[apparmor] add profile for lessopen
Christian Boltz
apparmor at cboltz.de
Mon Dec 22 17:27:30 UTC 2014
Hello,
(CC'ing Marcus to make sure he notices the discussion)
On Monday, 22 December 2014, John Johansen wrote:
> On 12/21/2014 08:34 AM, Christian Boltz wrote:
> > this patch adds a profile for lessopen.sh which handles programs
> > automatically executed by less (for example to get a file list out
> > of tarballs).
> >
> > Patch by Marcus Meissner <meissner at suse.com>
> >
> > References: https://bugzilla.opensuse.org/show_bug.cgi?id=906858
>
> So I don't have any objections to the patch besides the comment
> below.
>
> I question if it should be in the base profile set but can't
> really think of a reason it shouldn't be as with the broad read
> permissions, it shouldn't cause breakage unless the exec list
> is incomplete.
Exactly - I'm also not afraid of breaking something (and if we are
wrong, bug reports will tell us ;-)
> That said, it begs the question about confining less (harder)
> and whether this would be better as a subprofile of it.
>
> > +Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
> > +===================================================================
> > +--- /dev/null
> > ++++ apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
> > +@@ -0,0 +1,39 @@
> > ++# Last Modified: Fri Nov 28 08:01:09 2014
> > ++#include <tunables/global>
> > ++
> > ++/usr/bin/lessopen.sh {
> > ++ #include <abstractions/base>
> > ++ #include <abstractions/bash>
> > ++ #include <abstractions/consoles>
> > ++ #include <abstractions/perl>
> > ++
> > ++ /** rk,
> > ++ /bin/bash ix,
> > ++ /bin/rpm rix,
> > ++ /bin/tar rix,
> > ++ /tmp/less.* rw,
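Review bot: `/tmp/less.* rw,` at the end of this block has no `owner` qualifier, and because `/bin/bash`, `/bin/rpm` and `/bin/tar` are executed with `ix`, they run under this same profile and inherit that write access together with `/** rk,`. Suggest `owner /tmp/less.* rw,` and keeping the write rule in its own group, apart from the exec rules, so the helpers' effective permissions are easy to audit.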
>
> could we move the rw perms to a separate section from the exec perms
A quick look at the lessopen.sh script indicates that writing the
tempfile is done by using output redirection, so only lessopen.sh needs
write access.
Maybe we could change all the rix rules to "Cx -> less_helpers" and give
the "less_helpers" hat only "/** rk," permissions.
We could also Cx less into the "less_helpers" subprofile and only give
it read access - however I think it's unlikely that less destroys the
(temp)files it has to display ;-)
Oh, and we could probably restrict write access to the owner ;-)
> > ++ /usr/bin/bzip2 rix,
> > ++ /usr/bin/cabextract rix,
...
> > ++ #include <local/usr.bin.lessopen.sh>
>
> I'd like to see a stub file here to go along with the patch
profiles/Makefile generates the local/* stubs for all profiles, so
there's no need to add them manually.
Regards,
Christian Boltz
--
> At least Netscape 4 is consistent on some pages. You remember my
> big project? There it reliably crashes after 2 clicks at the
> latest ;-)) So the problem of differing rendering is
> solved...
Suicide due to well-founded fear of failure. Wink-wink... :-)
[> Christian Boltz and Ratti in fontlinge-devel]
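The two permission points raised in this thread (helpers executed with `ix` inherit the profile's write rule, and the write rule is not limited to the owner) can be checked mechanically. The following is an added example, not part of the original mail or of AppArmor's own tooling; the simplified rule grammar, the function names and the finding labels are assumptions.

```python
import re

# Rules visible in the quoted patch; lines the mail elides ("...") are omitted.
PROFILE = """\
/usr/bin/lessopen.sh {
  /** rk,
  /bin/bash ix,
  /bin/rpm rix,
  /bin/tar rix,
  /tmp/less.* rw,
  /usr/bin/bzip2 rix,
  /usr/bin/cabextract rix,
}
"""

# Simplified file-rule grammar (assumption): [owner] <path> <perms> [-> target],
RULE = re.compile(r"^\s*(?P<owner>owner\s+)?(?P<path>/\S*)\s+"
                  r"(?P<perms>[A-Za-z]+)\s*(?:->\s*\S+?\s*)?,")
# Exec transition modes: ix, px/Px, cx/Cx, ux/Ux and the pix/cux style fallbacks.
EXEC = re.compile(r"(?:[pPcC][iu]?|[iuU])x")


def parse_rules(text):
    """One dict per file rule; header, #include and brace lines do not match."""
    rules = []
    for m in filter(None, map(RULE.match, text.splitlines())):
        mode = EXEC.search(m["perms"])
        rules.append({"path": m["path"], "owner": bool(m["owner"]),
                      "exec": mode.group(0) if mode else None,
                      "access": EXEC.sub("", m["perms"])})
    return rules


def inherited_helpers(text):
    """Paths executed with ix, i.e. running under this same profile."""
    return [r["path"] for r in parse_rules(text) if r["exec"] == "ix"]


def audit(text):
    """Flag write/append rules that lack 'owner' or are shared with ix helpers."""
    findings = []
    shared = bool(inherited_helpers(text))
    for r in parse_rules(text):
        if not set(r["access"]) & {"w", "a"}:
            continue
        if not r["owner"]:
            findings.append(("write-without-owner", r["path"]))
        if shared:
            findings.append(("write-inherited-by-ix", r["path"]))
    return findings
```

Calling `audit(PROFILE)` reports both findings for `/tmp/less.*`. A variant with `owner` added and the `rix` rules switched to `Cx -> less_helpers` still reports the inheritance finding, because `/bin/bash ix,` remains.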