[apparmor] Fixed profiles for Debian 9

intrigeri intrigeri at debian.org
Tue Jul 4 07:00:04 UTC 2017


Hi,

artiom:
> Diffs.

Thanks! See comments & questions below :)

> 29.06.2017 08:35, intrigeri writes:

> --- /usr/share/doc/apparmor-profiles/extras/sbin.dhclient	2017-03-28 13:29:15.000000000 +0300
> +++ /etc/apparmor.d/sbin.dhclient	2017-06-27 22:48:18.314733833     +0300

Meta: I don't know if that's the best profile we have around for
dhclient. IIRC Ubuntu ships another one in src:isc-dhcp. Perhaps you
would like to have a look and try to merge them so we have one single,
great dhclient profile that everyone can ship?

> -  /var/lib/NetworkManager/dhclient-*.conf  r,
> -  /var/lib/NetworkManager/dhclient-*.lease rw,
> +  /var/lib/NetworkManager/dhclient*-*.conf  r,
> +  /var/lib/NetworkManager/dhclient*-*.lease rw,
> […]
> -  /{,var/}run/dhclient-*.pid  rw,
> +  /{,var/}run/dhclient*-*.pid rw,
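Review bot: the new globs reach further than a one-character change suggests. `dhclient*-*.lease rw,` grants read and write on every lease file under /var/lib/NetworkManager whose name begins with `dhclient` and contains a dash, and `/{,var/}run/dhclient*-*.pid rw,` does the same for pid files, so the change should carry the denial log line that motivated it (the exact filename that `dhclient-*` failed to match), and the `[…]` elided lines should be shown in full so the whole set of widened rules can be reviewed together.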

Why not, but I'm curious why: on my system the files I see in that
directory match the glob you're extending. Can you please paste the
corresponding denial logs?

If we really need to do that, I'd rather go one more step forward and
do this:

  /var/lib/NetworkManager/dhclient*.conf r,
  /var/lib/NetworkManager/dhclient*.lease rw,
  /{,var/}run/dhclient*.pid rw,

>    # This one will need to be fleshed out depending on what the user is doing
>    /{usr/,}sbin/dhclient-script mrpix,
> +  /{usr/,}lib/NetworkManager/nm-dhcp-helper mrpix,
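Review bot: `/{usr/,}lib/NetworkManager/nm-dhcp-helper mrpix,` sits next to the existing `/usr/lib/nm-dhcp-helper rix,` rule, so the helper is now named by two rules at two different paths with two different exec modes: `pix` transitions to the helper's own profile when one is loaded and only falls back to inheriting otherwise, while `ix` always inherits the dhclient profile. Keep one rule for the path that actually exists on the target release and pick one exec mode, otherwise the confinement the helper runs under depends on which path it is invoked through.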

We already have this:

  /usr/lib/nm-dhcp-helper     rix,

So please de-duplicate them :)

Note that the Ubuntu profile has a dedicated child profile for that
helper IIRC, which seems nicer.

> --- /usr/share/doc/apparmor-profiles/extras/usr.bin.man	2017-03-28 13:29:15.000000000 +0300
> +++ /etc/apparmor.d/usr.bin.man	2017-06-27 22:35:18.636780980 +0300
> @@ -16,12 +16,38 @@
>  
>  /usr/bin/man {
>    #include <abstractions/base>
> -  #include <abstractions/nameservice>
> +  #include <abstractions/consoles>
> +  #include <abstractions/user-manpages>
>  
>    capability setgid,
>    capability setuid,
>  
> -  /usr/bin/man r,
> -  /usr/lib/man-db/man Px,
> +
> +
> +  /bin/gzip rix,
> +  /bin/less rix,
> [...]
>  
>  }
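Review bot: removing `/usr/lib/man-db/man Px,` means the man-db helper, and whatever it spawns, now runs inside the /usr/bin/man profile instead of its own, and the `rix` rules for /bin/gzip and /bin/less run those programs with this profile's `capability setgid` and `capability setuid` as well. If the separate profile is meant to go, say so in the change description and keep the capabilities as narrow as the helper needs; the removal of `#include <abstractions/nameservice>` also needs a reason, and the two empty `+` lines should be dropped.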

Here you seem to be essentially dropping the separate profile for
/usr/lib/man-db/man, and merging its content into the profile for
/usr/bin/man. Why? Might it be that you've enabled the latter but not
the former, which would explain all kinds of breakage for the
man command?

> --- apparmor-2.11.0/profiles/apparmor.d/abstractions/nvidia	2014-06-06 22:50:58.000000000 +0400
> +++ /etc/apparmor.d/abstractions/nvidia	2017-06-27 23:01:45.972799697 +0300
> +  /dev/nvidia-modeset rw,
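Review bot: this hunk has no `@@` header and no context lines, so it is not clear where `/dev/nvidia-modeset rw,` lands in the abstraction or whether it duplicates a rule already there; include the header and context, and state in the change description which application produced the denial so the rule can be compared with the upstream change that already adds it.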

This was done upstream already. What's the drawback of not having it?
If it's serious enough, then I'll try to get this fix in Debian 9.

> --- icedove-45.8.0/debian/apparmor/usr.bin.thunderbird	2017-03-30 02:28:32.000000000 +0300
> +++ /etc/apparmor.d/usr.bin.thunderbird	2017-07-02 17:18:54.756579420 +0300
> @@ -56,6 +56,7 @@
>  
>    # Addons (too lax for thunderbird)
>    ##include <abstractions/ubuntu-browsers.d/firefox>
> +  ##include <abstractions/ubuntu-browsers.d/firefox>
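Review bot: the added line is identical to the line directly above it, and both start with `##`, which makes them comments, so this hunk changes nothing in the profile. Drop it; if the intent was to enable the firefox add-on abstraction, the change would be `##include` to `#include` and would need a justification, given that the comment just above calls it too lax for thunderbird.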

?

> --- apparmor-2.11.0/profiles/apparmor.d/abstractions/video	2007-08-29 03:05:56.000000000 +0400
> +++ /etc/apparmor.d/abstractions/video	2017-06-27 22:12:45.000000000 +0300
> @@ -4,3 +4,5 @@
>    # System devices
>    /sys/class/video4linux r,
>    /sys/class/video4linux/** r,
> +
> +  /dev/video* rw,
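Review bot: `/dev/video* rw,` in a shared abstraction hands read and write access on every video4linux device node to every profile that includes `abstractions/video`, which so far only grants reads under /sys/class/video4linux. Name the profile and application that need device access, and consider putting the grant in that profile rather than in the abstraction.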

I think this deserves an explanation: what profile / application would
benefit from this change? (I see no profile that includes this
abstraction on my system, in the apparmor tree, nor in the extra
profiles tree.)

Cheers,
-- 
intrigeri
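As an added example that is not part of this thread and not the AppArmor project's own code: a small Python matcher for AppArmor path globs, used to compare how far each of the three candidate dhclient lease rules reaches (the original `dhclient-*`, the submitted `dhclient*-*`, and the wider `dhclient*` proposed in the reply). The sample filenames are constructed; the `dhclient6-` name is an assumption about how an IPv6 lease might be named, not something the thread states.

```python
import re
from typing import Dict, List


def apparmor_glob_to_regex(pattern: str) -> str:
    """Translate an AppArmor path glob into an anchored Python regex.

    Globbing rules implemented (as documented in apparmor.d(5)):
      *      zero or more characters, but never '/'
      **     zero or more characters, '/' included
      ?      exactly one character other than '/'
      [..]   character class, [^..] negated
      {a,b}  alternation, may be nested
      \\x     literal x
    """
    out: List[str] = []
    depth = 0  # current {...} nesting depth; commas are literal outside braces
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            if i + 1 < n and pattern[i + 1] == "*":
                out.append(".*")
                i += 2
            else:
                out.append("[^/]*")
                i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError(f"unterminated character class in {pattern!r}")
            out.append("[" + pattern[i + 1:j] + "]")  # same syntax in a regex
            i = j + 1
        elif c == "{":
            depth += 1
            out.append("(?:")
            i += 1
        elif c == "}" and depth > 0:
            depth -= 1
            out.append(")")
            i += 1
        elif c == "," and depth > 0:
            out.append("|")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    if depth != 0:
        raise ValueError(f"unbalanced braces in {pattern!r}")
    return "^" + "".join(out) + "$"


def matches(rule_path: str, path: str) -> bool:
    """True if the path part of an AppArmor rule covers the given path."""
    return re.fullmatch(apparmor_glob_to_regex(rule_path), path) is not None


def coverage(rule_paths: List[str], paths: List[str]) -> Dict[str, List[str]]:
    """For each rule path, list which of the sample paths it would grant."""
    return {rule: [p for p in paths if matches(rule, p)] for rule in rule_paths}


# The three candidate lease rules discussed in the thread.
LEASE_RULES = [
    "/var/lib/NetworkManager/dhclient-*.lease",
    "/var/lib/NetworkManager/dhclient*-*.lease",
    "/var/lib/NetworkManager/dhclient*.lease",
]

# Constructed sample filenames (not taken from a real system). The dhclient6-
# name is an assumption about IPv6 lease naming.
SAMPLE_LEASES = [
    "/var/lib/NetworkManager/dhclient-eth0.lease",
    "/var/lib/NetworkManager/dhclient6-eth0.lease",
    "/var/lib/NetworkManager/dhclient.lease",
    "/var/lib/NetworkManager/dhclient-eth0/stale.lease",  # '*' never crosses '/'
    "/var/lib/NetworkManager/other-eth0.lease",
]

if __name__ == "__main__":
    for rule, hits in coverage(LEASE_RULES, SAMPLE_LEASES).items():
        print(f"{rule}\n    -> {len(hits)} of {len(SAMPLE_LEASES)} sample files: {hits}")
```

Running the block shows the three rules matching 1, 2 and 3 of the five sample files respectively, which is the practical question behind "why not, but I'm curious why": each widening admits more filenames, so the denial log that motivated the change is what decides how wide the glob needs to be. The matcher also handles the `{,var/}` alternation used in the pid-file rule and the `**` form used in `abstractions/video`.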
