[apparmor] [PATCH] private-files should disallow writing to .pki so files
Jamie Strandboge
jamie at canonical.com
Wed Jan 4 16:43:31 UTC 2012
From the bug[1]:

It was discovered that nss will try to load .so files from
~/.pki/nssdb/. Eg:

  open("/home/<username>/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file or directory)

The private-files abstraction should explicitly deny writes to this
directory. Since nss also stores certificates, etc in this directory,
should use something like:

  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,

Attached is a patch to achieve this (and fixes 2 spelling errors).

[1] https://launchpad.net/bugs/911847
--
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0018-deny-home-pki-so.patch
Type: text/x-patch
Size: 1831 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120104/64b47ce9/attachment.bin>
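
What the rule proposed above matches, as an added example that is not part of the original message or the attached patch: a small translator for AppArmor path globs, applied to the rule's path so you can see that shared objects are denied for write and link while the NSS certificate store in the same directory is untouched. Assumptions: @{HOME} is simplified to "/home/*", and the user name and file names are constructed samples.

```python
import re

# Assumption: @{HOME} is simplified to one pattern; a real policy takes its
# values from the AppArmor tunables.
HOME = "/home/*"
RULE_PATH = "@{HOME}/.pki/nssdb/*.so{,.[0-9]*}"  # path glob from the message
RULE_PERMS = set("wl")                            # w = write, l = link

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob (*, **, ?, [...], {a,b}) to a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory separators
            out.append(".*"); i += 1
        elif c == "*":                    # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                    # character class, copied through
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1]); i = end
        elif c == "{":                    # {a,b} alternation; "{," allows empty
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

RULE_RE = aa_glob_to_regex(RULE_PATH.replace("@{HOME}", HOME))

def denied(path, perm):
    """True if this one deny rule blocks `perm` ('r', 'w', 'l', ...) on path."""
    return perm in RULE_PERMS and RULE_RE.fullmatch(path) is not None

if __name__ == "__main__":
    base = "/home/alice/.pki/nssdb/"      # constructed sample paths
    for name in ("libnssckbi.so", "libnssckbi.so.1", "cert9.db", "pkcs11.txt"):
        print(f"{base + name:45} write denied: {denied(base + name, 'w')}")
```

The rule only covers write and link, so whether a read of these paths is allowed is decided by the other rules in the profile, not by this one.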