[apparmor] [PATCH] private-files should disallow writing to .pki so files
Steve Beattie
steve at nxnw.org
Wed Jan 4 17:54:39 UTC 2012
On Wed, Jan 04, 2012 at 10:43:31AM -0600, Jamie Strandboge wrote:
> From the bug[1]:
>
> It was discovered that nss will try to load .so files from
> ~/.pki/nssdb/. Eg:
> open("/home/<username>/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT
> (No such file or directory)
>
> The private-files abstraction should explicitly deny writes to this
> directory. Since nss also stores certificates, etc in this directory,
> should use something like:
> audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
>
> Attached is a patch to achieve this (and fixes 2 spelling errors).
Acked-By: Steve Beattie <sbeattie at ubuntu.com> for both trunk and the
apparmor 2.7 branch.
Thanks!
> Author: Jamie Strandboge <jamie at canonical.com>
> Description: Disallow writing and linking to @{HOME}/.pki/nssdb/ .so files
> Bug-Ubuntu: https://launchpad.net/bugs/911847
> Forwarded: yes
> Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files
> ===================================================================
> --- apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/private-files 2011-04-18 08:55:50.000000000 -0500
> +++ apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files 2012-01-04 10:23:11.000000000 -0600
> @@ -1,6 +1,6 @@
> # vim:syntax=apparmor
> -# privacy-violations contains rules for common files that you want to explicity
> -# deny access
> +# privacy-violations contains rules for common files that you want to
> +# explicitly deny access
>
> # privacy violations (don't audit files under $HOME otherwise get a
> # lot of false positives when reading contents of directories)
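Review bot: The rewrapped header comment still calls this file "privacy-violations", while the path in the Index line is abstractions/private-files. Since these two lines are being touched anyway, consider correcting the name and ending the sentence as "explicitly deny access to".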
> @@ -16,6 +16,7 @@
> audit deny @{HOME}/bin/** wl,
> audit deny @{HOME}/.config/autostart/** wl,
> audit deny @{HOME}/.kde/Autostart/** wl,
> + audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
>
> # don't allow reading/updating of run control files
> deny @{HOME}/.*rc mrk,
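Review bot: The added `audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,` line carries no comment saying why shared objects in this directory are singled out, unlike the commented blocks around it; a one-line comment above it noting that nss tries to load .so files from ~/.pki/nssdb/ would help the next reader. It is also worth confirming that the single `*` is intended: the three rules above it use `**`, so this rule covers only files directly in nssdb/ and not anything in subdirectories.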
> Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files-strict
> ===================================================================
> --- apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/private-files-strict 2011-01-07 10:44:47.000000000 -0600
> +++ apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files-strict 2012-01-04 10:23:33.000000000 -0600
> @@ -1,6 +1,6 @@
> # vim:syntax=apparmor
> # privacy-violations-strict contains additional rules for sensitive
> -# files that you want to explicity deny access
> +# files that you want to explicitly deny access
>
> #include <abstractions/private-files>
>
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
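The glob in the proposed rule, checked against sample paths to show that it denies library names while leaving the certificate databases writable. This is an added example, not part of the original thread or AppArmor's own code: the translator is a simplified approximation of AppArmor globbing, and `/home/alice` and the file names are constructed.

```python
import re

HOME = "/home/alice"  # constructed; stands in for the expanded @{HOME}
RULE = "@{HOME}/.pki/nssdb/*.so{,.[0-9]*}"  # path pattern from the patch

def aare_to_regex(glob):
    """Approximate AppArmor globbing (*, **, ?, [...], {a,b}) as a Python regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob[i:i + 2] == "**":
                out.append(".*")       # ** may cross directory separators
                i += 1
            else:
                out.append("[^/]*")    # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])  # character class passes through
            i = end
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")            # comma separates alternatives in {}
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def denied(path, rule=RULE, home=HOME):
    """True if the rule's path pattern matches, i.e. write/link would be denied."""
    pattern = aare_to_regex(rule.replace("@{HOME}", home))
    return re.fullmatch(pattern, path) is not None

# Constructed sample paths: library names, NSS database files, a subdirectory.
SAMPLES = ["libnssckbi.so", "libnssckbi.so.1.2", "cert9.db", "key4.db",
           "libx.so.bak", "sub/libx.so"]

def coverage():
    return {name: denied(f"{HOME}/.pki/nssdb/{name}") for name in SAMPLES}

if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{'deny ' if hit else 'allow'} {name}")
```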