[apparmor] Fixed profiles for Debian 9

artiom artiom14 at yandex.ru
Wed Jul 5 20:16:46 UTC 2017


> Hi,
> 
> artiom:
>> Diffs.
> 
> Thanks! See comments & questions below :)
> 
>> 29.06.2017 08:35, intrigeri writes:
> 
>> --- /usr/share/doc/apparmor-profiles/extras/sbin.dhclient	2017-03-28 13:29:15.000000000 +0300
>> +++ /etc/apparmor.d/sbin.dhclient	2017-06-27 22:48:18.314733833     +0300
> 
> Meta: I don't know if that's the best profile we have around for
> dhclient. IIRC Ubuntu ships another one in src:isc-dhcp. Perhaps you
> would like to have a look and try to merge them so we have one single,
> great dhclient profile that everyone can ship?
> 
OMG. But I use Debian, not Ubuntu. And this profile is working for me.

>> -  /var/lib/NetworkManager/dhclient-*.conf  r,
>> -  /var/lib/NetworkManager/dhclient-*.lease rw,
>> +  /var/lib/NetworkManager/dhclient*-*.conf  r,
>> +  /var/lib/NetworkManager/dhclient*-*.lease rw,
>> […]
>> -  /{,var/}run/dhclient-*.pid  rw,
>> +  /{,var/}run/dhclient*-*.pid rw,
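Review bot: the new `dhclient*-*` glob in all three rules matches any file whose name starts with `dhclient` and contains a dash, which is wider than the `dhclient6-wlan0.conf` case this thread cites as the motivation; if the only missing match is the `dhclient6-` prefix, `/var/lib/NetworkManager/dhclient{,6}-*.conf r,` (and the same shape for the `.lease` and `.pid` rules) limits the grant to the two known prefixes. Either way, the denial lines that prompted the change belong in the commit message so the width of the pattern can be justified later.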
> 
> Why not, but I'm curious why: on my system the files I see in that
> directory match the glob you're extending. Can you please paste the
> corresponding denial logs?
> 
I can paste a directory listing for this (and similar) file:
$ ls /var/lib/NetworkManager/dhclient*-*.conf

/var/lib/NetworkManager/dhclient6-wlan0.conf
/var/lib/NetworkManager/dhclient-wlan0.conf

`dhclient6`, not `dhclient`.

> If we really need to do that, I'd rather go one more step forward and
> do this:
> 
>   /var/lib/NetworkManager/dhclient*.conf r,
>   /var/lib/NetworkManager/dhclient*.lease rw,
>   /{,var/}run/dhclient*.pid rw,
> 
Ok, it's possible.

>>    # This one will need to be fleshed out depending on what the user is doing
>>    /{usr/,}sbin/dhclient-script mrpix,
>> +  /{usr/,}lib/NetworkManager/nm-dhcp-helper mrpix,
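Review bot: this rule overlaps with the existing `/usr/lib/nm-dhcp-helper rix,` in the same profile, so the same helper ends up under two rules with different execution modes (`ix` versus `pix`) depending on which path it is invoked through; fold them into one rule such as `/{usr/,}lib/{,NetworkManager/}nm-dhcp-helper pix,`, pick the mode deliberately (`pix` only makes sense if a dedicated profile for the helper is expected to exist), and keep `m` only if a `file_mmap` denial for the helper was actually observed.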
> 
> We already have this:
> 
>   /usr/lib/nm-dhcp-helper     rix,
> 
> So please de-duplicate them :)
> 
I don't remember, but I think that the mapping capability (`m`) was necessary.

> Note that the Ubuntu profile has a dedicated child profile for that
> helper IIRC, which seems nicer.
> 
Ok, maybe it's better.

>> --- /usr/share/doc/apparmor-profiles/extras/usr.bin.man	2017-03-28 13:29:15.000000000 +0300
>> +++ /etc/apparmor.d/usr.bin.man	2017-06-27 22:35:18.636780980 +0300
>> @@ -16,12 +16,38 @@
>>  
>>  /usr/bin/man {
>>    #include <abstractions/base>
>> -  #include <abstractions/nameservice>
>> +  #include <abstractions/consoles>
>> +  #include <abstractions/user-manpages>
>>  
>>    capability setgid,
>>    capability setuid,
>>  
>> -  /usr/bin/man r,
>> -  /usr/lib/man-db/man Px,
>> +
>> +
>> +  /bin/gzip rix,
>> +  /bin/less rix,
>> [...]
>>  
>>  }
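Review bot: removing `-  /usr/lib/man-db/man Px,` drops the transition into the separate profile for `/usr/lib/man-db/man`, so that binary either runs under `/usr/bin/man`'s own permissions (if an `ix` rule for it is among the elided lines) or is denied outright (if none is); if merging the two profiles is the intent, say so in the change and remove the now-unreferenced profile in the same commit, and if it is not, keep the `Px` line and add the missing paths to the man-db profile instead. `/bin/gzip rix,` and `/bin/less rix,` run the pager and decompressor under man's profile, which is fine as long as their own file needs are covered. Also drop the two empty `+` lines added before `/bin/gzip rix,`, and note that the `[...]` elision hides the remaining additions, so a reviewer cannot confirm from this hunk that `abstractions/nameservice` is safe to remove.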
> 
> Here you seem to be essentially dropping the separate profile for
> /usr/lib/man-db/man, and merging its content into the profile for
> /usr/bin/man. Why? Might it be that you've enabled the latter but not
> the former, which would explain all kinds of breakage for the
> man command?
> 
I merged profiles from another Debian system (with working,
non-broken AppArmor), and maybe it's an old profile.
But it works.

Original profile:
/etc/apparmor.d# aa-enforce usr.bin.man
Setting /etc/apparmor.d/usr.bin.man to enforce mode.
/etc/apparmor.d# LANG=C man ls
man: can't open the manpath configuration file /etc/manpath.config

audit: type=1400 audit(1499284631.014:481): apparmor="DENIED"
operation="open" profile="/usr/bin/man" name="/etc/apparmor.d/"
pid=27542 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1499284631.014:482): apparmor="DENIED"
operation="open" profile="/usr/bin/man" name="/etc/manpath.config"
pid=27542 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

After I added /etc/manpath.config to the profile, man was denied
access to files like /usr/share/man, /usr/local/share/man,
/var/cache/man/index.db, etc.

audit[6311]: AVC apparmor="DENIED" operation="open"
profile="/usr/bin/man" name="/usr/share/man/" pid=6311 comm="man"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[6311]: AVC apparmor="DENIED" operation="open"
profile="/usr/bin/man" name="/usr/local/share/man/" pid=6311 comm="man"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[6311]: AVC apparmor="DENIED" operation="open"
profile="/usr/bin/man" name="/usr/local/share/man/" pid=6311 comm="man"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[6311]: AVC apparmor="DENIED" operation="open"
profile="/usr/bin/man" name="/usr/share/man/" pid=6311 comm="man"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[6311]: AVC apparmor="DENIED" operation="open"
profile="/usr/bin/man" name="/usr/share/man/" pid=6311 comm="man"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I simply use a working profile.

>> --- apparmor-2.11.0/profiles/apparmor.d/abstractions/nvidia	2014-06-06 22:50:58.000000000 +0400
>> +++ /etc/apparmor.d/abstractions/nvidia	2017-06-27 23:01:45.972799697 +0300
>> +  /dev/nvidia-modeset rw,
> 
> This was done upstream already. What's the drawback of not having it?
> If it's serious enough, then I'll try to get this fix in Debian 9.
> 
It was necessary for Thunderbird to start, but not enough to make it
work correctly (with theme support).

>> --- icedove-45.8.0/debian/apparmor/usr.bin.thunderbird	2017-03-30 02:28:32.000000000 +0300
>> +++ /etc/apparmor.d/usr.bin.thunderbird	2017-07-02 17:18:54.756579420 +0300
>> @@ -56,6 +56,7 @@
>>  
>>    # Addons (too lax for thunderbird)
>>    ##include <abstractions/ubuntu-browsers.d/firefox>
>> +  ##include <abstractions/ubuntu-browsers.d/firefox>
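Review bot: the added `+  ##include <abstractions/ubuntu-browsers.d/firefox>` is byte-for-byte the line directly above it and is commented out (`##`), so it changes nothing; drop it from the patch.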
> 
> ?
> 
It's trash, I forgot to delete it.

>> --- apparmor-2.11.0/profiles/apparmor.d/abstractions/video	2007-08-29 03:05:56.000000000 +0400
>> +++ /etc/apparmor.d/abstractions/video	2017-06-27 22:12:45.000000000 +0300
>> @@ -4,3 +4,5 @@
>>    # System devices
>>    /sys/class/video4linux r,
>>    /sys/class/video4linux/** r,
>> +
>> +  /dev/video* rw,
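Review bot: `/dev/video* rw,` in a shared abstraction grants every profile that includes `abstractions/video` read/write access to every capture device, while the `/sys/class/video4linux` rules above it are read-only; a camera grant belongs in the profile of the one application that needs it (the way `usr.bin.skype` carries `/dev/video* mrw,`), backed by the denial log showing which program asked for it. The stray blank `+` line can go as well.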
> 
> I think this deserves an explanation: what profile / application would
> benefit from this change? (I see no profile that includes this
> abstraction on my system, in the apparmor tree, nor in the extra
> profiles tree.)
> 
I think this is a duplicate of the old stuff for the old Linux Skype:
usr.bin.skype:  /dev/video* mrw,
Maybe it's needed for Thunderbird, but I don't want to test it now: I'm
writing some letters.
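The profile changes in this thread were derived by reading `apparmor="DENIED"` lines and turning each denied path into a rule. The script below is an added example, not code from this thread or from the apparmor project: a stripped-down stand-in for what aa-logprof does, which parses both log formats quoted above (the `audit(...)` and `AVC` shapes), merges repeated denials per profile and path, and prints one candidate rule per path. The sample log is constructed from the denials quoted in the thread plus one made-up `file_mmap` line for `/bin/less`.

```python
import re

# Constructed sample, modelled on the denials quoted in this thread; the
# final file_mmap line is invented to show mask merging ("rm").
SAMPLE_LOG = """\
audit: type=1400 audit(1499284631.014:482): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/etc/manpath.config" pid=27542 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[6311]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/usr/share/man/" pid=6311 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[6311]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/usr/local/share/man/" pid=6311 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[6311]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/usr/share/man/" pid=6311 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[6311]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/bin/man" name="/bin/less" pid=6311 comm="man" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value, as the audit subsystem emits them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# order in which AppArmor conventionally lists permission letters
MASK_ORDER = "mrwalk"


def parse_denials(log_text):
    """Return one dict of audit fields per apparmor="DENIED" record."""
    records = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
        if "profile" in fields and "name" in fields:
            records.append(fields)
    return records


def suggest_rules(records):
    """Merge denials by (profile, path) and emit one candidate rule per path,
    carrying the union of the denied masks. Returns {profile: [rule, ...]}."""
    merged = {}
    for rec in records:
        merged.setdefault((rec["profile"], rec["name"]), set()).update(rec.get("denied_mask", ""))
    rules = {}
    for (profile, path), mask in sorted(merged.items()):
        letters = "".join(sorted(mask, key=lambda c: MASK_ORDER.index(c) if c in MASK_ORDER else len(MASK_ORDER)))
        rules.setdefault(profile, []).append(f"  {path} {letters},")
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"# candidate rules for {profile}")
        print("\n".join(lines))
```

The output is a starting point for review, not something to paste in blindly: collapsing sibling paths into a glob (as with the `dhclient` rules above) and deciding whether a grant belongs in the profile or in an abstraction is still a judgement call.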
