Several applications are linking against p11-kit[1] and we are seeing AppArmor denials in Ubuntu as a result[2][3].
From the README in the toplevel source: "[P11-KIT] Provides a way to load and enumerate PKCS#11 modules. Provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable." File locatations are described in [4]. There is a global configuration file in /etc/pkcs11/pkcs11.conf. Per module configuration happens in /etc/pkcs11/<module name>. There is also user configuration in ~/.pkcs11, but IMO this should not be allowed in the abstraction. Example configuration can be seen in the upstream documentation[5]. This will likely need to be refined as more applications use p11-kit. Attached is a second patch to add p11-kit to the authentication abstraction, since PKCS#11 deals with cryptographic tokens used in authentication. This could conceivably also be added to the gnome abstraction since anything using gnome-keyring will now require the pk11-kit abstraction, but since most gnome applications don't use gnome-keyring I don't think this is desired. [1]http://p11-glue.freedesktop.org/doc/p11-kit/ [2]https://launchpad.net/bugs/912752 [3]https://launchpad.net/bugs/912754 [4]http://p11-glue.freedesktop.org/doc/p11-kit/config-locations.html [5]http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html -- Jamie Strandboge | http://www.canonical.com
------------------------------------------------------------ revno: 1903 committer: Jamie Strandboge <ja...@canonical.com> branch nick: apparmor-trunk timestamp: Fri 2012-01-06 11:45:44 -0600 message: add p11-kit abstraction (LP: #912754, LP: #912752) From the README in the toplevel source: "[P11-KIT] Provides a way to load and enumerate PKCS#11 modules. Provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable." File locatations are described in [1]. There is a global configuration file in /etc/pkcs11/pkcs11.conf. Per module configuration happens in /etc/pkcs11/<module name>. There is also user configuration in ~/.pkcs11, but IMO this should not be allowed in the abstraction. Example configuration can be seen in the upstream documentation[2]. This will likely need to be refined as more applications use p11-kit. [1]http://p11-glue.freedesktop.org/doc/p11-kit/config-locations.html [2]http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html Acked-by: Jamie Strandboge <ja...@canonical.com> diff: === added file 'profiles/apparmor.d/abstractions/p11-kit' --- profiles/apparmor.d/abstractions/p11-kit 1970-01-01 00:00:00 +0000 +++ profiles/apparmor.d/abstractions/p11-kit 2012-01-06 17:45:44 +0000 @@ -0,0 +1,18 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2012 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + /etc/pkcs11/ r, + /etc/pkcs11/pkcs11.conf r, + /etc/pkcs11/modules/ r, + /etc/pkcs11/modules/* r, + + # p11-kit also supports reading user configuration from ~/.pkcs11 depending + # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be + # included in this abstraction.
------------------------------------------------------------ revno: 1904 committer: Jamie Strandboge <ja...@canonical.com> branch nick: apparmor-trunk timestamp: Fri 2012-01-06 11:46:52 -0600 message: add p11-kit to authentication abstraction Acked-by: Jamie Strandboge <ja...@canonical.com> diff: === modified file 'profiles/apparmor.d/abstractions/authentication' --- profiles/apparmor.d/abstractions/authentication 2011-03-23 19:24:11 +0000 +++ profiles/apparmor.d/abstractions/authentication 2012-01-06 17:46:52 +0000 @@ -1,7 +1,7 @@ # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2009-2011 Canonical Ltd +# Copyright (C) 2009-2012 Canonical Ltd # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -47,3 +47,5 @@ # smbpass #include <abstractions/smbpass> + # p11-kit (PKCS#11 modules configuration) + #include <abstractions/p11-kit>
signature.asc
Description: This is a digitally signed message part
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
