[apparmor] [PATCH] policy updates for ptrace and signal mediation
Jamie Strandboge
jamie at canonical.com
Mon Jun 23 19:07:12 UTC 2014
I thought I sent these ages ago, but alas, I did not. Sorry.

Attached are two patches:

- base-abstraction-ptrace-ipc.patch: adds policy to the base abstraction that
  is basically required on systems using targeted policy. Namely:
  - Allow reciprocal ptrace readby to everyone (requires peer unconfined or to
    ptrace read to us)
  - same for ptrace tracedby
  - allow us to ptrace read ourselves
  - receive all signals from unconfined
  - allow us to signal ourselves
  - allow sending and receiving "exists" (for pid existence)
- dnsmasq-libvirtd-signal-ptrace.patch: allow libvirtd to signal and ptrace us

Both have been used in Ubuntu and are in our latest stable and development
releases (I did add a fix for LP: #1333377[1] that isn't in Ubuntu yet, but
found in practice it is needed quite often). With these changes to the base
abstraction, we found we had to do only minimal changes to shipped policy.

[1] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1333377
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: base-abstraction-ptrace-ipc.patch
Type: text/x-patch
Size: 1328 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140623/add78b14/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq-libvirtd-signal-ptrace.patch
Type: text/x-patch
Size: 734 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140623/add78b14/attachment-0001.bin>
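The rules listed in the message above, written out in AppArmor policy syntax as an added illustration. This is not the content of the scrubbed attachments; the exact rule spellings, the use of `@{profile_name}` and the libvirtd peer name `/usr/sbin/libvirtd` are assumptions.

```apparmor
# Added illustration, not the attached patches. Rule spellings are assumed.

# ---- fragment intended for abstractions/base ----

  # Reciprocal ptrace: any peer may read or trace us, but only if that peer
  # is unconfined or its own profile grants the matching 'read' / 'trace'.
  # Both sides of a ptrace access must allow it.
  ptrace (readby),
  ptrace (tracedby),

  # Let a confined process ptrace-read itself.
  ptrace (read) peer=@{profile_name},

  # Receive any signal sent by an unconfined process.
  signal (receive) peer=unconfined,

  # Let a confined process signal itself.
  signal peer=@{profile_name},

  # The pid existence check is mediated as the "exists" signal;
  # allow it in both directions, to and from any peer.
  signal (receive, send) set=("exists"),

# ---- fragment intended for the dnsmasq profile ----

  # libvirtd manages dnsmasq, so accept its signals and ptrace reads.
  # The peer is matched by profile name (assumed here).
  signal (receive) peer=/usr/sbin/libvirtd,
  ptrace (readby) peer=/usr/sbin/libvirtd,
```

The receiving-side rules only take effect when the sender is unconfined or its own profile carries the corresponding send, read or trace permission.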