Hello,

On Thursday, 19 December 2013, Tyler Hicks wrote:
> The AppArmor kernel now checks for both read and write permissions
> when a process calls connect() on a UNIX domain socket.
>
> The patch updates four abstractions that were found to be needing
> changes after the kernel change.

Does this affect all sockets?

There are some more "candidates" I found while grepping through the
profiles:

# grep -r ' w,' . |grep -v '/ w,'
# pid files, logs etc. manually removed from the list
./abstractions/nameservice: /{,var/}run/avahi-daemon/socket w,
./abstractions/base: /dev/log w,
./abstractions/mdns: /{,var/}run/mdnsd w,
./abstractions/apparmor_api/change_profile:@{PROC}/@{tid}/attr/{current,exec} w,
./abstractions/apache2-common: @{PROC}/@{pid}/attr/current w,
./abstractions/X: /tmp/.X11-unix/* w,
./usr.lib.dovecot.dovecot-auth: /var/spool/postfix/private/dovecot-auth w,
./usr.sbin.winbindd: /var/lib/samba/winbindd_privileged/pipe w,
./usr.sbin.winbindd: /var/log/samba/log.winbindd-idmap w,
./usr.sbin.winbindd: /{var/,}run/samba/winbindd/pipe w,
./sbin.syslogd: /dev/tty* w,
./sbin.syslog-ng: /dev/log w,
./sbin.syslog-ng: /dev/syslog w,
./sbin.syslog-ng: @{CHROOT_BASE}/var/lib/*/dev/log w,
./usr.sbin.nscd.orig: /{,var/}run/avahi-daemon/socket w,
./usr.sbin.dovecot: /var/spool/postfix/private/* w,
./usr.sbin.avahi-daemon: /{,var/}run/avahi-daemon/socket w,

Do you think some of them need to be changed from w to rw?
If yes, which ones?

Regards,

Christian Boltz
--
Against lingering doubts about whether the SSL encryption in Windows
can really still offer the expected protection against unwanted
eavesdroppers, ultimately the only remedy is to switch operating systems.
[http://www.heise.de/ct/artikel/Microsofts-Hintertuer-1921730.html]
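
The kernel change quoted above applies to connect() on UNIX domain sockets, so a `w`-only rule is a candidate only if its path is such a socket. An added example, not part of the original mail or of the AppArmor project: it finds `w`-without-`r` file rules and checks on the local system whether each path matches a socket. The function names, the `root` parameter and the sample text are assumptions; `@{...}` variables are not resolved and AppArmor globbing is approximated with Python's `glob`.

```python
import glob, os, re, stat

# Added example (hypothetical helper names); file rule "/dev/log w," -> path, perms.
RULE = re.compile(r'^\s*(?:owner\s+)?(?P<path>[/@]\S*)\s+(?P<perms>[A-Za-z]+),')

# Constructed sample built from rules quoted in the mail.
SAMPLE = """\
  /dev/log w,
  /{,var/}run/avahi-daemon/socket w,
  /tmp/.X11-unix/* w,
  @{PROC}/@{pid}/attr/current w,
"""

def write_only_rules(profile_text):
    """Paths of file rules granting w without r, skipping directory rules ("/ w,")."""
    found = []
    for line in profile_text.splitlines():
        m = RULE.match(line.split('#', 1)[0])
        if m and 'w' in m['perms'] and 'r' not in m['perms'] and not m['path'].endswith('/'):
            found.append(m['path'])
    return found

def expand_braces(pattern):
    """Expand AppArmor {a,b} alternations into plain glob patterns."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m[1].split(',') for p in expand_braces(head + alt + tail)]

def is_socket(path):
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)  # follows symlinks such as /dev/log
    except OSError:
        return False

def classify(rule_path, root='/'):
    """'socket' if the rule matches a UNIX socket under root, else why not."""
    if '@{' in rule_path:
        return 'unresolved-variable'  # needs the tunables files, not handled here
    hits = [h for pat in expand_braces(rule_path)
            for h in glob.glob(os.path.join(root, pat.lstrip('/')))]
    if not hits:
        return 'no-match'
    return 'socket' if any(is_socket(h) for h in hits) else 'not-socket'

if __name__ == '__main__':
    for path in write_only_rules(SAMPLE):
        print(f'{classify(path):20} {path}')
```

A `no-match` result only means the service is not running or not installed on the machine where the check is run, so it says nothing about the rule itself.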