[apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.
Seth Arnold
seth.arnold at canonical.com
Tue Jan 17 23:18:14 UTC 2017
Hi Daniel,
On Mon, Jan 16, 2017 at 03:48:58PM +0100, daniel curtis wrote:
> There are some rules, which are confusing me. I would like to ask You about
> them etc. So, here they are:
>
> ## tha lack of "/"?
> @{PROC} r,
This is because @{PROC} is defined with the slashes already included:
/etc/apparmor.d/tunables/proc:@{PROC}=/proc/
> ## Isn't the same thing?
> @{PROC}/*/fd/ r,
> @{PROC}/[0-9]*/fd r,
These are different: The first one will let the program enumerate the
files in all directories that match /proc/*/fd/ (assuming the usual
@{PROC} variable setting.) The second one will let the program read a file
that matches /proc/[0-9]*/fd -- this rule is probably useless, as there's
no files matching that name on my current systems.
The use of * vs [0-9] vs @{pids} in /proc/ is a matter of just how tight
do you want to make a profile against possible future changes.
For example, there's currently no directories named 'fd' in any
subdirectories of /proc -- except for the per-process directories. So all
these forms would currently match the same thing. But if a new directory
were introduced, in say /proc/sys/fd/ or /proc/fs/fd/, then these profiles
would also allow access there. And if something were introduced like
/proc/0new/fd/ -- then even the 'simple' [0-9]* version would grant
access, probably mistakenly.
> What do You think; what is your opinion? I've removed an "owner" prefix
> from these rules:
>
> @{PROC}/*/net/tcp r,
> @{PROC}/*/net/udp r,
> @{PROC}/*/net/raw r,
>
> @{PROC}/*/net/tcp6 r,
> @{PROC}/*/net/udp6 r,
> @{PROC}/*/net/raw6 r,
>
> There is one more rule with such prefix; should I remove it?
>
> owner @{PROC}/*/net/unix r,
It was a good idea to look for more cases -- yes, I'd also remove the
'owner' from this rule.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170117/9b8911df/attachment.pgp>
More information about the AppArmor
mailing list