[apparmor] [PATCH] 02/04 abstraction updates for abstract, anonymous and netlink

Jamie Strandboge jamie at canonical.com
Wed Aug 27 23:36:27 UTC 2014


On 08/27/2014 05:55 PM, Seth Arnold wrote:
> On Wed, Aug 27, 2014 at 04:47:01PM -0500, Jamie Strandboge wrote:
>> On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
>>
>>> Starting a subthread for some additions to John's patches. This series assumes
>>> John's 12 patches are applied and includes updates to the apparmor.d man page
>>> and some policy updates. I expect I might have to adjust this a bit, but wanted
>>> to send it up for comment. Let's have an ACK mean to apply it once it is safe to
>>> do so.
>>>
>>
>> Attached is a patch for:
>>  - the base abstraction for common abstract and anonymous rules (comments
>>    included per rule)
>>  - dbus-session-strict to add a rule for connecting to the dbus session abstract
>>    socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
>>    explicit label if people preferred that
> 
> I don't like the label=unconfined on the dbus socket -- that would make it
> harder to confine dbus.
> 

Well, on the other hand, if dbus is confined you might want to limit what could
talk to that label which is why I used unconfined here. But, that said, I'm fine
with removing it; I don't feel strongly either way.

>>  - X to add a rule for connecting to the X abstract socket. Same as for
>>    dbus-session-strict
>>  - nameservice to add a rule for connecting to a netlink raw. This change could
>>    possibly be excluded, but applications using networking (at least on Ubuntu)
>>    all seem to need it. Excluding it would mean systems using nscd would need to
>>    add this and ones not using it would have a noisy denial
> 
> Hmm. Netlink grants a lot. Can we make this any finer?
> 
No. The extent of the options AFAICT is:
  network netlink,
  network netlink raw,
  network netlink dgram,

Note, prior to John's patch series, netlink was unconditionally allowed. Also
note, every application I've tested that used networking needs this rule, so it
makes sense to me to add it to an abstraction. Perhaps I could do something like
this:
  # TODO: adjust when finer-grained netlink rules are supported
  # Netlink raw needed for nscd
  network netlink raw,

> Thanks
> 
>>
>>
>> -- 
>> Jamie Strandboge                 http://www.ubuntu.com/
> 
>> Author: Jamie Strandboge <jamie at canonical.com>
>> Description: update policy for abstract sockets. Man page updates
>>
>> Conversion of s/path/addr/ in rules by Steve Beattie
>>   <steve.beattie at canonical.com>
>>
>> ---
>>  profiles/apparmor.d/abstractions/X                   |    3 +++
>>  profiles/apparmor.d/abstractions/base                |   12 ++++++++++++
>>  profiles/apparmor.d/abstractions/dbus-session-strict |    4 ++++
>>  3 files changed, 19 insertions(+)
>>
>> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
>> ===================================================================
>> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/base
>> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
>> @@ -122,6 +122,18 @@
>>    # Checking for PID existence is quite common so add it by default for now
>>    signal (receive, send) set=("exists"),
>>  
>> +  # Allow us to create and use abstract and anonymous sockets
>> +  unix peer=(label=@{profile_name}),
>> +
>> +  # Allow unconfined processes to us via unix sockets
>> +  unix (receive) peer=(label=unconfined),
>> +
>> +  # Allow us to create abstract and anonymous sockets
>> +  unix (create),
>> +
>> +  # Allow us to getattr and shutdown for anonymous sockets
>> +  unix (getattr, shutdown) peer=(addr=none),
>> +
>>    # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
>>    # filesystems generally. This does not appreciably decrease security with
>>    # Ubuntu profiles because the user is expected to have access to files owned
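Review bot: the comment on the second rule, "Allow unconfined processes to us via unix sockets", is missing its verb; since the rule grants only `unix (receive) peer=(label=unconfined)`, "Allow unconfined processes to send to us via unix sockets" states exactly what it permits. The first rule, `unix peer=(label=@{profile_name})`, carries no permission list and therefore grants every unix permission to peers under the same profile; since this lands in `base` and is inherited by essentially every profile, the comment should spell that out rather than just "create and use".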
>> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
>> ===================================================================
>> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/dbus-session-strict
>> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
>> @@ -13,6 +13,10 @@
>>    /etc/machine-id r,
>>    /var/lib/dbus/machine-id r,
>>  
>> +  unix (connect, receive, send)
>> +       type=stream
>> +       peer=(label=unconfined,addr="@/tmp/dbus-*"),
>> +
>>    dbus send
>>         bus=session
>>         path=/org/freedesktop/DBus
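Review bot: `peer=(label=unconfined,addr="@/tmp/dbus-*")` hard-codes the assumption that the session dbus-daemon runs unconfined, so the abstraction stops matching the day a session bus is confined (Seth's objection above); dropping the label and keeping only the addr match, as the cover letter already offers, ties the rule to the socket name rather than to the peer's confinement state. A one-line comment above the rule, in the style of the base hunk (e.g. `# the abstract socket of the session bus`), would also help readers of the abstraction.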
>> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
>> ===================================================================
>> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/X
>> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
>> @@ -22,6 +22,9 @@
>>  
>>    # the unix socket to use to connect to the display
>>    /tmp/.X11-unix/*           w,
>> +  unix (connect, receive, send)
>> +       type=stream
>> +       peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),
>>  
>>    /usr/include/X11/               r,
>>    /usr/include/X11/**             r,
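Review bot: same point as for dbus-session-strict: `peer=(label=unconfined, ...)` breaks as soon as the X server is confined, and the addr match alone already pins the rule to `@/tmp/.X11-unix/X[0-9]*`. The existing comment "the unix socket to use to connect to the display" now sits above two different rules (the filesystem path rule and the abstract-socket rule); a second comment such as `# the abstract socket used to connect to the display` above the new rule would keep the two distinguishable.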
>> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
>> ===================================================================
>> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/nameservice
>> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
>> @@ -87,5 +87,8 @@
>>    network inet  dgram,
>>    network inet6 dgram,
>>  
>> +  # Netlink raw needed for nscd
>> +  network netlink raw,
>> +
>>    # interface details
>>    @{PROC}/@{pid}/net/route r,
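Review bot: this file is missing from the diffstat at the top of the patch (`3 files changed, 19 insertions(+)` lists only X, base and dbus-session-strict), so the header should be regenerated to show 4 files and 22 insertions. The comment `# Netlink raw needed for nscd` also understates the grant: as the reply above notes, netlink raw cannot currently be narrowed, so the TODO proposed there (`# TODO: adjust when finer-grained netlink rules are supported`) belongs in the hunk itself.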
> 
> 
> 
> 
>> -- 
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
> 
> 


-- 
Jamie Strandboge                 http://www.ubuntu.com/
