[ubuntu-hardened] a question

Seth Arnold seth.arnold at canonical.com
Thu Dec 12 02:54:21 UTC 2013


On Wed, Dec 11, 2013 at 10:29:06PM +0100, js at johest.de wrote:
> I just started on an AppArmor profile for PostgreSQL, which seemed
> not to be in progress (according to the website). As I don't know how to
> "upload" it, I will attach it to the mail.

Many of the "enthusiast" profiles are stored in bazaar,
https://code.launchpad.net/~apparmor-dev/apparmor-profiles/master

For postgresql, debfx has started a profile:

http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/14.04/usr.lib.postgresql.bin.postgres

(At least your profile name looks related to his, abstractions look the
same...)

> It's my first try, so please don't kill me.
> 
> I guess I need to improve on the several libraries and mask the
> version numbers, or is there any guide for that, regarding the
> lifetime and the expected version changes within a release? The
> profile is working so far, AppArmor doesn't complain and PostgreSQL
> is working.

Nice! A few comments inline:

> # Author: Joerg Stephan <js at johest.de>
> 
> 
> #include <tunables/global>
> 
> /usr/lib/postgresql/[0-9.]*/bin/postgres flags=(complain) {
> 
> 	 #include <abstractions/base>
> 	 #include <abstractions/nameservice>
>   	 #include <abstractions/ssl_keys>
> 
> 	network,

It'd be nice to have this as tight as possible. This grants a fair amount
of networking access.

> 	
> 
> 	/etc/postgresql/[0-9.]*/main/** r,
> 	/var/lib/postgresql/[0-9.]*/main/** rw,
> 	/var/run/postgresql/** rw,
> 	/run/postgresql/** rw,
> 	/usr/share/postgresql/[0-9.]*/** r,

I'd be tempted to simplify these to:

/etc/postgresql/** r,
/var/lib/postgresql/** rw,
/{var,}/run/postgresql/** rw,
/usr/share/postgresql/** r,

I don't think the version numbers contribute enough to carry them around.
Postgresql might as well own all the files in directories given to it.

> 
> 	@{PROC}/ r,
>   	owner @{PROC}/[0-9]*/com_adj rw,
> 	owner @{PROC}/[0-9]*/oom_adj rw,

The com_adj line can be deleted, there's no com_adj control file.


> 	/lib/x86_64-linux-gnu/libssl.so.1.0.0 rm,
> 	/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 rm,
> 	/lib/x86_64-linux-gnu/libpam.so.0.83.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1 rm,
> 	/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2 rm,
> 	/lib/x86_64-linux-gnu/libcom_err.so.2.1 rm,
> 	/lib/x86_64-linux-gnu/libc-2.17.so rm,
> 	/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.8.3 rm,
> 	/lib/x86_64-linux-gnu/libm-2.17.so rm,
> 	/lib/x86_64-linux-gnu/libdl-2.17.so rm,
> 	/usr/lib/x86_64-linux-gnu/libkrb5.so.3.3 rm,	
> 	/usr/lib/x86_64-linux-gnu/libkrb5.so.26.0.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1 rm,
> 	/lib/x86_64-linux-gnu/libaudit.so.1.0.0 rm,
> 	/lib/x86_64-linux-gnu/liblzma.so.5.0.0 rm,
> 	/lib/x86_64-linux-gnu/libz.so.1.2.8 rm,
> 	/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.8.3 rm,
> 	/lib/x86_64-linux-gnu/libpthread-2.17.so rm,
> 	/lib/x86_64-linux-gnu/libresolv-2.17.so	rm,
> 	/lib/x86_64-linux-gnu/libkeyutils.so.1.4 rm,
> 	/usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1 rm,
> 	/usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25 rm,
> 	/usr/lib/x86_64-linux-gnu/libgssapi.so.3.0.0 rm,	
> 	/usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6 rm,
> 	/lib/x86_64-linux-gnu/libgcrypt.so.11.7.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libheimntlm.so.0.1.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libheimbase.so.1.0.0 rm,	
> 	/usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libhcrypto.so.4.1.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libroken.so.18.1.0 rm,	
> 	/usr/lib/x86_64-linux-gnu/libtasn1.so.3.2.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0 rm,
> 	/lib/x86_64-linux-gnu/libgpg-error.so.0.10.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libwind.so.0.0.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libhx509.so.5.0.0 rm,
> 	/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6 rm,
> 	/lib/x86_64-linux-gnu/libcrypt-2.17.so rm,

All the libraries should already be covered by <abstractions/base> -- it
grants, e.g.,

  /lib/@{multiarch}/lib*.so*      mr,
  ...
  /usr/lib{,32,64}/*.so*         mr,

I believe that all of these can be removed from the profile.

> 	/usr/lib/locale/locale-archive rm,

This one ought to be covered by the <abstractions/base> rule:

  /usr/lib{,32,64}/locale/**             mr,

> 	/etc/ld.so.cache r,
> 

And again, covered by <abstractions/base>:

  /etc/ld.so.cache               mr,


> }
> 

It might be nice to add something like:

  #include <local/postgresql>

so local modifications can be made without too much trouble.

Perhaps a <tunables/postgresql> to allow specifying a socket for the
server and clients to use? Or a storage path to databases?

Thanks!
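Pulling the comments in this reply together, the following is what the profile looks like once they are applied. It is an added illustration for this archive page, not the profile Joerg posted nor debfx's version in the apparmor-profiles branch. The narrowed `network` rules, the `mr` rule for the server binary and the `oom_score_adj` line are my assumptions for a sensible starting point; the profile is left in complain mode so that anything still missing shows up in the audit log rather than breaking the cluster.

```apparmor
# Example: /etc/apparmor.d/usr.lib.postgresql.bin.postgres
# Added illustration applying the review above; not the thread's own profile.
# Keep flags=(complain) until the audit log is clean, then remove the flag.
#include <tunables/global>

# Attachment path without the version number, as suggested above.
/usr/lib/postgresql/*/bin/postgres flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_keys>

  # A bare "network," grants every address family and socket type (raw,
  # packet, netlink, ...). TCP is all a PostgreSQL server needs for
  # clients and replication; the resolver's needs come from nameservice.
  # (Assumption: narrowed rule set, not from the thread.)
  network inet stream,
  network inet6 stream,

  # The server binary itself. postgres forks its backends, so no exec
  # transition is required. (Assumption, not from the thread.)
  /usr/lib/postgresql/*/bin/postgres mr,

  # Version-agnostic paths: the version directories do not add enough
  # confinement to be worth re-editing the profile on every release.
  /etc/postgresql/** r,
  /var/lib/postgresql/** rw,
  /{var/,}run/postgresql/** rw,
  /usr/share/postgresql/** r,

  # Process information. com_adj does not exist and is dropped;
  # oom_score_adj is the current name of the control file on newer
  # kernels and is added here as an assumption.
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/oom_adj rw,
  owner @{PROC}/[0-9]*/oom_score_adj rw,

  # Shared libraries, /etc/ld.so.cache and /usr/lib/locale/** are already
  # granted by <abstractions/base>, so none of the per-library rules from
  # the posted profile are repeated here.

  # Site-local additions. The included file must exist (it may be empty),
  # otherwise apparmor_parser fails to load the profile.
  #include <local/postgresql>
}
```

To try it, install the file under `/etc/apparmor.d/`, create an empty `/etc/apparmor.d/local/postgresql`, load it with `sudo apparmor_parser -r /etc/apparmor.d/usr.lib.postgresql.bin.postgres`, restart the cluster and watch the kernel log for `apparmor="ALLOW"` entries; each one is a rule the profile still lacks before the complain flag can be removed.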