[apparmor] Some profiles
Seth Arnold
seth.arnold at canonical.com
Mon Mar 11 23:07:16 UTC 2013
On Mon, Mar 11, 2013 at 09:12:57PM +0400, "Артём Н." wrote:
> I can't found profiles for some programs, which I use.
> I use Debian OS and make profiles for it, but I hope, if they will be included
> in ubuntu packages, one time they will migrate from ubuntu to Debian. :-)
Thanks for this :)
Probably easiest long-term is to file merge requests (like this one
https://code.launchpad.net/~sdeziel/apparmor-profiles/fix-for-lp1133409/+merge/150605
though I'll admit using these tools is new for me...)
> And I have some questions, for example: can I allow access to the file, if I
> deny it earlier?
What do you mean? If you use the 'deny' keyword, it takes precedence
over the allowed permissions. (It's a cheap-o way to let users write ..
less than optimal policies such as for Firefox while still protecting
e.g. ~/.ssh/ or ~/.gnupg/.)
> Dict:
> # vim:syntax=apparmor
> # Last Modified: Sun Mar 10 20:19:24 2013
> # Author: Artiom N. <artiom14 at yandex.ru>
> #include <tunables/global>
>
> /usr/sbin/dictd {
> #include <abstractions/base>
> #include <abstractions/nameservice>
>
> capability net_bind_service,
> capability setuid,
> capability setgid,
>
> /etc/dictd/** mr,
> /etc/group mr,
> /usr/share/dictd/** mr,
> /usr/sbin/dictd mr,
> /var/lib/dictd/** mrk,
> owner /var/run/dictd.pid mrwk,
> owner /run/dictd.pid mrwk,
> }
This is nice, I've now got this on my Ubuntu 12.10 system and made some
queries succesfully.
> DNSCrypt:
> # Last Modified: Fri Mar 8 15:24:34 2013
> #include <tunables/global>
>
> /usr/sbin/dnscrypt-proxy {
> #include <abstractions/base>
>
> capability sys_resource,
> capability dac_override,
> capability setgid,
> capability setuid,
> capability sys_chroot,
> capability net_bind_service,
> capability net_admin,
> network inet udp,
>
> /etc/nsswitch.conf r,
> /etc/passwd r,
> /usr/sbin/dnscrypt-proxy mr,
> /var/lib/dnscrypt rwk,
>
>
> }
Untested, not looked into how to test...
> Fix for the usr/sbin/unbound:
> /{,var/}run/unbound.pid rw,
> + /run/unbound.pid rw,
That's odd; the first should actually match the second. Can you
reproduce this problem?
>
> My profile for the firefox, I think it's work correctly (now it includes some
> trash):
> ...
These are a bit difficult to grasp; the permissions you removed by
commenting out abstractions is easy enough to understand -- but removing
permissions in profiles is difficult to do, since we don't want an
update to break existing users.
That's not to say every user needs overly permissive profiles, just that
people who want tighter profiles than we ship are probably not going to
be sharing or deploying other's profiles -- they'll want profiles
tailored to their own environment.
On the other hand, if you had to add permissions to the profiles, that'd
be nice to know.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130311/d3557f99/attachment-0001.pgp>
More information about the AppArmor
mailing list