[apparmor] [profile] /etc/cron.daily/logrotate: updated version.

Christian Boltz apparmor at cboltz.de
Sun Dec 25 13:54:19 UTC 2016


Hello,

On Tuesday, 20 December 2016, 12:52:57 CET, daniel curtis wrote:
> So, I just decided to paste the whole profile here, since I've added
> only a few rules. It should be easier to read and eventually change
> the logrotate profile in the future. Also, Mr Christian Boltz wrote,

Feel free to simply call me by my first name ;-)

>   ## NOTE: there is not 'syslog.pid' but 'rsyslogd.pid' file
>   #/{,var/}run/syslogd.pid r,
>   /{,var/}run/rsyslogd.pid r,

That depends on which syslog daemon you use ;-) so we should keep both.

> By the way: an official profile contains rule, which confused me:
> "/var/log r,". Does not should be there: "/var/log/ r,"? As we can
> see: missing "/". 

Once upon a time ;-) AppArmor did not distinguish between file and directory
rules. Several releases ago, this changed and directory rules require a
trailing / now.

So /var/log means a _file_ and /var/log/ means a directory nowadays.
This also means: If you don't see any denials with a rule that misses 
the trailing /, this rule is most probably superfluous.

> The same thing with: /etc/subdomain.d directory -
> I've added '/' to these rules. What do you think?

Once upon a time ;-) AppArmor was named SubDomain. The name changed even 
before directory rules needed the trailing /, so we can simply drop the 
/etc/subdomain.d rule IMHO. (Nevertheless, "subdomain" survived in 
several function names and also in more public places like 
/etc/apparmor/subdomain.conf)

> The last and the most important thing: can someone check this profile;
> I mean from a security point of view? It's secure enough to use?
> Especially, I'm thinking about permissions for a /tmp directory
> ('rwl,' access) etc.

If an application writes tempfiles, you won't be able to avoid those
rules ;-)

Restricting the rule with the "owner" flag might be an option to ensure
that someone else's files get changed, and restricting the filename as
well as possible (/tmp/logrot* instead of /tmp/*) is always a good
choice. As long as the application uses mktemp, this should be secure.
(OTOH, you should start to worry if the tempfile names only include the
PID or are completely static - typically, that's when I open a bug report ;-)


That all said - thanks for updating the profile!

In the meantime, the upstream profile changed thanks to usrMove. I merged
your changes into the upstream profile. Note that I dropped some rules
that looked superfluous:
- /etc/subdomain.d (a directory dropped loooong ago)
- @{PROC} and @{PROC}/@{pid} - no trailing /, so these rules are likely unused

The full profile is attached. I hope my changes didn't break anything,
but some testing never hurts ;-)


Here's the patch for the latest upstream profile, which I hereby propose 
for bzr trunk [1]:

=== modified file 'profiles/apparmor/profiles/extras/etc.cron.daily.logrotate'
--- profiles/apparmor/profiles/extras/etc.cron.daily.logrotate  2016-12-03 09:59:01 +0000
+++ profiles/apparmor/profiles/extras/etc.cron.daily.logrotate  2016-12-25 13:33:41 +0000
@@ -2,6 +2,8 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2016 Seth Arnold
+#    Copyright (C) 2016 Daniel Curtis
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -16,38 +18,58 @@
   #include <abstractions/bash>
   #include <abstractions/nameservice>
 
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+
   /{usr/,}bin/bash mixr,
   /{usr/,}bin/cat mixr,
   /{usr/,}bin/gzip mixr,
   /{usr/,}bin/kill mixr,
   /{usr/,}bin/logger mixr,
+  /{usr/,}bin/mv mixr,
+  /{usr/,}bin/sed mixr,
+  /{usr/,}bin/sleep mrix,
   /{usr/,}bin/true mixr,
   /etc/init.d/* mixr,
+  /usr/bin/head mrix,
   /usr/bin/killall mixr,
+  /usr/sbin/invoke-rc.d mrix,
   /usr/sbin/logrotate mixr,
 
-  /var/log      r,
-  /var/log/**   wrl,
+  ## see https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
+  /{usr/,}sbin/initctl Ux,
+  /{usr/,}sbin/runlevel Ux,
+
+  /var/log/ r,
+  /var/log/** rwl,
 
   /var/lib/privoxy/log/**  rwl,
   /var/lib64/privoxy/log/**  rwl,
 
   / r,
-  /dev/tty wr,
+  /dev/tty rw,
   /etc/cron.daily/logrotate r,
   /etc/logrotate.conf r,
-  /etc/logrotate.d r,
+  /etc/logrotate.d/ r,
   /etc/logrotate.d/* r,
-  /etc/subdomain.d r,
-  @{PROC} r,
-  @{PROC}/@{pid} r,
-  /tmp w,
+  /etc/lsb-base-logging.sh r,
+
+#  @{PROC} r,
+#  @{PROC}/@{pid} r,
   /tmp/file* wl,
-  /tmp/logrot* wlr,
-  /var/lib/logrotate.status wr,
+  /tmp/logrot* rwl,
+
+  /var/lib/logrotate/ r,
+  /var/lib/logrotate/* rw,
+
   /{run,var}/lock/samba r,
   /{,var/}run/httpd.pid r,
   /{,var/}run/syslogd.pid r,
-  /var/spool/slrnpull wr,
+  /{,var/}run/rsyslogd.pid r,
+
+  /var/spool/slrnpull/ wr,
   /var/spool/slrnpull/log* wrl,
 }
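Review bot: the tempfile rules in this hunk (`+  /tmp/logrot* rwl,` and the unchanged `/tmp/file* wl,`) still lack the `owner` qualifier that the reply itself recommends; `owner /tmp/logrot* rwl,` and `owner /tmp/file* wl,` would keep logrotate from touching temp files it did not create. Two smaller points: the commented-out `#  @{PROC} r,` / `#  @{PROC}/@{pid} r,` lines should be deleted rather than left as dead comments, since the cover letter already records why they were dropped; and the new rules mix `mrix` (sleep, head, invoke-rc.d) with the file's existing `mixr` ordering, which is functionally equivalent but makes later diffs noisier. The `Ux` transitions for initctl and runlevel run those binaries fully unconfined, so a short in-profile comment saying why a child profile was not practical would help readers who do not follow the list URL.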



Regards,

Christian Boltz

[1] Merging to 2.9 and 2.10 would mean additional work because the 
    usrMerge changes are trunk-only, so if someone insists on having the
    updated profile in 2.9 and 2.10, the only sane way is to just copy 
    it over including the usrMerge changes.

-- 
The tone of my answers is directly related to my annoyance factor.
[Robert Schweikert in opensuse-project]
-------------- next part --------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2006 Novell/SUSE
#    Copyright (C) 2016 Seth Arnold
#    Copyright (C) 2016 Daniel Curtis
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

/etc/cron.daily/logrotate {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,

  /{usr/,}bin/bash mixr,
  /{usr/,}bin/cat mixr,
  /{usr/,}bin/gzip mixr,
  /{usr/,}bin/kill mixr,
  /{usr/,}bin/logger mixr,
  /{usr/,}bin/mv mixr,
  /{usr/,}bin/sed mixr,
  /{usr/,}bin/sleep mrix,
  /{usr/,}bin/true mixr,
  /etc/init.d/* mixr,
  /usr/bin/head mrix,
  /usr/bin/killall mixr,
  /usr/sbin/invoke-rc.d mrix,
  /usr/sbin/logrotate mixr,

  ## see https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
  /{usr/,}sbin/initctl Ux,
  /{usr/,}sbin/runlevel Ux,

  /var/log/ r,
  /var/log/** rwl,

  /var/lib/privoxy/log/**  rwl,
  /var/lib64/privoxy/log/**  rwl,

  / r,
  /dev/tty rw,
  /etc/cron.daily/logrotate r,
  /etc/logrotate.conf r,
  /etc/logrotate.d/ r,
  /etc/logrotate.d/* r,
  /etc/lsb-base-logging.sh r,

#  @{PROC} r,
#  @{PROC}/@{pid} r,
  /tmp/file* wl,
  /tmp/logrot* rwl,

  /var/lib/logrotate/ r,
  /var/lib/logrotate/* rw,

  /{run,var}/lock/samba r,
  /{,var/}run/httpd.pid r,
  /{,var/}run/syslogd.pid r,
  /{,var/}run/rsyslogd.pid r,

  /var/spool/slrnpull/ wr,
  /var/spool/slrnpull/log* wrl,
}
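A small lint for the two points made in the reply (directory rules need a trailing "/", and writable tempfile rules should carry "owner"), added here as an example; it is not part of the list message or of the AppArmor project, and the heuristic, the function names and the constructed sample profile are my own.

```python
import re

# One AppArmor file rule: optional "owner", a path starting with "/" or a
# variable such as @{PROC}, a permission mode, then the closing ",".
_RULE = re.compile(r'^\s*(?:(owner)\s+)?((?:/|@\{)\S*)\s+([a-zA-Z]+)\s*,\s*(?:#.*)?$')

# Constructed sample in the style of the pre-patch profile (old-style rules).
SAMPLE = """\
/etc/cron.daily/logrotate {
  #include <abstractions/base>
  /var/log      r,
  /var/log/**   wrl,
  /etc/logrotate.d r,
  /etc/logrotate.d/* r,
  @{PROC} r,
  @{PROC}/@{pid} r,
  /tmp/logrot* wlr,
  owner /tmp/file* wl,
  /var/lib/logrotate.status wr,
}
"""

def parse_rules(profile_text):
    """Return (owner, path, mode) tuples for the file rules in a profile."""
    rules = []
    for line in profile_text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # comments and #include lines carry no file rule
        m = _RULE.match(line)
        if m:
            rules.append((m.group(1) == 'owner', m.group(2), m.group(3)))
    return rules

def lint(profile_text):
    """Flag (a) rules without a trailing '/' whose path is the parent of another
    rule (almost certainly meant as a directory rule) and (b) writable /tmp
    rules that are not restricted with 'owner'."""
    rules = parse_rules(profile_text)
    paths = {p for _, p, _ in rules}
    findings = []
    for owner, path, mode in rules:
        if not path.endswith('/') and any(o.startswith(path + '/') for o in paths):
            findings.append(f"{path} {mode},: file rule; a directory needs '{path}/ {mode},'")
        if path.startswith('/tmp/') and 'w' in mode and not owner:
            findings.append(f"{path} {mode},: writable tempfile rule without 'owner'")
    return findings

if __name__ == '__main__':
    for finding in lint(SAMPLE):
        print(finding)
```

Run against the sample it reports the three old-style directory rules (/var/log, /etc/logrotate.d, @{PROC}) and the unowned /tmp/logrot* rule, and nothing for the owner-qualified /tmp/file* rule.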