[apparmor] [profile] AbiWord: access to "/etc/nsswitch.conf", "/etc/passwd" files, ".ecryptfs/*/.Private/" folder and the proc filesystem ("/proc/[pid]/auxv").

daniel curtis sidetripping at gmail.com
Wed Mar 22 20:06:34 UTC 2017


A couple of months ago, I created a working AbiWord profile (until now,
there have not been any DENIED entries in log files such as
'/var/log/kern.log') and, of course, I have done some tests: changing font
size, background color, bolding, inserting a table, etc. The one problem I
see for now is that this profile was created on/for the 12.04 LTS release
(as I wrote: it was done some time ago).

There are, however, some issues that make me wonder. [Firstly]: during
profile testing it turned out that AbiWord needs access
(requested_mask="r" denied_mask="r") to these two files:

✗ /etc/nsswitch.conf
✗ /etc/passwd

I would like to ask a simple question: does AbiWord really need this access?
What are your opinions? [Secondly]: "/home/.ecryptfs/user1/.Private/" -- the
same thing as above: needed or not? If "yes", then should I use something
like this (I'm thinking about a rule):

owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

As we know, privacy seems to be OK, because of the encrypted contents of
the files in this directory, right? Also: the use of 'owner'. This prefix
properly prevents access to the files from processes running under a
different uid. Am I right on this issue?

[Thirdly]: access to "@{PROC}/[0-9]*/auxv". Just as above: should it be
allowed ("r") or not? Please remember: we are talking about word processing

[Fourthly]: the aa-genprof(8) utility recommended/created a rule for
'/usr/bin/abiword' with "mr" access. Short question: is it okay, or should I
change it to e.g. "mixr"?

This profile was created on the 12.04 LTS release, which is near EoL status,
and for AbiWord version 2.9.2 (while e.g. Xenial has version 3.0.1-6 and
Zesty has version 3.0.2-2). So for now, I will not paste the whole profile,
because of the changes made in the new, already mentioned above, AbiWord
versions. Changes which I could not catch during tests with the Precise
version --
Of course, after a system upgrade to the next, probably LTS, release, I will
update the profile to catch all the changes, new features added in newer
AbiWord releases etc., and add appropriate AppArmor rules etc.

I just want to know your opinions about these things (First, second, third
and fourth points.) That's all for now.

Thanks, best regards.

By the way: the AbiWord changelogs link is not working (404 Error) for
Precise, Trusty and trusty-updates. There is a message about "The
requested URL", which "was not found on this server" etc. Changelogs for
all the other releases seem to work okay.

(see: http://packages.ubuntu.com/precise/abiword)
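
An added example, not part of the original message: a small Python script that turns AppArmor DENIED audit lines of the kind mentioned above into candidate rules for manual review, including whether the 'owner' prefix would have matched. The log lines are constructed samples, and the names parse_denials and candidate_rules are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kern.log audit format (not from the post).
SAMPLE_LOG = "\n".join(
    'Mar 22 20:01:10 host kernel: [ 1234.5] type=1400 audit(1490212870.1:%d): '
    'apparmor="DENIED" operation="open" profile="/usr/bin/abiword" name=%s '
    'pid=%d comm="abiword" requested_mask="r" denied_mask="r" fsuid=1000 ouid=%d'
    % row for row in [
        (45, '"/etc/nsswitch.conf"', 2345, 0),
        (46, '"/etc/passwd"', 2345, 0),
        (47, '"/proc/2345/auxv"', 2345, 1000),
        (48, '"/proc/2399/auxv"', 2399, 1000),
        # The audit subsystem hex-encodes names containing spaces or quotes.
        (49, "/home/user1/My Notes.abw".encode().hex().upper(), 2399, 1000),
    ])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Yield the key=value fields of every apparmor="DENIED" line."""
    for line in text.splitlines():
        f = {}
        for key, quoted, bare in FIELD.findall(line):
            # An unquoted, all-hex name is the hex-encoded form of the path.
            if key == "name" and re.fullmatch(r"(?:[0-9A-F]{2})+", bare):
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            f[key] = quoted or bare
        if f.get("apparmor") == "DENIED" and "name" in f:
            yield f

def candidate_rules(text, profile="/usr/bin/abiword"):
    """Return sorted rule lines, one per distinct path, for manual review."""
    masks, owned = defaultdict(set), defaultdict(lambda: True)
    for f in (d for d in parse_denials(text) if d.get("profile") == profile):
        # Collapse per-process /proc entries into the pattern used in profiles.
        path = re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", f["name"])
        masks[path].update(f.get("denied_mask", ""))
        # 'owner' only fits if every denial had fsuid equal to the file's ouid.
        owned[path] &= f.get("fsuid") == f.get("ouid")
    rules = []
    for p, m in masks.items():
        quoted = f'"{p}"' if " " in p else p  # paths with spaces need quotes
        rules.append(("owner " if owned[p] else "") + f"{quoted} {''.join(sorted(m))},")
    return sorted(rules)

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

The output is a list to review against what the application should be doing, not rules to paste in unchanged.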