[ubuntu-hardened] a question

js at johest.de js at johest.de
Thu Dec 12 07:07:10 UTC 2013


Hi Seth,

comments inline

On 12.12.2013 03:54, Seth Arnold wrote:
> On Wed, Dec 11, 2013 at 10:29:06PM +0100, js at johest.de wrote:
>> I just started on an AppArmor profile for postgresql, which seemed
>> not to be in progress (according to the website). As I don't know how to
>> "upload" it, I will attach it to the mail.
> 
> Many of the "enthusiast" profiles are stored in bazaar,
> https://code.launchpad.net/~apparmor-dev/apparmor-profiles/master
> 
> For postgresql, debfx has started a profile:
> 
> http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/14.04/usr.lib.postgresql.bin.postgres
> 
> (At least your profile name looks related to his, abstractions look the
> same...)

Yep, debfx pointed me to the page yesterday in the chat, and I took some
of his code because it looked good :-)
Or looked better than mine at that stage.

> 
>> It's my first try, so please don't kill me.
>> 
>> I guess I need to improve on the several libraries and mask the
>> version numbers, or is there any guide for that, regarding the
>> lifetime and the expected version changes within a release? The
>> profile is working so far, apparmor doesn't complain and postgresql
>> is working.
> 
> Nice! A few comments inline:
> 
>> # Author: Joerg Stephan <js at johest.de>
>> 
>> 
>> #include <tunables/global>
>> 
>> /usr/lib/postgresql/[0-9.]*/bin/postgres flags=(complain) {
>> 
>> 	#include <abstractions/base>
>> 	#include <abstractions/nameservice>
>> 	#include <abstractions/ssl_keys>
>> 
>> 	network,
> 
> It'd be nice to have this as tight as possible. This grants a fair
> amount of networking access.
> 
>> 
>> 
>> 	/etc/postgresql/[0-9.]*/main/** r,
>> 	/var/lib/postgresql/[0-9.]*/main/** rw,
>> 	/var/run/postgresql/** rw,
>> 	/run/postgresql/** rw,
>> 	/usr/share/postgresql/[0-9.]*/** r,
> 
> I'd be tempted to simplify these to:
> 
> /etc/postgresql/** r,
> /var/lib/postgresql/** rw,
> /{var,}/run/postgresql/** rw,
> /usr/share/postgresql/** r,
> 
> I don't think the version numbers contribute enough to carry them
> around. Postgresql might as well own all the files in directories given
> to it..
> 
>> 
>> 	@{PROC}/ r,
>> 	owner @{PROC}/[0-9]*/com_adj rw,
>> 	owner @{PROC}/[0-9]*/oom_adj rw,
> 
> The com_adj line can be deleted, there's no com_adj control file.
> 
> 
>> 	/lib/x86_64-linux-gnu/libssl.so.1.0.0 rm,
>> 	/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 rm,
>> 	/lib/x86_64-linux-gnu/libpam.so.0.83.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1 rm,
>> 	/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2 rm,
>> 	/lib/x86_64-linux-gnu/libcom_err.so.2.1 rm,
>> 	/lib/x86_64-linux-gnu/libc-2.17.so rm,
>> 	/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.8.3 rm,
>> 	/lib/x86_64-linux-gnu/libm-2.17.so rm,
>> 	/lib/x86_64-linux-gnu/libdl-2.17.so rm,
>> 	/usr/lib/x86_64-linux-gnu/libkrb5.so.3.3 rm,
>> 	/usr/lib/x86_64-linux-gnu/libkrb5.so.26.0.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1 rm,
>> 	/lib/x86_64-linux-gnu/libaudit.so.1.0.0 rm,
>> 	/lib/x86_64-linux-gnu/liblzma.so.5.0.0 rm,
>> 	/lib/x86_64-linux-gnu/libz.so.1.2.8 rm,
>> 	/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.8.3 rm,
>> 	/lib/x86_64-linux-gnu/libpthread-2.17.so rm,
>> 	/lib/x86_64-linux-gnu/libresolv-2.17.so rm,
>> 	/lib/x86_64-linux-gnu/libkeyutils.so.1.4 rm,
>> 	/usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1 rm,
>> 	/usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25 rm,
>> 	/usr/lib/x86_64-linux-gnu/libgssapi.so.3.0.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6 rm,
>> 	/lib/x86_64-linux-gnu/libgcrypt.so.11.7.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libheimntlm.so.0.1.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libheimbase.so.1.0.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libhcrypto.so.4.1.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libroken.so.18.1.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libtasn1.so.3.2.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0 rm,
>> 	/lib/x86_64-linux-gnu/libgpg-error.so.0.10.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libwind.so.0.0.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libhx509.so.5.0.0 rm,
>> 	/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6 rm,
>> 	/lib/x86_64-linux-gnu/libcrypt-2.17.so rm,
> 
> All the libraries should already be covered by <abstractions/base> --
> it grants, e.g.,
> 
>   /lib/@{multiarch}/lib*.so*      mr,
>   ...
>   /usr/lib{,32,64}/*.so*         mr,
> 
> I believe that all of these can be removed from the profile.
> 
>> 	/usr/lib/locale/locale-archive rm,
> 
> This one ought to be covered by the <abstractions/base> rule:
> 
>   /usr/lib{,32,64}/locale/**             mr,
> 
>> 	/etc/ld.so.cache r,
>> 
> 
> And again, covered by <abstractions/base>:
> 
>   /etc/ld.so.cache               mr,
> 
> 
>> }
>> 

Well okay, maybe as a hint:
I just switched apparmor to complain mode and then took all the used files
from the syslog. Even with the abstraction rules above it still complained
about the files I added below then.

> 
> It might be nice to add something like:
> 
>   #include <local/postgresql>
> 
> so local modifications can be made without too much trouble.
> 
> Perhaps a <tunables/postgresql> to allow specifying a socket for the
> server and clients to use? Or a storage path to databases?
> 

Okay, sounds fair

> Thanks!

Thanks to you

Jörg
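The two points above (Seth's remark that the per-library lines and ld.so.cache are already granted by <abstractions/base>, and Jörg's note that he harvested his rules from complain-mode syslog entries) can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the thread or from the apparmor-profiles tree: it parses complain-mode log lines, translates AppArmor file globs into regexes, and reports only the accesses that no existing rule covers. It assumes `@{multiarch}` expands to `*-linux-gnu*` (as in tunables/multiarch), `@{PROC}` to `/proc`, and that `BASE_RULES` is a hand-picked subset of <abstractions/base>; the `owner` qualifier is dropped because the checker does not model file ownership, and the sample log lines are constructed, not captured from a host.

```python
"""Report which AppArmor complain-mode log entries are NOT already covered
by the rules a profile carries, so only genuinely uncovered paths get new
rules instead of per-library lines with baked-in version numbers.

Added example for this thread; not code from the apparmor-profiles tree.
Assumptions: @{multiarch} = "*-linux-gnu*", @{PROC} = "/proc", BASE_RULES
is a subset of <abstractions/base>, sample log lines are constructed.
"""
import re

VARIABLES = {"@{multiarch}": "*-linux-gnu*", "@{PROC}": "/proc"}

# (glob, permissions). Assumed subset of <abstractions/base>; the real
# abstraction carries many more rules.
BASE_RULES = [
    ("/lib/@{multiarch}/lib*.so*", "mr"),
    ("/usr/lib{,32,64}/*.so*", "mr"),
    ("/usr/lib/@{multiarch}/*.so*", "mr"),
    ("/usr/lib{,32,64}/locale/**", "mr"),
    ("/etc/ld.so.cache", "mr"),
]

# The simplified PostgreSQL rules proposed in the reply, plus the /proc
# lines from the draft (owner qualifier dropped: ownership is not modelled).
POSTGRES_RULES = [
    ("/etc/postgresql/**", "r"),
    ("/var/lib/postgresql/**", "rw"),
    ("/{var,}/run/postgresql/**", "rw"),
    ("/usr/share/postgresql/**", "r"),
    ("@{PROC}/", "r"),
    ("@{PROC}/[0-9]*/oom_adj", "rw"),
]

LOG_RE = re.compile(
    r'apparmor="ALLOWED".*?\bname="(?P<name>[^"]+)".*?\brequested_mask="(?P<mask>[^"]+)"'
)


def glob_to_regex(glob):
    """Translate an AppArmor file glob into an anchored regex:
    ** spans '/', * and ? stay within one path component, {a,b} alternates,
    [...] is passed through as a character class, all else is literal."""
    for var, value in VARIABLES.items():
        glob = glob.replace(var, value)
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])  # character class, unchanged
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def covering_rule(name, mask, rules):
    """First rule glob matching `name` that grants every letter of `mask`, else None."""
    for glob, perms in rules:
        if glob_to_regex(glob).match(name) and set(mask) <= set(perms):
            return glob
    return None


def parse_event(line):
    """(path, requested_mask) from a complain-mode log line, or None."""
    m = LOG_RE.search(line)
    return (m.group("name"), m.group("mask")) if m else None


def uncovered(log_lines, rules):
    """Events in `log_lines` that no rule in `rules` already permits."""
    result = []
    for line in log_lines:
        event = parse_event(line)
        if event and covering_rule(event[0], event[1], rules) is None:
            result.append(event)
    return result


def _event(op, name, mask):
    # Constructed log line in the shape of a complain-mode audit entry.
    return (f'type=AVC msg=audit(1386827230.123:45): apparmor="ALLOWED" '
            f'operation="{op}" profile="/usr/lib/postgresql/[0-9.]*/bin/postgres" '
            f'name="{name}" pid=2211 comm="postgres" requested_mask="{mask}" '
            f'denied_mask="{mask}" fsuid=108 ouid=0')


SAMPLE_LOG = [  # constructed; paths chosen to mirror the draft profile
    _event("open", "/lib/x86_64-linux-gnu/libssl.so.1.0.0", "r"),
    _event("file_mmap", "/lib/x86_64-linux-gnu/libssl.so.1.0.0", "m"),
    _event("file_mmap", "/usr/lib/x86_64-linux-gnu/libkrb5.so.3.3", "mr"),
    _event("open", "/usr/lib/locale/locale-archive", "r"),
    _event("open", "/etc/ld.so.cache", "r"),
    _event("open", "/var/lib/postgresql/9.1/main/base/1/1249", "rw"),
    _event("open", "/var/run/postgresql/9.1-main.pid", "w"),
    _event("open", "/proc/2211/oom_adj", "w"),
    _event("open", "/var/log/postgresql/postgresql-9.1-main.log", "w"),
]

if __name__ == "__main__":
    for name, mask in uncovered(SAMPLE_LOG, BASE_RULES + POSTGRES_RULES):
        print(f"needs a rule: {name} {mask}")
```

Run against the constructed log, every library, the locale archive and ld.so.cache are reported as covered by the base globs, the data directory and pid file by the simplified rules, and only the log file under /var/log remains; that is the one path for which an explicit rule is actually worth adding. Running the same check with `POSTGRES_RULES` alone reproduces what a complain-mode syslog looks like without the abstraction, which is the list of library lines the draft ended up with.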
