[apparmor] [patch] Update mlmmj profiles

Tue Nov 8 20:50:40 UTC 2016

Hello,

Am Montag, 7. November 2016, 11:49:46 CET schrieb Seth Arnold:
> I can see that these patches took a fair amount of back-and-forth
> development already so I'm discinlined to suggest further changes
> before they are merged, but...
> 
> 1) Per Jessen did a huge amount of work on these and probably ought to
> have a copyright line, or update suse's copyright lines.

I included copyright lines in my commit some minutes ago.

> 2) All the executables will need 'm' access when run on kernels that
> have 9f834ec18defc369d73ccf9e87a2790bfa05bf46 integrated.
> 
> 3) I'd suggest not deleting the mlmmj-recieve for a year or two. Who
> knows how long it will be before the old name is removed everywhere.

These two are worth a separate patch:


[patch] Add m permissions to mlmmj profiles

Newer kernels need m permissions for the binary the profile covers,
so add it before someone hits this problem in the wild ;-)

Also add a note that the mlmmj-recieve profile is probably superfluous
after upstream renamed the misspelled binary.


I propose this patch for trunk, 2.10 and 2.9


[ mlmmj-m.diff ]

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce'

--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce      2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce      2016-11-08 20:40:38 +0000
@@ -15,7 +15,7 @@
 /usr/bin/mlmmj-bounce {
   #include <abstractions/base>
 
-  /usr/bin/mlmmj-bounce r,
+  /usr/bin/mlmmj-bounce mr,
   /usr/bin/mlmmj-send Px,
   /usr/bin/mlmmj-maintd Px,
   /var/spool/mlmmj/*/subscribers.d/ r,

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd      2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd      2016-11-08 20:40:55 +0000
@@ -17,7 +17,7 @@
 
   capability setuid,
 
-  /usr/bin/mlmmj-maintd r,
+  /usr/bin/mlmmj-maintd mr,
   /usr/bin/mlmmj-send Px,
   /usr/bin/mlmmj-bounce Px,
   /usr/bin/mlmmj-unsub Px,

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-process'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-process     2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-process     2016-11-08 20:41:35 +0000
@@ -15,7 +15,7 @@
 /usr/bin/mlmmj-process {
   #include <abstractions/base>
 
-  /usr/bin/mlmmj-process r,
+  /usr/bin/mlmmj-process mr,
   /usr/bin/mlmmj-send Px,
   /usr/bin/mlmmj-sub Px,
   /usr/bin/mlmmj-unsub Px,

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive     2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive     2016-11-08 20:41:45 +0000
@@ -16,7 +16,7 @@
   #include <abstractions/base>
 
   /usr/bin/mlmmj-process Px,
-  /usr/bin/mlmmj-receive r,
+  /usr/bin/mlmmj-receive mr,
   /var/spool/mlmmj/*/incoming/ rw,
   /var/spool/mlmmj/*/incoming/* rw,
 }

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve     2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve     2016-11-08 20:43:15 +0000
@@ -9,12 +9,17 @@
 # ------------------------------------------------------------------
 # vim:syntax=apparmor
 
+
+# mlmmj upstream renamed the (misspelled) mlmmj-recieve to mlmmj-receive,
+# so this profile is probably superfluous
+
+
 #include <tunables/global>
 
 /usr/bin/mlmmj-recieve {
   #include <abstractions/base>
 
   /usr/bin/mlmmj-process Px,
-  /usr/bin/mlmmj-recieve r,
+  /usr/bin/mlmmj-recieve mr,
   /var/spool/mlmmj/*/incoming/* w,
 }

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-send'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-send        2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-send        2016-11-08 20:43:28 +0000
@@ -16,7 +16,7 @@
   #include <abstractions/base>
   #include <abstractions/nameservice>
 
-  /usr/bin/mlmmj-send r,
+  /usr/bin/mlmmj-send mr,
   /var/spool/mlmmj/*/archive/* w,
   /var/spool/mlmmj/*/control/* r,
   /var/spool/mlmmj/*/index rwk,

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2016-11-08 20:43:39 +0000
@@ -18,7 +18,7 @@
   capability setuid,
 
   /usr/bin/mlmmj-send Px,
-  /usr/bin/mlmmj-sub r,
+  /usr/bin/mlmmj-sub mr,
   /var/spool/mlmmj/*/control/ r,
   /var/spool/mlmmj/*/control/* r,
   /var/spool/mlmmj/*/queue/ rw,

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub       2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub       2016-11-08 20:43:51 +0000
@@ -15,7 +15,7 @@
 /usr/bin/mlmmj-unsub {
   #include <abstractions/base>
 
-  /usr/bin/mlmmj-unsub r,
+  /usr/bin/mlmmj-unsub mr,
   /usr/bin/mlmmj-send Px,
   /var/spool/mlmmj/*/control/ r,
   /var/spool/mlmmj/*/control/* r,



Regards,

Christian Boltz
-- 
Meine Rechner sind seit einem Jahr ein Naturschutzgebiet
für Pinguine. ;))           [Michael Raab in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161108/99286e7e/attachment.pgp>
