[apparmor] [patch] Change /bin/ paths in profiles to also match on /usr/bin/
John Johansen
john.johansen at canonical.com
Tue Oct 20 20:48:14 UTC 2015
On 09/18/2015 12:54 PM, Christian Boltz wrote:
> Hello,
>
> oftc_ftw reported on IRC that Arch Linux has a symlink /bin -> /usr/bin.
> This means we have to update paths for /bin/ in several profiles to also
> allow /usr/bin/.
>
> I propose this patch for trunk and 2.9.
>
>
So for these types of things I prefer a var to the use of alias. I really
don't like how alias hides things. It has its place but I think of it more
as a site specific solution than something that should be shipped in policy.
While I would like to see this little regex moved to a var, I think this
is fine the way it is and can go in now.
Acked-by: John Johansen <john.johansen at canonical.com>
> [ profiles-usrmove-bin.diff ]
>
> === modified file ./profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
> --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common 2013-07-05 20:40:57.568842000 +0200
> +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common 2015-09-18 21:44:06.939854258 +0200
> @@ -5,10 +5,10 @@
> #
> @{PROC}/@{pid}/fd/ r,
> /usr/lib/** rm,
> - /bin/bash ixr,
> - /bin/dash ixr,
> - /bin/grep ixr,
> - /bin/sed ixr,
> + /{,usr/}bin/bash ixr,
> + /{,usr/}bin/dash ixr,
> + /{,usr/}bin/grep ixr,
> + /{,usr/}bin/sed ixr,
> /usr/bin/m4 ixr,
>
> # Since all the ubuntu-browsers.d abstractions need this, just include it
> === modified file ./profiles/apparmor.d/apache2.d/phpsysinfo
> --- profiles/apparmor.d/apache2.d/phpsysinfo 2014-10-15 20:19:34.705810000 +0200
> +++ profiles/apparmor.d/apache2.d/phpsysinfo 2015-09-18 21:41:48.387810179 +0200
> @@ -8,10 +8,10 @@
> #include <abstractions/php5>
> #include <abstractions/python>
>
> - /bin/dash ixr,
> - /bin/df ixr,
> - /bin/mount ixr,
> - /bin/uname ixr,
> + /{,usr/}bin/dash ixr,
> + /{,usr/}bin/df ixr,
> + /{,usr/}bin/mount ixr,
> + /{,usr/}bin/uname ixr,
> /dev/bus/usb/ r,
> /dev/bus/usb/** r,
> /etc/debian_version r,
> === modified file ./profiles/apparmor.d/bin.ping
> --- profiles/apparmor.d/bin.ping 2013-07-05 20:40:57.568842000 +0200
> +++ profiles/apparmor.d/bin.ping 2015-09-18 21:42:14.850290670 +0200
> @@ -19,7 +19,7 @@
> capability setuid,
> network inet raw,
>
> - /bin/ping mixr,
> + /{,usr/}bin/ping mixr,
> /etc/modules.conf r,
>
> # Site-specific additions and overrides. See local/README for details.
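Review bot: The updated rule `/{,usr/}bin/ping mixr,` only covers the in-profile exec path; the profile's attachment specification at the head of bin.ping is outside this hunk, and if it is still the bare `/bin/ping` the profile presumably never attaches on a merged-/usr system, where the binary's resolved path is /usr/bin/ping, so ping would run unconfined rather than under the widened rule. Please confirm the profile header was changed to `/{,usr/}bin/ping` in the same patch, otherwise the new exec rule has no effect on the systems this change targets. The same check seems worth doing for the other path-attached profiles in this series whose headers are not shown in the hunks.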
> === modified file ./profiles/apparmor.d/usr.sbin.dnsmasq
> --- profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-18 19:19:23.099960000 +0200
> +++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-18 21:41:04.976302904 +0200
> @@ -47,7 +47,7 @@
>
> /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
>
> - /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
> + /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
>
> # access to iface mtu needed for Router Advertisement messages in IPv6
> # Neighbor Discovery protocol (RFC 2461)
> === modified file ./profiles/apparmor.d/usr.sbin.smbldap-useradd
> --- profiles/apparmor.d/usr.sbin.smbldap-useradd 2013-07-05 20:40:57.568842000 +0200
> +++ profiles/apparmor.d/usr.sbin.smbldap-useradd 2015-09-18 21:42:52.370136220 +0200
> @@ -8,7 +8,7 @@
> #include <abstractions/perl>
>
> /dev/tty rw,
> - /bin/bash ix,
> + /{,usr/}bin/bash ix,
> /etc/init.d/nscd Cx,
> /etc/shadow r,
> /etc/smbldap-tools/smbldap.conf r,
> @@ -26,9 +26,9 @@
>
> capability sys_ptrace,
>
> - /bin/bash r,
> - /bin/mountpoint rix,
> - /bin/systemctl rix,
> + /{,usr/}bin/bash r,
> + /{,usr/}bin/mountpoint rix,
> + /{,usr/}bin/systemctl rix,
> /dev/tty rw,
> /etc/init.d/nscd r,
> /etc/rc.status r,
>
>
> Regards,
>
> Christian Boltz
>