On Thu, Dec 19, 2013 at 10:16:35PM -0800, Tyler Hicks wrote:
> The AppArmor kernel now checks for both read and write permissions when
> a process calls connect() on a UNIX domain socket.
>
> The patch updates four abstractions that were found to be needing
> changes after the kernel change.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
Thanks for all these fixes. Acked-by: Seth Arnold <seth.arn...@canonical.com> > --- > profiles/apparmor.d/abstractions/cups-client | 2 +- > profiles/apparmor.d/abstractions/dbus | 2 +- > profiles/apparmor.d/abstractions/p11-kit | 3 +++ > profiles/apparmor.d/abstractions/private-files-strict | 2 ++ > 4 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/profiles/apparmor.d/abstractions/cups-client > b/profiles/apparmor.d/abstractions/cups-client > index fa9f8df..f38ac09 100644 > --- a/profiles/apparmor.d/abstractions/cups-client > +++ b/profiles/apparmor.d/abstractions/cups-client > @@ -12,7 +12,7 @@ > # discoverable system configuration for non-local cupsd > /etc/cups/client.conf r, > # client should be able to talk the local cupsd > - /{,var/}run/cups/cups.sock w, > + /{,var/}run/cups/cups.sock rw, > # client should be able to read user-specified cups configuration > owner @{HOME}/.cups/client.conf r, > owner @{HOME}/.cups/lpoptions r, > diff --git a/profiles/apparmor.d/abstractions/dbus > b/profiles/apparmor.d/abstractions/dbus > index 129a756..f0644c0 100644 > --- a/profiles/apparmor.d/abstractions/dbus > +++ b/profiles/apparmor.d/abstractions/dbus > @@ -10,5 +10,5 @@ > # ------------------------------------------------------------------ > > # System socket. Be careful when including this abstraction. > - /{,var/}run/dbus/system_bus_socket w, > + /{,var/}run/dbus/system_bus_socket rw, > dbus bus=system, > diff --git a/profiles/apparmor.d/abstractions/p11-kit > b/profiles/apparmor.d/abstractions/p11-kit > index a56fcee..84b7b11 100644 > --- a/profiles/apparmor.d/abstractions/p11-kit > +++ b/profiles/apparmor.d/abstractions/p11-kit 
> @@ -19,6 +19,9 @@ > /usr/share/p11-kit/modules/ r, > /usr/share/p11-kit/modules/* r, > > + # gnome-keyring pkcs11 module > + owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw, > + > # p11-kit also supports reading user configuration from ~/.pkcs11 depending > # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not > be > # included in this abstraction. > diff --git a/profiles/apparmor.d/abstractions/private-files-strict > b/profiles/apparmor.d/abstractions/private-files-strict > index cc4d67e..91851b8 100644 > --- a/profiles/apparmor.d/abstractions/private-files-strict > +++ b/profiles/apparmor.d/abstractions/private-files-strict > @@ -9,6 +9,8 @@ > audit deny @{HOME}/.ssh/** mrwkl, > audit deny @{HOME}/.gnome2_private/** mrwkl, > audit deny @{HOME}/.gnome2/keyrings/** mrwkl, > + # don't allow access to any gnome-keyring modules > + audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl, > audit deny @{HOME}/.mozilla/** mrwkl, > audit deny @{HOME}/.config/chromium/** mrwkl, > audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl, > -- > 1.8.3.2
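Review bot: In the cups-client hunk, the `w` to `rw` change on `/{,var/}run/cups/cups.sock` is exactly what the commit message calls for, but nothing next to the rule records why read is now needed; since the line is being touched anyway, the adjacent comment could read "client should be able to talk to the local cupsd (connect() needs rw)" so a later cleanup does not trim it back to `w` and silently break printing for every profile that includes this abstraction.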
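Review bot: The dbus hunk is the same `w` to `rw` fix on `/{,var/}run/dbus/system_bus_socket`; it would help to state in the commit message how the four affected abstractions were found (a grep of the abstractions for socket paths still ending in `w,`, or test runs against the new kernel), so reviewers can tell whether any other `w`-only socket rules remain that will start failing connect() the same way.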
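Review bot: The p11-kit hunk differs from the first two: `owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,` is a new grant rather than a permission widening on an existing rule, and the commit message does not call that out. The `owner` qualifier is the right scoping, since it limits the rule to a socket owned by the confined process's uid. It is also worth a comment that profiles which include private-files-strict will still be refused this socket, because AppArmor deny rules take precedence over allow rules and the last hunk adds a matching `audit deny ... keyring**`; that interaction looks intended but should be stated.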
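Review bot: In the private-files-strict hunk, the comment "don't allow access to any gnome-keyring modules" describes the path loosely: `/{,var/}run/user/[0-9]*/keyring**` covers gnome-keyring's runtime directory (control and pkcs11 sockets), not PKCS#11 modules. Because `**` matches across `/`, `keyring**` also matches both `keyring-XXXX/...` directories and any entry named `keyring...` directly under the user runtime directory; if that breadth is intended, say so in the comment, e.g. "deny the gnome-keyring runtime sockets under /run/user/<uid>/keyring*".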
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor