[apparmor] [PATCH] profiles: rw file perms are now needed on AF_UNIX socket files
Tyler Hicks
tyhicks at canonical.com
Fri Dec 20 06:16:35 UTC 2013
The AppArmor kernel now checks for both read and write permissions when
a process calls connect() on a UNIX domain socket.
The patch updates four abstractions that were found to need
changes after the kernel change.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
profiles/apparmor.d/abstractions/cups-client | 2 +-
profiles/apparmor.d/abstractions/dbus | 2 +-
profiles/apparmor.d/abstractions/p11-kit | 3 +++
profiles/apparmor.d/abstractions/private-files-strict | 2 ++
4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/cups-client b/profiles/apparmor.d/abstractions/cups-client
index fa9f8df..f38ac09 100644
--- a/profiles/apparmor.d/abstractions/cups-client
+++ b/profiles/apparmor.d/abstractions/cups-client
@@ -12,7 +12,7 @@
# discoverable system configuration for non-local cupsd
/etc/cups/client.conf r,
# client should be able to talk the local cupsd
- /{,var/}run/cups/cups.sock w,
+ /{,var/}run/cups/cups.sock rw,
# client should be able to read user-specified cups configuration
owner @{HOME}/.cups/client.conf r,
owner @{HOME}/.cups/lpoptions r,
diff --git a/profiles/apparmor.d/abstractions/dbus b/profiles/apparmor.d/abstractions/dbus
index 129a756..f0644c0 100644
--- a/profiles/apparmor.d/abstractions/dbus
+++ b/profiles/apparmor.d/abstractions/dbus
@@ -10,5 +10,5 @@
# ------------------------------------------------------------------
# System socket. Be careful when including this abstraction.
- /{,var/}run/dbus/system_bus_socket w,
+ /{,var/}run/dbus/system_bus_socket rw,
dbus bus=system,
diff --git a/profiles/apparmor.d/abstractions/p11-kit b/profiles/apparmor.d/abstractions/p11-kit
index a56fcee..84b7b11 100644
--- a/profiles/apparmor.d/abstractions/p11-kit
+++ b/profiles/apparmor.d/abstractions/p11-kit
@@ -19,6 +19,9 @@
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
+ # gnome-keyring pkcs11 module
+ owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
+
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
# included in this abstraction.
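Review bot: The added `owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,` rule has no effect in a profile that also includes abstractions/private-files-strict. The `audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,` rule added to that abstraction in this same patch covers the same path, and deny rules take precedence over allow rules. If that is intended, the comment should say so, e.g. `# gnome-keyring pkcs11 module socket; denied when private-files-strict is also included`. The rule also gives every profile that includes p11-kit read/write access to the user's own keyring PKCS#11 socket, which widens what the abstraction grants and is worth stating in the comment.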
diff --git a/profiles/apparmor.d/abstractions/private-files-strict b/profiles/apparmor.d/abstractions/private-files-strict
index cc4d67e..91851b8 100644
--- a/profiles/apparmor.d/abstractions/private-files-strict
+++ b/profiles/apparmor.d/abstractions/private-files-strict
@@ -9,6 +9,8 @@
audit deny @{HOME}/.ssh/** mrwkl,
audit deny @{HOME}/.gnome2_private/** mrwkl,
audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+ # don't allow access to any gnome-keyring modules
+ audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
audit deny @{HOME}/.mozilla/** mrwkl,
audit deny @{HOME}/.config/chromium/** mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
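Review bot: The comment on the added deny rule says "modules", but `keyring**` matches the whole per-user keyring directory and everything beneath it, not only the PKCS#11 module socket. A comment such as `# deny the gnome-keyring runtime directory and every socket in it` would describe the rule's actual scope. Separately, `[0-9]*` here and in the p11-kit hunk matches one digit followed by any characters other than `/`, not strictly a numeric UID. That is harmless for this deny rule but slightly broader than needed for the allow rule in p11-kit.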
--
1.8.3.2