[apparmor] [PATCH] profiles: rw file perms are now needed on AF_UNIX socket files

Tyler Hicks tyhicks at canonical.com
Fri Dec 20 06:16:35 UTC 2013


The AppArmor kernel now checks for both read and write permissions when
a process calls connect() on a UNIX domain socket.

The patch updates four abstractions that were found to need
changes after the kernel change.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 profiles/apparmor.d/abstractions/cups-client          | 2 +-
 profiles/apparmor.d/abstractions/dbus                 | 2 +-
 profiles/apparmor.d/abstractions/p11-kit              | 3 +++
 profiles/apparmor.d/abstractions/private-files-strict | 2 ++
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/profiles/apparmor.d/abstractions/cups-client b/profiles/apparmor.d/abstractions/cups-client
index fa9f8df..f38ac09 100644
--- a/profiles/apparmor.d/abstractions/cups-client
+++ b/profiles/apparmor.d/abstractions/cups-client
@@ -12,7 +12,7 @@
   # discoverable system configuration for non-local cupsd
   /etc/cups/client.conf   r,
   # client should be able to talk the local cupsd
-  /{,var/}run/cups/cups.sock w,
+  /{,var/}run/cups/cups.sock rw,
   # client should be able to read user-specified cups configuration
   owner @{HOME}/.cups/client.conf r,
   owner @{HOME}/.cups/lpoptions r,
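Review bot: The `rw` on `/{,var/}run/cups/cups.sock` carries no comment saying why read is needed, so a later least-privilege cleanup could tighten it back to `w` and break connect() on kernels that perform the new check. I would extend the existing comment to `# client should be able to talk the local cupsd (connect() on the socket file needs both r and w)`. The same applies to the `system_bus_socket` rule in abstractions/dbus, which sits under a comment that already asks includers to be careful.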
diff --git a/profiles/apparmor.d/abstractions/dbus b/profiles/apparmor.d/abstractions/dbus
index 129a756..f0644c0 100644
--- a/profiles/apparmor.d/abstractions/dbus
+++ b/profiles/apparmor.d/abstractions/dbus
@@ -10,5 +10,5 @@
 # ------------------------------------------------------------------
 
   # System socket. Be careful when including this abstraction.
-  /{,var/}run/dbus/system_bus_socket w,
+  /{,var/}run/dbus/system_bus_socket rw,
   dbus bus=system,
diff --git a/profiles/apparmor.d/abstractions/p11-kit b/profiles/apparmor.d/abstractions/p11-kit
index a56fcee..84b7b11 100644
--- a/profiles/apparmor.d/abstractions/p11-kit
+++ b/profiles/apparmor.d/abstractions/p11-kit
@@ -19,6 +19,9 @@
   /usr/share/p11-kit/modules/  r,
   /usr/share/p11-kit/modules/* r,
 
+  # gnome-keyring pkcs11 module
+  owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
+
   # p11-kit also supports reading user configuration from ~/.pkcs11 depending
   # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
   # included in this abstraction.
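Review bot: The added `owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,` is a new grant rather than a `w` to `rw` widening, so every profile that includes abstractions/p11-kit can now connect to the user's gnome-keyring PKCS#11 socket, and the one-line comment does not say so. I would expand it to something like `# gnome-keyring pkcs11 module socket; connect() needs rw. Gives includers access to objects held in the user's keyring.` Because `*` does not cross `/`, `keyring*` matches any single directory in the runtime dir whose name starts with "keyring", and `owner` limits the match to files owned by the confined process's user. It is worth confirming that every current includer of this abstraction is meant to reach the keyring.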
diff --git a/profiles/apparmor.d/abstractions/private-files-strict b/profiles/apparmor.d/abstractions/private-files-strict
index cc4d67e..91851b8 100644
--- a/profiles/apparmor.d/abstractions/private-files-strict
+++ b/profiles/apparmor.d/abstractions/private-files-strict
@@ -9,6 +9,8 @@
   audit deny @{HOME}/.ssh/** mrwkl,
   audit deny @{HOME}/.gnome2_private/** mrwkl,
   audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+  # don't allow access to any gnome-keyring modules
+  audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
   audit deny @{HOME}/.mozilla/** mrwkl,
   audit deny @{HOME}/.config/chromium/** mrwkl,
   audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
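Review bot: The comment on the new `audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,` understates its reach, because `keyring**` covers everything under any runtime directory whose name starts with "keyring", not only the module sockets. Deny rules take precedence over allow rules, so a profile that includes both this abstraction and abstractions/p11-kit will have the pkcs11 allow from this same patch overridden and each attempt written to the audit log. If that is intended, I would say so in the comment, e.g. `# don't allow access to anything under the gnome-keyring runtime directories; this overrides the pkcs11 allow in abstractions/p11-kit`.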
-- 
1.8.3.2



