[apparmor] [PATCH] 02/04 abstraction updates for abstract, anonymous and netlink

Seth Arnold seth.arnold at canonical.com
Wed Sep 3 19:16:00 UTC 2014


On Wed, Sep 03, 2014 at 02:06:15PM -0500, Jamie Strandboge wrote:
> On 08/29/2014 08:57 AM, Jamie Strandboge wrote:
> > On 08/27/2014 06:36 PM, Jamie Strandboge wrote:
> >> # TODO: adjust when support finer-grained netlink rules
> > 
> > I've added this comment to the preliminary patchset.
> > 
> Updated to allow getopt and setopt, which turns out to be extremely common:
> 
>    # Allow us to getattr, getopt, setop and shutdown for anonymous sockets
>    unix (getattr, getopt, setopt, shutdown) peer=(addr=none),
> 
> 
> -- 
> Jamie Strandboge                 http://www.ubuntu.com/

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks


> Author: Jamie Strandboge <jamie at canonical.com>
> Description: update policy for abstract sockets. Man page updates
> Forwarded: yes
> 
> Conversion of s/path/addr/ in rules by Steve Beattie
>   <steve.beattie at canonical.com>
> 
> ---
>  profiles/apparmor.d/abstractions/X                   |    3 +++
>  profiles/apparmor.d/abstractions/base                |   12 ++++++++++++
>  profiles/apparmor.d/abstractions/dbus-session-strict |    4 ++++
>  3 files changed, 19 insertions(+)
> 
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/base
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
> @@ -122,6 +122,18 @@
>    # Checking for PID existence is quite common so add it by default for now
>    signal (receive, send) set=("exists"),
>  
> +  # Allow us to create and use abstract and anonymous sockets
> +  unix peer=(label=@{profile_name}),
> +
> +  # Allow unconfined processes to us via unix sockets
> +  unix (receive) peer=(label=unconfined),
> +
> +  # Allow us to create abstract and anonymous sockets
> +  unix (create),
> +
> +  # Allow us to getattr, getopt, setop and shutdown for anonymous sockets
> +  unix (getattr, getopt, setopt, shutdown) peer=(addr=none),
> +
>    # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
>    # filesystems generally. This does not appreciably decrease security with
>    # Ubuntu profiles because the user is expected to have access to files owned
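Review bot: the comment on the first added rule, "Allow us to create and use abstract and anonymous sockets", does not describe the rule beneath it: `unix peer=(label=@{profile_name}),` carries no access list, so it grants every unix socket permission, but only toward peers carrying our own label, and socket creation has no peer at all, which is why the separate `unix (create),` rule three lines further down is needed. Suggest "Allow us to communicate with ourselves over abstract and anonymous sockets" for the first comment. The second comment, "Allow unconfined processes to us via unix sockets", is missing its verb ("to send to us"), and "setop" in the last comment should read "setopt". Because this is the base abstraction, the `unix (receive) peer=(label=unconfined),` rule lands in nearly every profile on the system; it is worth saying in the patch description that it is deliberately receive-only, so a confined process is still unable to initiate a unix socket connection to an unconfined one, and that the trade-off was considered.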
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/dbus-session-strict
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
> @@ -13,6 +13,10 @@
>    /etc/machine-id r,
>    /var/lib/dbus/machine-id r,
>  
> +  unix (connect, receive, send)
> +       type=stream
> +       peer=(label=unconfined,addr="@/tmp/dbus-*"),
> +
>    dbus send
>         bus=session
>         path=/org/freedesktop/DBus
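Review bot: the new rule pins the peer to `label=unconfined`, so any session bus daemon that is itself confined by a profile will be refused, and the abstraction will then need a second rule for that label; the patch description should state that an unconfined session bus is the assumption. Unlike the hunk in base, this rule has no comment; suggest one line above it, such as "# the abstract socket of the session bus (see @/tmp/dbus-* in DBUS_SESSION_BUS_ADDRESS)", so that a reader knows why `addr="@/tmp/dbus-*"` is matched and that `addr=` is the post s/path/addr/ spelling of the key.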
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/X
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
> @@ -22,6 +22,9 @@
>  
>    # the unix socket to use to connect to the display
>    /tmp/.X11-unix/*           w,
> +  unix (connect, receive, send)
> +       type=stream
> +       peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),
>  
>    /usr/include/X11/               r,
>    /usr/include/X11/**             r,
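Review bot: the pattern `addr="@/tmp/.X11-unix/X[0-9]*"` is looser than it looks, because `*` in AppArmor globbing matches any run of characters other than `/`, so it matches `X0` and `X1` but also `X1anything`; if that is intended, a comment saying so avoids someone tightening it later and breaking displays numbered 10 and above. As in the dbus-session-strict hunk, the rule only covers an unconfined X server. Also consider a comment above the rule distinguishing it from the existing `/tmp/.X11-unix/* w,` file rule just above it: that rule covers the filesystem socket, while the new rule covers the abstract socket of the same name, and both are needed because X clients may use either.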
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/nameservice
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
> @@ -87,5 +87,9 @@
>    network inet  dgram,
>    network inet6 dgram,
>  
> +  # TODO: adjust when support finer-grained netlink rules
> +  # Netlink raw needed for nscd
> +  network netlink raw,
> +
>    # interface details
>    @{PROC}/@{pid}/net/route r,
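Review bot: the diffstat at the top of the patch lists three files and 19 insertions but does not include this change to profiles/apparmor.d/abstractions/nameservice, so it needs regenerating before the patch is committed. On the rule itself, `network netlink raw,` admits every netlink protocol family to every profile that includes nameservice, which the TODO acknowledges; it would help whoever later narrows this if the comment recorded which netlink family nscd actually needs rather than just "Netlink raw needed for nscd".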

> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
