[apparmor] [patch] smbd profile + smbldap-useradd
John Johansen
john.johansen at canonical.com
Wed Jan 4 20:09:51 UTC 2012
On 01/04/2012 11:54 AM, Christian Boltz wrote:
> Hello,
>
> On Wednesday, 4 January 2012, Kees Cook wrote:
>> On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
>>> + profile /etc/init.d/nscd {
>>> + #include <abstractions/base>
>>> + #include <abstractions/nameservice>
>>> +
>>> + capability sys_ptrace,
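Review bot: the `capability sys_ptrace,` line carries no comment saying which denial motivated it, and it is a broad grant for an init script that otherwise only includes base and nameservice. Denials logged against CAP_SYS_PTRACE are frequently caused by reading other processes' /proc entries rather than by a real ptrace call, so suggest dropping the line, re-running with the profile in complain mode, and keeping it only if the audit log still shows the denial coming from the nscd script itself.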
>>
>> I wonder why sys_ptrace keeps showing up in some of these profiles. Is
>> this really needed?
>
> Good question, I only know what the audit.log says ;-)
My guess is because of proc calling into ptrace_may_access instead of being
sane and using a distinct hook, which could then call ptrace_may_access
if those were the desired semantics.
>
>>> + /proc/filesystems r,
>>> + /proc/meminfo r,
>>
>> These are already in "base".
>
> Good catch, I removed them from my pending patch.
>
> OTOH, this brings up an interesting question - why did logprof add them
> to the profile? I probably first allowed them before adding
> abstractions/base, but logprof should have removed them again when I
> told it to use abstractions/base.
>
> The only explanation I can imagine is that abstractions/base uses
> @{PROC} instead of /proc - could that be the reason?
>
> If you want to test yourself, the audit.log is attached to
> https://bugzilla.novell.com/show_bug.cgi?id=738041
>
Yep, you got it. logprof still doesn't understand variables.
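The behaviour described above (logprof re-adding `/proc/meminfo` and `/proc/filesystems` even though `abstractions/base` already covers them via `@{PROC}`) comes down to matching logged paths against rules without first expanding profile variables. The following is an added example, not logprof's code or anything from the AppArmor project: it implements a small rule matcher with AppArmor-style globbing and shows that the two rules are reported as "missing" only when variable expansion is skipped. The variable table and the three-rule subset standing in for `abstractions/base` are constructed for the example.

```python
import re

# Constructed variable table; the real tunables/global defines @{PROC}=/proc@.
VARIABLES = {"@{PROC}": ["/proc"]}

# Constructed subset of rules standing in for abstractions/base.
BASE_RULES = [
    "@{PROC}/meminfo r,",
    "@{PROC}/filesystems r,",
    "/{usr/,}lib{,32,64}/** rm,",
]

# Constructed audit-derived accesses, as logprof would collect them.
LOGGED = [
    ("/proc/meminfo", "r"),
    ("/proc/filesystems", "r"),
    ("/lib64/libc.so.6", "rm"),
    ("/etc/samba/smb.conf", "r"),
]

RULE_RE = re.compile(r"^\s*(?P<path>\S+)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$")


def parse_rule(rule):
    """Split 'PATH PERMS,' into (path, set_of_perm_chars)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    return m.group("path"), set(m.group("perms"))


def expand_variables(path, variables):
    """Substitute every @{VAR}; multi-valued variables fan out into several paths."""
    paths = [path]
    for name, values in variables.items():
        expanded = []
        for p in paths:
            if name in p:
                expanded.extend(p.replace(name, v) for v in values)
            else:
                expanded.append(p)
        paths = expanded
    return paths


def glob_to_regex(pattern):
    """Translate AppArmor globbing: * (no '/'), ** (any), ? (one non-'/'), {a,b}."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def covered(log_path, log_perms, rules, variables, expand_vars=True):
    """True if some rule's path glob matches log_path and grants all log_perms."""
    for rule in rules:
        rule_path, rule_perms = parse_rule(rule)
        candidates = expand_variables(rule_path, variables) if expand_vars else [rule_path]
        for candidate in candidates:
            if glob_to_regex(candidate).match(log_path) and set(log_perms) <= rule_perms:
                return True
    return False


def missing_rules(logged, rules, variables, expand_vars=True):
    """Accesses a profile generator would still add, given the rules it already has."""
    return [(p, perms) for p, perms in logged
            if not covered(p, perms, rules, variables, expand_vars)]


if __name__ == "__main__":
    # Without expansion, '@{PROC}/meminfo' never matches '/proc/meminfo': the logprof bug.
    print("no expansion:  ", missing_rules(LOGGED, BASE_RULES, VARIABLES, expand_vars=False))
    print("with expansion:", missing_rules(LOGGED, BASE_RULES, VARIABLES, expand_vars=True))
```

Run as a script, the first line lists both `/proc` entries as missing alongside `smb.conf`, which is exactly what the patch ended up containing; the second lists only `smb.conf`. The check on `/lib64/libc.so.6` shows that brace alternation and `**` are handled by the same matcher, so the only thing separating the two results is the variable substitution step.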