[apparmor] Fwd: MariaDB AppArmor

Otto Kekäläinen otto at seravo.fi
Fri Apr 18 06:40:51 UTC 2014


Hello!

Just as a reminder about this topic: at the moment MariaDB 5.5 has no
effective AppArmor profile. I am happy to accept pull requests /
patches for it, if somebody more knowledgeable in AppArmor profile
generation wants to supply one.

Debian official packaging repo:
http://anonscm.debian.org/gitweb/?p=pkg-mysql/mariadb-5.5.git
A GitHub mirror for easy pull requests: https://github.com/ottok/mariadb-5.5


2014-02-22 19:49 GMT+02:00 Otto Kekäläinen <otto at seravo.fi>:
> Hello!
>
> 2014-02-22 19:41 GMT+02:00 Felix Geyer <debfx at ubuntu.com>:
>> -Slave_open_temp_tables 0
>> +Slave_open_temp_tables 1
>>
>> mysqltest: Result content mismatch
>>
>> not ok
>
> This is ok, this "error" is not marked as an actual error in the test
> suite and it happens at least in all of the build environments I use.
>
>
>> There are a few denied permissions:
>>
>> apparmor="DENIED" operation="mknod" parent=13650 profile="/usr/sbin/mysqld"
>> name="/usr/share/mysql/mysql-test/<hostname>.lower-test" pid=13654 comm="mysqld"
>> requested_mask="c" denied_mask="c" fsuid=0 ouid=0
>> apparmor="DENIED" operation="open" parent=26824 profile="/usr/sbin/mysqld" name="/etc/" pid=26826
>> comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> apparmor="DENIED" operation="open" parent=26863 profile="/usr/sbin/mysqld" name="/etc/pam.d/other"
>> pid=26895 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> apparmor="DENIED" operation="capable" parent=27197 profile="/usr/sbin/mysqld" pid=27231
>> comm="mysqld" pid=27231 comm="mysqld" capability=36  capname="block_suspend"
>>
>> Just before the access to /etc/pam.d/other mariadb logs:
>> mysqld: PAM pam_end: NULL pam handle passed
>>
>> The first one is obviously only requested by the test suite, not sure about the others.
>
>
> I guess it is ok to add mysql-test paths to the profile, as an
> attacker would not benefit from such access anyway.
>
> Unlike MySQL, MariaDB has PAM authentication integration. So that
> probably needs some extra AppArmor rules too?
>
>
> Please send me an updated profile if you are handy at writing them :)
>
> - Otto



-- 
Check out our blog at http://seravo.fi/blog
and follow @ottokekalainen
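
Added example, not part of the original thread or of the MariaDB packaging: a Python script that turns the denial records quoted above into candidate profile rules for human review. The function names and the mask-to-permission table are assumptions of this example; the log lines are the ones from the thread, rejoined onto one line each.

```python
import re

# Denials quoted in the thread, rejoined onto one line each (the archive wrapped them).
SAMPLE_LOG = '''\
apparmor="DENIED" operation="mknod" parent=13650 profile="/usr/sbin/mysqld" name="/usr/share/mysql/mysql-test/<hostname>.lower-test" pid=13654 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
apparmor="DENIED" operation="open" parent=26824 profile="/usr/sbin/mysqld" name="/etc/" pid=26826 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" parent=26863 profile="/usr/sbin/mysqld" name="/etc/pam.d/other" pid=26895 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="capable" parent=27197 profile="/usr/sbin/mysqld" pid=27231 comm="mysqld" pid=27231 comm="mysqld" capability=36  capname="block_suspend"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letter -> profile permission. Create (c) and delete (d) are granted
# by "w". Exec (x) is left out on purpose: it needs a manual ix/px/cx decision.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}

def parse_denial(line):
    """Return the key=value fields of one audit record, or None if it is not a denial."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def candidate_rule(fields):
    """Map one denial to a profile rule line, or None when it needs manual handling."""
    if fields.get("operation") == "capable":
        capname = fields.get("capname")
        return "capability %s," % capname if capname else None
    perms = []
    for letter in fields.get("denied_mask", ""):
        perm = MASK_TO_PERM.get(letter)
        if perm is None:
            return None
        if perm not in perms:
            perms.append(perm)
    if not perms or "name" not in fields:
        return None
    return "%s %s," % (fields["name"], "".join(perms))

def candidate_rules(log_text, profile="/usr/sbin/mysqld"):
    """Count candidate rules for every denial logged against the given profile."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None or fields.get("profile") != profile:
            continue
        rule = candidate_rule(fields)
        if rule:
            rules[rule] = rules.get(rule, 0) + 1
    return rules
```

Each emitted line is a candidate to review before it goes into the profile; the `<hostname>` placeholder is kept exactly as it appears in the quoted log.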