On 08/29/2014 08:57 AM, Jamie Strandboge wrote:
> On 08/27/2014 06:36 PM, Jamie Strandboge wrote:
>> # TODO: adjust when support finer-grained netlink rules
> 
> I've added this comment to the preliminary patchset.
> 
Updated to allow getopt and setopt, which turns out to be extremely common:

   # Allow us to getattr, getopt, setop and shutdown for anonymous sockets
   unix (getattr, getopt, setopt, shutdown) peer=(addr=none),


-- 
Jamie Strandboge                 http://www.ubuntu.com/
Author: Jamie Strandboge <ja...@canonical.com>
Description: update policy for abstract sockets. Man page updates
Forwarded: yes

Conversion of s/path/addr/ in rules by Steve Beattie
  <steve.beat...@canonical.com>

---
 profiles/apparmor.d/abstractions/X                   |    3 +++
 profiles/apparmor.d/abstractions/base                |   12 ++++++++++++
 profiles/apparmor.d/abstractions/dbus-session-strict |    4 ++++
 3 files changed, 19 insertions(+)

Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
===================================================================
--- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/base
+++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
@@ -122,6 +122,18 @@
   # Checking for PID existence is quite common so add it by default for now
   signal (receive, send) set=("exists"),
 
+  # Allow us to create and use abstract and anonymous sockets
+  unix peer=(label=@{profile_name}),
+
+  # Allow unconfined processes to us via unix sockets
+  unix (receive) peer=(label=unconfined),
+
+  # Allow us to create abstract and anonymous sockets
+  unix (create),
+
+  # Allow us to getattr, getopt, setop and shutdown for anonymous sockets
+  unix (getattr, getopt, setopt, shutdown) peer=(addr=none),
+
   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
   # filesystems generally. This does not appreciably decrease security with
   # Ubuntu profiles because the user is expected to have access to files owned
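Review bot: the comment on the last added rule misspells "setopt" as "setop" ("# Allow us to getattr, getopt, setop and shutdown for anonymous sockets"), and the comment "Allow unconfined processes to us via unix sockets" is missing its verb; since the rule only grants `receive`, "Allow unconfined processes to send to us via unix sockets" would describe it accurately. Because this lands in the `base` abstraction, `unix (receive) peer=(label=unconfined)` lets any unconfined process deliver messages to every profile that includes base, and `unix (create)` is not limited to abstract or anonymous sockets despite its comment, so a short note on why that trade-off is acceptable here would help later readers, in the same way the launchpad workaround below justifies itself.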
Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
===================================================================
--- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/dbus-session-strict
+++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
@@ -13,6 +13,10 @@
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
+  unix (connect, receive, send)
+       type=stream
+       peer=(label=unconfined,addr="@/tmp/dbus-*"),
+
   dbus send
        bus=session
        path=/org/freedesktop/DBus
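Review bot: the new `unix (connect, receive, send)` rule hard-codes `peer=(label=unconfined,addr="@/tmp/dbus-*")`, so it assumes the session dbus-daemon runs unconfined and listens on an abstract socket; if the daemon is ever confined, or the bus address is a filesystem path rather than an abstract one, connections from profiles using this abstraction will be denied. Unlike the other additions in this patch the rule carries no comment; a one-line comment stating both assumptions (abstract socket, unconfined daemon) would make the dependency explicit.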
Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
===================================================================
--- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/X
+++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
@@ -22,6 +22,9 @@
 
   # the unix socket to use to connect to the display
   /tmp/.X11-unix/*           w,
+  unix (connect, receive, send)
+       type=stream
+       peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),
 
   /usr/include/X11/               r,
   /usr/include/X11/**             r,
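Review bot: the existing comment "# the unix socket to use to connect to the display" now sits above two rules that cover different things: the `/tmp/.X11-unix/* w` file rule for the filesystem socket and the new `unix (connect, receive, send)` rule for the abstract socket `@/tmp/.X11-unix/X[0-9]*`. Consider a second comment for the new rule noting that it covers the abstract address and requires the X server to be unconfined (`peer=(label=unconfined, ...)`), so that a future confined X server is recognised as the reason connections start failing.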
Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
===================================================================
--- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/nameservice
+++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
@@ -87,5 +87,9 @@
   network inet  dgram,
   network inet6 dgram,
 
+  # TODO: adjust when support finer-grained netlink rules
+  # Netlink raw needed for nscd
+  network netlink raw,
+
   # interface details
   @{PROC}/@{pid}/net/route r,
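Review bot: this nameservice hunk is not accounted for in the patch header: the diffstat lists three files and 19 insertions, and the Description line mentions only abstract sockets and man page updates, so the `network netlink raw` change for nscd should either be added to the diffstat and description or split into its own patch. The TODO is a fine marker, but `network netlink raw` grants raw netlink access for every netlink protocol family, not only what nscd needs, so naming the family nscd uses in the comment would let the rule be tightened as soon as finer-grained netlink rules are supported.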


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
