[apparmor] [patch] [2.8 branch] Backport profile additions from the 2.9 branch
Christian Boltz
apparmor at cboltz.de
Thu Apr 14 18:45:52 UTC 2016
Hello,
On Thursday, 14 April 2016, 09:33:16 CEST, Simon Deziel wrote:
> I looked at the diff and it looks good. I noticed 2 things that may
> be improved.
>
> On 2016-04-14 08:23 AM, Christian Boltz wrote:
> > === modified file 'profiles/apparmor.d/abstractions/php5'
> > --- profiles/apparmor.d/abstractions/php5 2010-03-30 17:34:32
> > +0000 +++ profiles/apparmor.d/abstractions/php5 2016-04-14
> > 12:13:08 +0000 @@ -11,8 +11,8 @@
> >
> > #
> > ------------------------------------------------------------------
> >
> > # shared snippets for config files
> >
> > - /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
> > - /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
> > + /etc/php5/**/ r,
> > + /etc/php5/**.ini r,
> >
> > # Xlibs
> > /usr/X11R6/lib{,32,64}/lib*.so* mr,
> >
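Review bot: the two replacement rules widen read access from the five named subdirectories to every directory and every `.ini` file anywhere below /etc/php5/, since `**` crosses directory separators while the old `*.ini` rules stopped at one level (so nested files such as /etc/php5/apache2/conf.d/*.ini and the top-level /etc/php5/php.ini become readable); a short comment in the abstraction or in the backport's description stating that this widening is intended would make the change easier to review.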
> > @@ -30,3 +30,6 @@
> >
> > # MySQL extension
> > /usr/share/mysql/** r,
> >
> > +
> > + # Zend opcache
> > + /tmp/.ZendSem.* rwlk,
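Review bot: `/tmp/.ZendSem.* rwlk,` carries no `owner` qualifier, so the confined process gets read, write and lock access to any file of that name in the shared /tmp regardless of which user created it; if the opcache semaphore files are created by the PHP process itself, `owner /tmp/.ZendSem.* rwlk,` is the tighter form, and the hunk would benefit from a comment recording where the rule came from (the reply below traces it only to r2545).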
>
> Would the above work with "owner"?
Good question. I have no idea - and I can't find any /tmp/.ZendSem.* files
on my webservers to check it.
This was added by Kees in r2545 nearly a year ago.
Kees, can you please answer if 'owner' would be enough here?
> > === modified file 'profiles/apparmor.d/abstractions/user-mail'
> > --- profiles/apparmor.d/abstractions/user-mail 2010-12-22 22:55:18
> > +0000 +++ profiles/apparmor.d/abstractions/user-mail 2016-04-14
> > 12:13:08 +0000 @@ -1,6 +1,7 @@
> >
> > #
> > ------------------------------------------------------------------
> > #
> > # Copyright (C) 2002-2006 Novell/SUSE
> >
> > +# Copyright (C) 2014 Canonical Ltd.
> >
> > #
> > # This program is free software; you can redistribute it and/or
> > # modify it under the terms of version 2 of the GNU General
> > Public
> >
> > @@ -12,8 +13,8 @@
> >
> > owner @{HOME}/[mM]ail/ r,
> > owner @{HOME}/[mM]ail/** rwl,
> > owner @{HOME}/postponed* rwl,
> >
> > - /var/spool/mail/ r,
> > - /var/spool/mail/* rwl,
> > + /var/{,spool/}mail/ r,
> > + /var/{,spool/}mail/* rwl,
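Review bot: the new `/var/{,spool/}mail/* rwl,` line keeps write and link permission on every mailbox in the spool without `owner`, which is inconsistent with the `owner @{HOME}/[mM]ail/**` rules in the context lines just above; `owner /var/{,spool/}mail/* rwl,` would limit a confined mail client to the invoking user's own mailbox, and the commit message should reference the Launchpad bug (1192965, cited in the reply) so the reason for adding the /var/mail alias is recorded.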
>
> Here too, I think "owner" should be used.
The reason for this change was to cover /var/mail/ and /var/spool/mail/
(one is typically a symlink to the other)
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1192965
Restricting that to owner doesn't sound bad, but I don't want to do this
in the 2.8 backport patch because it would remove permissions and
therefore comes with the risk of breaking something.
You know how to send merge requests - if you send one to trunk that adds
the owner restriction to /var/{,spool/}mail/*, I won't object ;-)
Regards,
Christian Boltz
--
> or the absolutely intoxicating ;-))
> [ -d "/test/" ] || echo mkd
Thanks, luckily I don't have to drive a car any more today :-)
[> Thomas Preissler and Al Bogner in suse-linux]
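To see concretely which paths the backported rules add, here is a small Python helper (an added example, not part of this thread or of the AppArmor project) that approximates the apparmor.d(5) path-glob rules (`*`, `**`, `{a,b}`, `[...]`) and lists the paths a new pattern admits that the old one did not; the sample paths are constructed, and the glob translation is an approximation that ignores corner cases not exercised by the rules quoted above.

```python
import re

# Old and new rules as quoted in the patch above.
OLD_INI = "/etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini"
NEW_INI = "/etc/php5/**.ini"
OLD_MAIL = "/var/spool/mail/*"
NEW_MAIL = "/var/{,spool/}mail/*"

# Constructed sample paths (not taken from any real system).
SAMPLE_PATHS = [
    "/etc/php5/cli/php.ini",
    "/etc/php5/php.ini",
    "/etc/php5/apache2/conf.d/20-mysql.ini",
    "/var/spool/mail/alice",
    "/var/mail/alice",
]


def _expand_braces(pattern):
    """Expand AppArmor {a,b,c} alternations into brace-free patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):   # an empty alternative ("{,spool/}") is allowed
        out.extend(_expand_braces(head + alt + tail))
    return out


def _glob_to_regex(glob):
    """Translate one brace-free glob: * stops at '/', ** crosses it, [..] is kept."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])   # character class such as [mM]
            i = j + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_matches(rule_path, path):
    return any(_glob_to_regex(g).match(path) for g in _expand_braces(rule_path))


def newly_covered(old_rule, new_rule, paths):
    """Paths the new rule admits that the old one did not: the permission widening."""
    return [p for p in paths if rule_matches(new_rule, p) and not rule_matches(old_rule, p)]
```

Running `newly_covered(OLD_INI, NEW_INI, SAMPLE_PATHS)` shows the top-level and nested ini files the php5 change adds, while the mail change adds only the /var/mail/ alias.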