Hello,

On Thursday, 19 December 2013, Tyler Hicks wrote:
> The AppArmor kernel now checks for both read and write permissions
> when a process calls connect() on a UNIX domain socket.
> 
> The patch updates four abstractions that were found to be needing
> changes after the kernel change.

Does this affect all sockets?

There are some more "candidates" I found while grepping through the profiles:

# grep -r ' w,' . |grep -v '/ w,'   # pid files, logs etc. manually removed from the list
./abstractions/nameservice:  /{,var/}run/avahi-daemon/socket w,
./abstractions/base:  /dev/log                       w,
./abstractions/mdns:  /{,var/}run/mdnsd w,
./abstractions/apparmor_api/change_profile:@{PROC}/@{tid}/attr/{current,exec} w,
./abstractions/apache2-common:  @{PROC}/@{pid}/attr/current                        w,
./abstractions/X:  /tmp/.X11-unix/*           w,
./usr.lib.dovecot.dovecot-auth:  /var/spool/postfix/private/dovecot-auth w,
./usr.sbin.winbindd:  /var/lib/samba/winbindd_privileged/pipe w,
./usr.sbin.winbindd:  /var/log/samba/log.winbindd-idmap w,
./usr.sbin.winbindd:  /{var/,}run/samba/winbindd/pipe w,
./sbin.syslogd:  /dev/tty*                     w,
./sbin.syslog-ng:  /dev/log w,
./sbin.syslog-ng:  /dev/syslog w,
./sbin.syslog-ng:  @{CHROOT_BASE}/var/lib/*/dev/log w,
./usr.sbin.nscd.orig:  /{,var/}run/avahi-daemon/socket w,
./usr.sbin.dovecot:  /var/spool/postfix/private/* w,
./usr.sbin.avahi-daemon:  /{,var/}run/avahi-daemon/socket w,

Do you think some of them need to be changed from w to rw? If yes, which ones?


Regards,

Christian Boltz
-- 
Against persistent doubts as to whether SSL encryption in Windows
can really still offer the expected protection against unwanted
eavesdroppers, ultimately the only remedy is to change the operating system.
[http://www.heise.de/ct/artikel/Microsofts-Hintertuer-1921730.html]
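
An added example, not part of the original message or of the AppArmor project's code: one way to narrow a list like the one above is to check which write-only rules resolve to an actual UNIX domain socket on the running system. The function names and the `SAMPLE` text are constructed for illustration; rules using `@{...}` variables are skipped because resolving them needs the profile's tunables, and a socket that does not exist at scan time is not reported.

```python
import glob, os, re, stat

# A file rule granting only 'w', e.g. "  /dev/log    w,"
RULE = re.compile(r'^\s*(?P<path>\S+)\s+w,\s*$')

# Constructed sample built from rule lines quoted in the message above.
SAMPLE = """\
  /{,var/}run/avahi-daemon/socket w,
  /dev/log                       w,
  @{PROC}/@{tid}/attr/{current,exec} w,
  / w,
  /etc/hosts r,
"""

def expand_braces(pattern):
    """Expand AppArmor alternations such as /{,var/}run/x into plain paths."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(','):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out

def write_only_rules(profile_text):
    """Paths of rules that grant w without r (directory rules are ignored)."""
    paths = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and not m.group('path').endswith('/'):
            paths.append(m.group('path'))
    return paths

def socket_candidates(profile_text, root='/'):
    """(rule, path) pairs where a write-only rule matches an existing socket."""
    hits = []
    for rule in write_only_rules(profile_text):
        if '@{' in rule:  # variable rules need the profile's tunables; skipped
            continue
        for pat in expand_braces(rule):
            # Python's '*' matches one path component, like AppArmor's '*';
            # AppArmor's '**' is not handled by this sketch.
            for p in glob.glob(os.path.join(root, pat.lstrip('/'))):
                try:
                    if stat.S_ISSOCK(os.stat(p).st_mode):
                        hits.append((rule, p))
                except OSError:  # dangling symlink or unreadable entry
                    pass
    return hits

if __name__ == '__main__':
    for rule, path in socket_candidates(SAMPLE):
        print(f'{path} is a socket; rule "{rule} w," may need rw')
```

Each reported rule is only a candidate for review; whether the confined process actually calls connect() on that socket still has to be confirmed.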

