[apparmor] [patch] [2.8 branch] Backport profile additions from the 2.9 branch
Christian Boltz
apparmor at cboltz.de
Thu Apr 14 12:23:58 UTC 2016
Hello,
this patch backports most profile additions from the latest 2.9 branch
r3004, with the exception of new rule types (2.8 doesn't support dbus,
ptrace etc.) and some noisy cleanups (like /proc/*/ -> @{PROC}/@{pid}/).
I'll submit this patch as an update for openSUSE 13.1 (which still ships AppArmor
2.8.4), so I would like to get a review as soon as possible ;-)
(See also the mail I sent some minutes ago.)
[ backport-profile-additions-from-2.9.diff ]
=== modified file 'profiles/apparmor.d/abstractions/X'
--- profiles/apparmor.d/abstractions/X 2013-01-04 17:45:19 +0000
+++ profiles/apparmor.d/abstractions/X 2016-04-14 12:13:08 +0000
@@ -19,6 +19,8 @@
@{HOME}/.Xauthority r,
owner /{,var/}run/gdm{,3}/*/database r,
owner /{,var/}run/lightdm/authority/[0-9]* r,
+ owner /{,var/}run/lightdm/*/xauthority r,
+ owner /{,var/}run/user/*/gdm/Xauthority r,
# the unix socket to use to connect to the display
/tmp/.X11-unix/* w,
@@ -32,9 +34,13 @@
/usr/share/X11/** r,
/usr/X11R6/**.so* mr,
+ # EGL
+ /usr/lib/@{multiarch}/egl/*.so* mr,
+
# DRI
/usr/lib{,32,64}/dri/** mr,
/usr/lib/@{multiarch}/dri/** mr,
+ /usr/lib/fglrx/dri/** mr,
/dev/dri/** rw,
/etc/drirc r,
owner @{HOME}/.drirc r,
=== modified file 'profiles/apparmor.d/abstractions/aspell'
--- profiles/apparmor.d/abstractions/aspell 2012-01-18 18:15:57 +0000
+++ profiles/apparmor.d/abstractions/aspell 2016-04-14 12:13:08 +0000
@@ -8,4 +8,6 @@
/usr/lib/aspell/ r,
/usr/lib/aspell/* r,
/usr/lib/aspell/*.so m,
+ /usr/share/aspell/ r,
+ /usr/share/aspell/* r,
/var/lib/aspell/* r,
=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base 2013-04-09 13:18:40 +0000
+++ profiles/apparmor.d/abstractions/base 2016-04-14 12:13:08 +0000
@@ -26,12 +26,14 @@
/etc/locale/** r,
/etc/locale.alias r,
/etc/localtime r,
+ /usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
+ /{,var/}run/systemd/journal/dev-log w,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
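Review bot: The new `/{,var/}run/systemd/journal/dev-log w,` rule sits in the middle of the locale rules with nothing saying it is the journald socket that `/dev/log` points at on systemd hosts, so a reader auditing why every confined process may write to a socket under /run has to guess. I would keep the rule but give it its own comment, e.g. `# journald's syslog socket (/dev/log is a symlink to it on systemd systems)`, and put it next to the existing `/dev/log w,` rule if this abstraction has one, which I cannot see from the hunk. On the 2.8 branch there are no unix socket rules, so the `w` file permission is what permits the connect; since base is included by nearly every profile, a note that this grants send access to the system log is worth having.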
@@ -103,6 +105,9 @@
# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,
+ # Allow determining the highest valid capability of the running kernel
+ @{PROC}/sys/kernel/cap_last_cap r,
+
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
=== modified file 'profiles/apparmor.d/abstractions/cups-client'
--- profiles/apparmor.d/abstractions/cups-client 2012-01-06 16:45:34 +0000
+++ profiles/apparmor.d/abstractions/cups-client 2016-04-14 12:13:08 +0000
@@ -12,7 +12,7 @@
# discoverable system configuration for non-local cupsd
/etc/cups/client.conf r,
# client should be able to talk the local cupsd
- /{,var/}run/cups/cups.sock w,
+ /{,var/}run/cups/cups.sock rw,
# client should be able to read user-specified cups configuration
owner @{HOME}/.cups/client.conf r,
owner @{HOME}/.cups/lpoptions r,
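Review bot: The change from `w` to `rw` on `cups.sock` is not explained by the comment above it, which still says only that the client should be able to talk to the local cupsd. Connecting to a unix socket needs only `w`, so the added `r` is presumably for something that probes the socket before connecting (an `access()`/`stat()`-style check in libcups) — worth stating, e.g. `# rw: libcups checks the socket for readability before connecting (see the denial that motivated this)`. Without that, the next cleanup of this abstraction is likely to drop the `r` again.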
=== modified file 'profiles/apparmor.d/abstractions/fonts'
--- profiles/apparmor.d/abstractions/fonts 2013-10-14 23:31:38 +0000
+++ profiles/apparmor.d/abstractions/fonts 2016-04-14 12:13:08 +0000
@@ -52,3 +52,6 @@
# poppler CMap tables
/usr/share/poppler/cMap/** r,
+
+ # data files for LibThai
+ /usr/share/libthai/thbrk.tri r,
=== modified file 'profiles/apparmor.d/abstractions/freedesktop.org'
--- profiles/apparmor.d/abstractions/freedesktop.org 2014-09-11 00:40:14 +0000
+++ profiles/apparmor.d/abstractions/freedesktop.org 2016-04-14 12:13:08 +0000
@@ -11,6 +11,7 @@
# system configuration
/usr/share/applications/ r,
+ /usr/share/applications/defaults.list r,
/usr/share/applications/mimeinfo.cache r,
/usr/share/applications/*.desktop r,
/usr/share/icons/ r,
@@ -30,6 +31,7 @@
owner @{HOME}/.recently-used.xbel* rw,
owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.config/user-dirs.dirs r,
+ owner @{HOME}/.config/mimeapps.list r,
owner @{HOME}/.local/share/applications/ r,
owner @{HOME}/.local/share/applications/*.desktop r,
owner @{HOME}/.local/share/applications/defaults.list r,
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2014-11-17 23:28:51 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2016-04-14 12:13:08 +0000
@@ -26,12 +26,21 @@
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
+ # When using sssd, the passwd and group files are stored in an alternate path
+ # and the nss plugin also needs to talk to a pipe
+ /var/lib/sss/mc/group r,
+ /var/lib/sss/mc/passwd r,
+ /var/lib/sss/pipes/nss rw,
+
/etc/resolv.conf r,
# on systems using resolvconf, /etc/resolv.conf is a symlink to
# /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
# /etc/resolvconf/run/resolv.conf
/{,var/}run/resolvconf/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
+ # on systems using systemd's networkd, /etc/resolv.conf is a symlink to
+ # /run/systemd/resolve/resolv.conf
+ /{,var/}run/systemd/resolve/resolv.conf r,
/etc/samba/lmhosts r,
/etc/services r,
=== modified file 'profiles/apparmor.d/abstractions/p11-kit'
--- profiles/apparmor.d/abstractions/p11-kit 2013-09-12 14:25:56 +0000
+++ profiles/apparmor.d/abstractions/p11-kit 2016-04-14 12:13:08 +0000
@@ -19,6 +19,9 @@
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
+ # gnome-keyring pkcs11 module
+ owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
+
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
# included in this abstraction.
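Review bot: The new `owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,` rule lets every profile that includes this abstraction talk to the user's gnome-keyring PKCS#11 socket, i.e. use whatever keys and certificates the keyring holds, which is a much larger grant than the trust-store reads around it. The comment just below this hunk already argues that user-level `~/.pkcs11` configuration should not be in the shared abstraction; the keyring socket is in the same category. I would either move it to its own abstraction (or to the profiles that actually need it) or at least spell out the consequence, e.g. `# gnome-keyring pkcs11 module socket: grants use of keys stored in the user's keyring`.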
=== modified file 'profiles/apparmor.d/abstractions/php5'
--- profiles/apparmor.d/abstractions/php5 2010-03-30 17:34:32 +0000
+++ profiles/apparmor.d/abstractions/php5 2016-04-14 12:13:08 +0000
@@ -11,8 +11,8 @@
# ------------------------------------------------------------------
# shared snippets for config files
- /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
- /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
+ /etc/php5/**/ r,
+ /etc/php5/**.ini r,
# Xlibs
/usr/X11R6/lib{,32,64}/lib*.so* mr,
@@ -30,3 +30,6 @@
# MySQL extension
/usr/share/mysql/** r,
+
+ # Zend opcache
+ /tmp/.ZendSem.* rwlk,
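Review bot: `/tmp/.ZendSem.* rwlk,` is an unqualified glob in a world-writable directory and it includes link (`l`) permission, so any process running under a profile that includes php5 may create, write, lock and hard-link any file matching that name in /tmp, including one planted by another local user. If the opcache semaphore file is only ever handled by the PHP process itself, `owner /tmp/.ZendSem.* rwlk,` keeps the same functionality while refusing foreign files; if `l` is not actually needed, drop it as well. Since php5 is shared by several profiles (this patch includes it from phpsysinfo too), a short comment on why the semaphore lives in /tmp would help future audits.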
=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2013-12-23 21:16:59 +0000
+++ profiles/apparmor.d/abstractions/samba 2016-04-14 12:13:08 +0000
@@ -13,7 +13,7 @@
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/samba/ w,
- /var/lib/samba/**.tdb rwk,
+ /var/lib/samba/** rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
/var/log/samba/log.* w,
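Review bot: Dropping the `.tdb` suffix turns `/var/lib/samba/**.tdb rwk` into write-and-lock access to every file and directory under /var/lib/samba — on most distributions that includes the `private/` directory holding secrets — and the hunk gives no hint which non-tdb files needed it. If the motivating denials were for a known set (lock files, or the directories themselves), listing them keeps the abstraction tighter; if the whole tree really is required, say so above the rule, e.g. `# samba writes more than *.tdb here (lock files, directories); whole tree needed`. No exec permission is granted, so the widening is bounded, but it is now the broadest file rule in this abstraction.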
=== modified file 'profiles/apparmor.d/abstractions/ssl_certs'
--- profiles/apparmor.d/abstractions/ssl_certs 2013-11-25 23:42:19 +0000
+++ profiles/apparmor.d/abstractions/ssl_certs 2016-04-14 12:13:08 +0000
@@ -12,6 +12,10 @@
/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/certs/* r,
+ /etc/pki/trust/ r,
+ /etc/pki/trust/* r,
+ /etc/pki/trust/anchors/ r,
+ /etc/pki/trust/anchors/** r,
/usr/share/ca-certificates/ r,
/usr/share/ca-certificates/** r,
/usr/share/ssl/certs/ca-bundle.crt r,
@@ -19,3 +23,7 @@
/usr/local/share/ca-certificates/** r,
/var/lib/ca-certificates/ r,
/var/lib/ca-certificates/** r,
+
+ # acmetool
+ /var/lib/acme/certs/*/chain r,
+ /var/lib/acme/certs/*/cert r,
=== modified file 'profiles/apparmor.d/abstractions/ssl_keys'
--- profiles/apparmor.d/abstractions/ssl_keys 2010-12-20 20:29:10 +0000
+++ profiles/apparmor.d/abstractions/ssl_keys 2016-04-14 12:13:08 +0000
@@ -16,3 +16,7 @@
/etc/ssl/ r,
/etc/ssl/** r,
+ # acmetool
+ /var/lib/acme/live/* r,
+ /var/lib/acme/certs/** r,
+ /var/lib/acme/keys/** r,
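Review bot: `/var/lib/acme/live/* r,` is probably ineffective on its own: AppArmor mediates the resolved path, so a program that opens a key through a `live/<name>` symlink is checked against the `keys/**` or `certs/**` rule, and the `live/*` rule only matters for `readlink`/`lstat` on the symlink entries themselves (and `*` does not match anything below them). A comment saying what it is for, or `/var/lib/acme/live/** r,` if callers actually traverse via live/, would make the intent clear. Note also that `certs/**` here is wider than the `certs/*/{cert,chain}` rules added to ssl_certs in the same patch; that is reasonable for a keys abstraction but worth a cross-reference comment.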
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/java'
--- profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2013-01-03 23:37:41 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2016-04-14 12:13:08 +0000
@@ -12,6 +12,8 @@
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
/usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
+ owner /{,var/}run/user/*/icedteaplugin-*/ rw,
+ owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
# Profile for the supported OpenJDK in Ubuntu. This doesn't require the
# unfortunate workarounds of the proprietary Javas, so have a separate
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia'
--- profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia 2013-01-09 23:15:59 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia 2016-04-14 12:13:08 +0000
@@ -55,3 +55,6 @@
# Virus scanners
/usr/bin/clamscan Cx -> sanitized_helper,
+
+ # gxine (LP: #1057642)
+ /var/lib/xine/gxine.desktop r,
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common'
--- profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common 2012-01-17 14:22:11 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common 2016-04-14 12:13:08 +0000
@@ -5,10 +5,10 @@
#
@{PROC}/[0-9]*/fd/ r,
/usr/lib/** rm,
- /bin/bash ixr,
- /bin/dash ixr,
- /bin/grep ixr,
- /bin/sed ixr,
+ /{,usr/}bin/bash ixr,
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/grep ixr,
+ /{,usr/}bin/sed ixr,
/usr/bin/m4 ixr,
# Since all the ubuntu-browsers.d abstractions need this, just include it
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration'
--- profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2013-07-01 15:51:11 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2016-04-14 12:13:08 +0000
@@ -33,3 +33,9 @@
/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
+
+ # unity webapps integration. Could go in its own abstraction
+ owner /run/user/*/dconf/user rw,
+ owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
+ /usr/bin/debconf-communicate Cxr -> sanitized_helper,
+ owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
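Review bot: `owner /run/user/*/dconf/user rw,` is written with a bare `/run/` while every other runtime-dir rule in this patch uses the `/{,var/}run/` form that also accepts `/var/run/`; on a system where `/var/run` is the canonical path this rule silently never matches. Make it `owner /{,var/}run/user/*/dconf/user rw,` for consistency. The `Cxr -> sanitized_helper` transition for debconf-communicate and the `rk` on accounts.db look fine; the "could go in its own abstraction" remark is worth acting on, since none of these four rules are browser-specific.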
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-email'
--- profiles/apparmor.d/abstractions/ubuntu-email 2012-05-18 20:30:22 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-email 2016-04-14 12:13:08 +0000
@@ -10,6 +10,8 @@
/usr/bin/balsa Cx -> sanitized_helper,
/usr/bin/claws-mail Cx -> sanitized_helper,
/usr/bin/evolution Cx -> sanitized_helper,
+ /usr/bin/geary Cx -> sanitized_helper,
+ /usr/bin/gnome-gmail Cx -> sanitized_helper,
/usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
/usr/bin/kmail Cx -> sanitized_helper,
/usr/bin/mailody Cx -> sanitized_helper,
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers'
--- profiles/apparmor.d/abstractions/ubuntu-helpers 2013-01-03 23:44:14 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-helpers 2016-04-14 12:13:08 +0000
@@ -33,6 +33,7 @@
profile sanitized_helper {
#include <abstractions/base>
+ #include <abstractions/X>
# Allow all networking
network inet,
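Review bot: Adding `#include <abstractions/X>` to sanitized_helper widens the profile that every Cx/Px-to-sanitized_helper target runs under: the X abstraction (extended in this same patch) grants reads of Xauthority cookies and writes to the X socket, so any helper launched from a browser profile can now drive the user's display. That may well be intended, since helpers are typically desktop applications, but there is no comment saying so; I would add `# helpers are usually X clients (viewers, editors); X access is needed to launch them` above the include. The sanitized_helper profile body continues past this hunk, so I cannot see what else it already allows.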
@@ -53,11 +54,15 @@
# permissions for /usr/share, but for now just do this. (LP: #972367)
/usr/share/software-center/* Pixr,
+ # Allow exec of texlive font build scripts (LP: #1010909)
+ /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
+
# While the chromium and chrome sandboxes are setuid root, they only link
# in limited libraries so glibc's secure execution should be enough to not
# require the santized_helper (ie, LD_PRELOAD will only use standard system
# paths (man ld.so)).
/usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+ /usr/lib/chromium-browser/chrome-sandbox PUxr,
/opt/google/chrome/chrome-sandbox PUxr,
/opt/google/chrome/google-chrome Pixr,
/opt/google/chrome/chrome Pixr,
=== modified file 'profiles/apparmor.d/abstractions/user-mail'
--- profiles/apparmor.d/abstractions/user-mail 2010-12-22 22:55:18 +0000
+++ profiles/apparmor.d/abstractions/user-mail 2016-04-14 12:13:08 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -12,8 +13,8 @@
owner @{HOME}/[mM]ail/ r,
owner @{HOME}/[mM]ail/** rwl,
owner @{HOME}/postponed* rwl,
- /var/spool/mail/ r,
- /var/spool/mail/* rwl,
+ /var/{,spool/}mail/ r,
+ /var/{,spool/}mail/* rwl,
owner @{HOME}/mbox.lock* rwl,
owner @{HOME}/mbox rw,
owner @{HOME}/inbox rw,
=== modified file 'profiles/apparmor.d/apache2.d/phpsysinfo'
--- profiles/apparmor.d/apache2.d/phpsysinfo 2011-07-14 12:57:57 +0000
+++ profiles/apparmor.d/apache2.d/phpsysinfo 2016-04-14 12:13:08 +0000
@@ -5,36 +5,44 @@
#include <abstractions/apache2-common>
#include <abstractions/base>
#include <abstractions/nameservice>
+ #include <abstractions/php5>
#include <abstractions/python>
- /bin/dash ixr,
- /bin/df ixr,
- /bin/mount ixr,
- /bin/uname ixr,
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/df ixr,
+ /{,usr/}bin/mount ixr,
+ /{,usr/}bin/uname ixr,
/dev/bus/usb/ r,
/dev/bus/usb/** r,
/etc/debian_version r,
/etc/lsb-release r,
/etc/mtab r,
/etc/phpsysinfo/config.php r,
+ /etc/udev/udev.conf r,
/proc/** r,
+ /sys/bus/ r,
/sys/bus/pci/devices/ r,
+ /sys/bus/pci/slots/ r,
+ /sys/bus/pci/slots/** r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/ r,
/sys/devices/** r,
+ /usr/bin/ r,
/usr/bin/apt-cache ixr,
/usr/bin/dpkg-query ixr,
/usr/bin/lsb_release ixr,
/usr/bin/lspci ixr,
/usr/bin/who ixr,
- /usr/sbin/lsusb ixr,
+ /usr/{,s}bin/lsusb ixr,
/usr/share/phpsysinfo/** r,
+ /var/lib/dpkg/arch r,
/var/lib/dpkg/available r,
/var/lib/dpkg/status r,
/var/lib/dpkg/triggers/* r,
/var/lib/dpkg/updates/ r,
- /var/lib/misc/usb.ids r,
+ /var/lib/{misc,usbutils}/usb.ids r,
/var/log/apache2/access.log w,
/var/log/apache2/error.log w,
/{,var/}run/utmp rk,
/usr/share/misc/pci.ids r,
-
}
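Review bot: The new `#include <abstractions/php5>` brings in everything that abstraction grants — including the widened `/etc/php5/**` reads and the `/tmp/.ZendSem.* rwlk` rule added elsewhere in this patch — where the phpsysinfo sub-profile previously listed its needs explicitly, and there is no comment on which denial motivated it. If only the opcache semaphore or the ini reads are needed, listing those rules directly would keep the profile self-describing; otherwise a one-line comment such as `# php5: opcache semaphore and php.ini reads` above the include would do. The `/{,usr/}bin/` and `/usr/{,s}bin/lsusb` path merges are fine as they only add usrmerge spellings.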
=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
--- profiles/apparmor.d/sbin.syslog-ng 2012-01-09 12:28:25 +0000
+++ profiles/apparmor.d/sbin.syslog-ng 2016-04-14 12:13:08 +0000
@@ -20,6 +20,7 @@
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/mysql>
+ #include <abstractions/openssl>
capability chown,
capability dac_override,
@@ -34,7 +35,10 @@
/dev/syslog w,
/dev/tty10 rw,
/dev/xconsole rw,
+ /etc/machine-id r,
/etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
@{PROC}/kmsg r,
/etc/hosts.deny r,
/etc/hosts.allow r,
@@ -47,6 +51,10 @@
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+ /{var,var/run,run}/log/journal/ r,
+ /{var,var/run,run}/log/journal/*/ r,
+ /{var,var/run,run}/log/journal/*/*.journal r,
+ /{var/,}run/syslog-ng.ctl a,
/{var/,}run/syslog-ng/additional-log-sockets.conf r,
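Review bot: The new `/{var/,}run/syslog-ng.ctl a,` rule overlaps the `@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,` rule a few lines above it: with an empty @{CHROOT_BASE} it is fully redundant, and with a chroot configured it grants access to the control socket outside the chroot, which is presumably the case it is meant for — a comment stating that would save the next reader the analysis. The journal rules only match `*.journal`; archived/rotated journal files carry a `.journal~` suffix, so if syslog-ng is expected to read those too, `/{var,var/run,run}/log/journal/*/*.journal{,~} r,` avoids a follow-up denial — worth confirming against the motivating log.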
# Site-specific additions and overrides. See local/README for details.
=== modified file 'profiles/apparmor.d/usr.sbin.identd'
--- profiles/apparmor.d/usr.sbin.identd 2011-07-14 12:57:57 +0000
+++ profiles/apparmor.d/usr.sbin.identd 2016-04-14 12:13:08 +0000
@@ -23,7 +23,9 @@
/usr/sbin/identd rmix,
@{PROC}/net/tcp r,
@{PROC}/net/tcp6 r,
- /{,var/}run/identd.pid w,
+ /{,var/}run/identd.pid w,
+ /{,var/}run/identd/ w,
+ /{,var/}run/identd/identd.pid w,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.identd>
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2014-08-11 21:24:23 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2016-04-14 12:13:08 +0000
@@ -17,6 +17,7 @@
capability net_bind_service,
capability setgid,
capability setuid,
+ capability sys_admin, # needed to store ACLS in the security.NTACL namespace
capability sys_resource,
capability sys_tty_config,
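Review bot: `capability sys_admin` is the kernel's catch-all capability — besides writing `security.*` xattrs it permits mount, quotactl, setns, many privileged ioctls and more — so this one line undoes much of what the rest of the profile restricts, and the trailing comment should acknowledge that trade-off rather than only the xattr need. I would expand it to something like `# CAP_SYS_ADMIN: needed to write the security.NTACL xattr (Samba's stored NT ACLs); the kernel has no narrower capability for security.* xattrs, so this is a large grant` and fix the typo `ACLS` → `ACLs`. If the distribution's default smb.conf does not enable the NTACL-storing VFS module, consider shipping this in local/usr.sbin.smbd instead of the base profile.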
=== modified file 'profiles/apparmor.d/usr.sbin.smbldap-useradd'
--- profiles/apparmor.d/usr.sbin.smbldap-useradd 2012-01-10 18:06:24 +0000
+++ profiles/apparmor.d/usr.sbin.smbldap-useradd 2016-04-14 12:13:08 +0000
@@ -8,7 +8,7 @@
#include <abstractions/perl>
/dev/tty rw,
- /bin/bash ix,
+ /{,usr/}bin/bash ix,
/etc/init.d/nscd Cx,
/etc/shadow r,
/etc/smbldap-tools/smbldap.conf r,
@@ -26,9 +26,9 @@
capability sys_ptrace,
- /bin/bash r,
- /bin/mountpoint rix,
- /bin/systemctl rix,
+ /{,usr/}bin/bash r,
+ /{,usr/}bin/mountpoint rix,
+ /{,usr/}bin/systemctl rix,
/dev/tty rw,
/etc/init.d/nscd r,
/etc/rc.status r,
Regards,
Christian Boltz
--
Multitasking - one computer keeps several users/admins busy.