[apparmor] [PATCH] profiles: rw file perms are now needed on AF_UNIX socket files

Seth Arnold seth.arnold at canonical.com
Fri Dec 20 07:05:44 UTC 2013 

On Thu, Dec 19, 2013 at 10:16:35PM -0800, Tyler Hicks wrote:
> The AppArmor kernel now checks for both read and write permissions when
> a process calls connect() on a UNIX domain socket.
> 
> The patch updates a four abstractions that were found to be needing
> changes after the kernel change.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Thanks for all these fixes.

Acked-by: Seth Arnold <seth.arnold at canonical.com>

> ---
>  profiles/apparmor.d/abstractions/cups-client          | 2 +-
>  profiles/apparmor.d/abstractions/dbus                 | 2 +-
>  profiles/apparmor.d/abstractions/p11-kit              | 3 +++
>  profiles/apparmor.d/abstractions/private-files-strict | 2 ++
>  4 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/profiles/apparmor.d/abstractions/cups-client b/profiles/apparmor.d/abstractions/cups-client
> index fa9f8df..f38ac09 100644
> --- a/profiles/apparmor.d/abstractions/cups-client
> +++ b/profiles/apparmor.d/abstractions/cups-client
> @@ -12,7 +12,7 @@
>    # discoverable system configuration for non-local cupsd
>    /etc/cups/client.conf   r,
>    # client should be able to talk the local cupsd
> -  /{,var/}run/cups/cups.sock w,
> +  /{,var/}run/cups/cups.sock rw,
>    # client should be able to read user-specified cups configuration
>    owner @{HOME}/.cups/client.conf r,
>    owner @{HOME}/.cups/lpoptions r,
> diff --git a/profiles/apparmor.d/abstractions/dbus b/profiles/apparmor.d/abstractions/dbus
> index 129a756..f0644c0 100644
> --- a/profiles/apparmor.d/abstractions/dbus
> +++ b/profiles/apparmor.d/abstractions/dbus
> @@ -10,5 +10,5 @@
>  # ------------------------------------------------------------------
>  
>    # System socket. Be careful when including this abstraction.
> -  /{,var/}run/dbus/system_bus_socket w,
> +  /{,var/}run/dbus/system_bus_socket rw,
>    dbus bus=system,
> diff --git a/profiles/apparmor.d/abstractions/p11-kit b/profiles/apparmor.d/abstractions/p11-kit
> index a56fcee..84b7b11 100644
> --- a/profiles/apparmor.d/abstractions/p11-kit
> +++ b/profiles/apparmor.d/abstractions/p11-kit
> @@ -19,6 +19,9 @@
>    /usr/share/p11-kit/modules/  r,
>    /usr/share/p11-kit/modules/* r,
>  
> +  # gnome-keyring pkcs11 module
> +  owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
> +
>    # p11-kit also supports reading user configuration from ~/.pkcs11 depending
>    # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
>    # included in this abstraction.
> diff --git a/profiles/apparmor.d/abstractions/private-files-strict b/profiles/apparmor.d/abstractions/private-files-strict
> index cc4d67e..91851b8 100644
> --- a/profiles/apparmor.d/abstractions/private-files-strict
> +++ b/profiles/apparmor.d/abstractions/private-files-strict
> @@ -9,6 +9,8 @@
>    audit deny @{HOME}/.ssh/** mrwkl,
>    audit deny @{HOME}/.gnome2_private/** mrwkl,
>    audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
> +  # don't allow access to any gnome-keyring modules
> +  audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
>    audit deny @{HOME}/.mozilla/** mrwkl,
>    audit deny @{HOME}/.config/chromium/** mrwkl,
>    audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
> -- 
> 1.8.3.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20131219/51102203/attachment.pgp>

More information about the AppArmor mailing list