones where it
>> makes sense to do so. Eg, this one would for sure not be one we would
>> want to add owner to:
>> /etc/apparmor.d/abstractions/web-data:  @{HOME}/public_html/ r,
>> /etc/apparmor.d/abstractions/web-data:  @{HOME}/public_html/** r,
> 
> Yes, indeed.
> 
>> Also, abstractions/ubuntu-browsers.d/user-files was intentional as well:
>>   # Allow read to all files user has DAC access to and write access to all
>>   # files owned by the user in $HOME.
>>   @{HOME}/ r,
>>   @{HOME}/** r,
>>   owner @{HOME}/** w,
>>   owner @{HOME}/Desktop/** r,
> 
> The rule "owner @{HOME}/Desktop/** r," is superfluous isn't it?
> 
Yes, it will get subsumed by @{HOME}/** r, and since permissions are accumulated,
the tighter owner restrictions will be lost.


>> A quick glance at the others indicates they could probably be changed
>> without issue.
> 
> OK, so I'll try to send a patch here. Thanks!
> 
> Simon
> 
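
The two technical points in this thread, counting bare versus owner-prefixed @{HOME} rules per abstraction (Simon's greps) and spotting an owner rule that a broader non-owner rule already subsumes because permissions accumulate (John's answer about `owner @{HOME}/Desktop/** r,`), as an added example that is not part of the original thread or of the AppArmor project: a small Python linter for abstraction files. It assumes the rule grammar visible in the quoted excerpts (optional `owner` prefix, a path glob, permission letters, trailing comma), treats `@{HOME}` as a literal token instead of expanding it, and mirrors the parser's glob convention as this example assumes it (`*` does not cross `/`, `**` does, and neither matches an empty name directly after `/`, which is why `@{HOME}/ r,` is listed separately from `@{HOME}/** r,`). The shadowing check fills each wildcard with a few constructed probe paths, so it is a heuristic that errs toward reporting "not shadowed". The sample input is constructed from the user-files and web-data lines quoted above.

```python
"""Lint AppArmor abstraction rules: count @{HOME} rules and flag shadowed 'owner' rules."""
import re
from itertools import product
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    owner: bool   # True when the rule carries the 'owner' prefix
    path: str     # path glob, variables such as @{HOME} kept literal
    perms: str    # permission letters, e.g. 'r', 'w', 'rw'
    line: str     # original rule text, for reporting


# A simple file rule: optional 'owner', a path (variable- or slash-rooted), perms, comma.
RULE_RE = re.compile(r'^(owner\s+)?(@\{[A-Za-z_]+\}\S*|/\S*)\s+([A-Za-z]+)\s*,')


def parse_rules(text: str) -> List[Rule]:
    """Extract file rules from abstraction text; includes, comments and other rules are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop trailing comments
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m.group(1) is not None, m.group(2), m.group(3), line))
    return rules


def glob_to_regex(glob: str) -> str:
    """Translate an AppArmor path glob into an anchored Python regex (assumed semantics)."""
    out, i, n = [], 0, len(glob)
    while i < n:
        c = glob[i]
        after_slash = i > 0 and glob[i - 1] == '/'
        if glob.startswith('@{', i):                     # variable: keep as a literal token
            j = glob.index('}', i)
            out.append(re.escape(glob[i:j + 1]))
            i = j + 1
        elif glob.startswith('**', i):                   # any characters, '/' included
            out.append('[^/].*' if after_slash else '.*')
            i += 2
        elif c == '*':                                   # any characters except '/'
            out.append('[^/]+' if after_slash else '[^/]*')
            i += 1
        elif c == '?':                                   # one character except '/'
            out.append('[^/]')
            i += 1
        elif c == '{':                                   # {a,b} alternation
            j = glob.index('}', i)
            alts = [glob_to_regex(a)[1:-1] for a in glob[i + 1:j].split(',')]
            out.append('(?:' + '|'.join(alts) + ')')
            i = j + 1
        elif c == '[':                                   # character class, passed through
            j = glob.index(']', i)
            out.append(glob[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return '^' + ''.join(out) + '$'


def glob_matches(glob: str, path: str) -> bool:
    return re.match(glob_to_regex(glob), path) is not None


FILLERS = ['a', 'a/b', 'a/b/c', '.hidden/d']  # constructed probe fragments


def probe_paths(glob: str) -> List[str]:
    """Concrete paths drawn from `glob` by filling its wildcards (heuristic).

    Alternations and classes are left literal, so an unexpanded glob simply fails to
    match the broader rule and the owner rule is reported as not shadowed."""
    if not any(ch in glob for ch in '*?'):
        return [glob]
    paths = set()
    for deep, flat in product(FILLERS, ['a', '.x']):
        paths.add(glob.replace('**', deep).replace('*', flat).replace('?', 'a'))
    return sorted(paths)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if `broad` grants every permission of `narrow` on every probe path of `narrow`."""
    if not set(narrow.perms) <= set(broad.perms):
        return False
    rx = re.compile(glob_to_regex(broad.path))
    return all(rx.match(p) for p in probe_paths(narrow.path))


def shadowed_owner_rules(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Owner rules whose effect a non-owner rule already grants to any file owner."""
    found = []
    for narrow in (r for r in rules if r.owner):
        for broad in (r for r in rules if not r.owner):
            if covers(broad, narrow):
                found.append((narrow, broad))
                break
    return found


def home_rule_counts(rules: List[Rule]) -> Tuple[int, int]:
    """(bare @{HOME} rules, owner @{HOME} rules): the per-file figures the thread's greps report."""
    home = [r for r in rules if r.path.startswith('@{HOME}')]
    return sum(1 for r in home if not r.owner), sum(1 for r in home if r.owner)


# Constructed sample: the user-files excerpt quoted in the thread plus one web-data line.
SAMPLE = """
  # Allow read to all files user has DAC access to and write access to all
  # files owned by the user in $HOME.
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,
  owner @{HOME}/Desktop/** r,
  @{HOME}/public_html/** r,
"""

if __name__ == '__main__':
    rules = parse_rules(SAMPLE)
    print('bare/owner @{HOME} rules:', home_rule_counts(rules))
    for narrow, broad in shadowed_owner_rules(rules):
        print(f'shadowed: "{narrow.line}" is already granted by "{broad.line}"')
```

Running it on the sample reports the Desktop read rule as shadowed by `@{HOME}/** r,` while leaving `owner @{HOME}/** w,` alone, since no non-owner rule grants write; pointing the linter at the files under /etc/apparmor.d/abstractions/ is a quick way to find the same pattern elsewhere before adding `owner` prefixes.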
