[apparmor] [PATCH] private-files should disallow writing to .pki so files

Jamie Strandboge jamie at canonical.com
Wed Jan 4 16:43:31 UTC 2012


From the bug[1]:

It was discovered that nss will try to load .so files from
~/.pki/nssdb/. E.g.:
open("/home/<username>/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file or directory)

The private-files abstraction should explicitly deny writes to this
directory. Since nss also stores certificates, etc. in this directory,
it should use something like:
  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,

Attached is a patch to achieve this (and fixes 2 spelling errors).

[1] https://launchpad.net/bugs/911847

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0018-deny-home-pki-so.patch
Type: text/x-patch
Size: 1831 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120104/64b47ce9/attachment.bin>
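
The following is an added example, not part of the original message or the attached patch: a small Python translator for the subset of AppArmor path globbing used in the proposed rule, showing which files under ~/.pki/nssdb/ the deny would cover while leaving the NSS database files writable. It assumes @{HOME} expands to /home/*/ only, and the sample paths (user "alice", cert9.db, key4.db, pkcs11.txt) are constructed.

```python
import re

# Rule text from the message; "wl" (write, link) is the denied permission set.
RULE = "@{HOME}/.pki/nssdb/*.so{,.[0-9]*}"
HOME = "/home/*/"  # assumption: simplified expansion of @{HOME}


def aa_glob_to_regex(glob):
    """Translate a subset of AppArmor globbing (*, **, ?, [..], {a,b}) to a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory separators
            out.append(".*")
            i += 2
            continue
        if c == "*":                      # * stops at '/'
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                    # character class, copied as-is
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1])
            i = j + 1
            continue
        elif c == "{":                    # alternation group
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


def denied(path, rule=RULE):
    """Return True if the deny rule's path pattern matches this file path."""
    expanded = re.sub("/+", "/", rule.replace("@{HOME}", HOME))
    return aa_glob_to_regex(expanded).fullmatch(path) is not None


if __name__ == "__main__":
    db = "/home/alice/.pki/nssdb/"        # constructed sample directory
    for name in ("libnssckbi.so", "libnssckbi.so.1", "cert9.db", "key4.db"):
        print(f"{name:18} {'deny wl' if denied(db + name) else 'not matched'}")
```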