[apparmor] [PATCH] policy updates for ptrace and signal mediation
Steve Beattie
steve at nxnw.org
Mon Jun 23 20:06:09 UTC 2014
On Mon, Jun 23, 2014 at 02:07:12PM -0500, Jamie Strandboge wrote:
>
> I thought I sent these ages ago, but alas, I did not. Sorry.
>
> Attached are two patches:
>
> - base-abstraction-ptrace-ipc.patch: adds policy to the base abstraction that
> is basically required on systems using targeted policy. Namely:
> - Allow reciprocal ptrace readby to everyone (requires peer unconfined or to
> ptrace read to us)
> - same for ptrace tracedby
> - allow us to ptrace read ourselves
> - receive all signals from unconfined
> - allow us to signal ourselves
> - allow sending and receiving "exists" (for pid existence)
> - dnsmasq-libvirtd-signal-ptrace.patch: allow libvirtd to signal and ptrace us
>
> Both have been used in Ubuntu and are in our latest stable and development
> releases (I did add a fix for LP: #1333377[1] that isn't in Ubuntu yet, but
> found in practice it is needed quite often). With these changes to the base
> abstraction, we found we had to do only minimal changes to shipped policy.
>
> [1]https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1333377
>
> --
> Jamie Strandboge http://www.ubuntu.com/
> Description: Adjust base abstraction for ptrace and signal mediation
>
> Acked-By: Jamie Strandboge <jamie at canonical.com>
>
> === modified file 'profiles/apparmor.d/abstractions/base'
> --- profiles/apparmor.d/abstractions/base 2013-04-09 01:11:43 +0000
> +++ profiles/apparmor.d/abstractions/base 2014-06-23 18:56:50 +0000
> @@ -103,6 +103,27 @@
> # glibc malloc (man 5 proc)
> @{PROC}/sys/vm/overcommit_memory r,
>
> + # Allow other processes to read our /proc entries, futexes, perf tracing and
> + # kcmp for now
> + ptrace (readby),
> +
> + # Allow other processes to trace us by default (they will need 'trace' in
> + # the first place). Administrators can override with:
> + # deny ptrace (tracedby) ...
> + ptrace (tracedby),
Would these two make more sense for peer=unconfined and
peer=@{profile_name}? Or is the intent to rely on the peer needing
"ptrace read" and "ptrace trace" permissions and not require both
profiles be modified?
> + # Allow us to ptrace read ourselves
> + ptrace (read) peer=@{profile_name},
> +
> + # Allow unconfined processes to send us signals by default
> + signal (receive) peer=unconfined,
> +
> + # Allow us to signal ourselves
> + signal peer=@{profile_name},
> +
> + # Checking for PID existence is quite common so add it by default for now
> + signal (receive, send) set=("exists"),
Ah, sending kill(PID, 0), right.
Acked-by: Steve Beattie <steve at nxnw.org> for at least the 4 rules above.
> # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
> # filesystems generally. This does not appreciably decrease security with
> # Ubuntu profiles because the user is expected to have access to files owned
>
> Author: Jamie Strandboge <jamie at canonical.com>
> Subject: dnsmasq profile updates for signals and ptrace from libvirtd
Acked-by: Steve Beattie <steve at nxnw.org>
> Index: ipc-fixes-and-improvements/profiles/apparmor.d/usr.sbin.dnsmasq
> ===================================================================
> --- ipc-fixes-and-improvements.orig/profiles/apparmor.d/usr.sbin.dnsmasq 2014-03-27 11:03:09.893804000 -0500
> +++ ipc-fixes-and-improvements/profiles/apparmor.d/usr.sbin.dnsmasq 2014-04-03 02:32:55.321315465 -0500
> @@ -25,6 +25,9 @@
> capability net_raw, # for DHCP server ping checks
> network inet raw,
>
> + signal (receive) peer=/usr/sbin/libvirtd,
> + ptrace (readby) peer=/usr/sbin/libvirtd,
> +
> /etc/dnsmasq.conf r,
> /etc/dnsmasq.d/ r,
> /etc/dnsmasq.d/* r,
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140623/06457fd5/attachment.pgp>
More information about the AppArmor
mailing list