[apparmor] Apparmor profile for mtr
Steve Beattie
steve at nxnw.org
Tue May 14 20:14:38 UTC 2013
On Tue, May 14, 2013 at 06:13:23PM +0300, Kaan Özdinçer wrote:
> We talked about meeting with cboltz and he wrote me an email below.
> Because of that, I tried to make an apparmor profile for *mtr*
For confinement purposes, mtr is a nice, well-contained, and alas,
setuid root, program. Depending on your interests, it may be
interesting to see the issues around confining something more complex.
This profile looks good, though a couple of things:
> #include <tunables/global>
>
> /usr/sbin/mtr {
On debian/ubuntu, the path is /usr/bin/mtr, so changing the above to
/usr/{s,}bin/mtr
would work there as well.
> #include <abstractions/base>
> #include <abstractions/nameservice>
>
>
> capability net_raw,
> capability setgid,
> capability setuid,
>
> network inet raw,
> network inet6 raw,
>
>
> /usr/sbin/mtr mr,
Same path issue here.
> /usr/share/terminfo/x/xterm r,
I didn't end up needing this; however, my testing was with the X-less
version in the debian/ubuntu mtr-tiny package. More likely, you might
want to grant read access to /usr/share/terminfo/**, to compensate
for different terminal types.
>
> }
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
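
The quoted profile with both suggestions from this reply applied (the /usr/{s,}bin/mtr alternation and read access to /usr/share/terminfo/**), as an added example that is not part of the original message. All other rules are unchanged from the quoted profile.

```apparmor
#include <tunables/global>

# {s,} alternation matches both /usr/sbin/mtr and /usr/bin/mtr (Debian/Ubuntu)
/usr/{s,}bin/mtr {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # mtr is setuid root: it opens raw sockets, then changes uid/gid
  capability net_raw,
  capability setgid,
  capability setuid,

  network inet raw,
  network inet6 raw,

  # the binary itself, under either install path
  /usr/{s,}bin/mtr mr,

  # read-only terminfo for any terminal type, not only xterm
  /usr/share/terminfo/** r,
}
```

After editing, reload the profile with `apparmor_parser -r` on the profile file and check the audit log for remaining denials.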