On 08/29/2014 08:57 AM, Jamie Strandboge wrote:
> On 08/27/2014 06:36 PM, Jamie Strandboge wrote:
>> # TODO: adjust when support finer-grained netlink rules
>
> I've added this comment to the preliminary patchset.

Updated to allow getopt and setopt, which turns out to be extremely common:

# Allow us to getattr, getopt, setop and shutdown for anonymous sockets
unix (getattr, getopt, setopt, shutdown) peer=(addr=none),

--
Jamie Strandboge http://www.ubuntu.com/
Author: Jamie Strandboge <ja...@canonical.com> Description: update policy for abstract sockets. Man page updates Forwarded: yes Conversion of s/path/addr/ in rules by Steve Beattie <steve.beat...@canonical.com> --- profiles/apparmor.d/abstractions/X | 3 +++ profiles/apparmor.d/abstractions/base | 12 ++++++++++++ profiles/apparmor.d/abstractions/dbus-session-strict | 4 ++++ 3 files changed, 19 insertions(+) Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base =================================================================== --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/base +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base @@ -122,6 +122,18 @@ # Checking for PID existence is quite common so add it by default for now signal (receive, send) set=("exists"), + # Allow us to create and use abstract and anonymous sockets + unix peer=(label=@{profile_name}), + + # Allow unconfined processes to us via unix sockets + unix (receive) peer=(label=unconfined), + + # Allow us to create abstract and anonymous sockets + unix (create), + + # Allow us to getattr, getopt, setop and shutdown for anonymous sockets + unix (getattr, getopt, setopt, shutdown) peer=(addr=none), + # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked # filesystems generally. This does not appreciably decrease security with # Ubuntu profiles because the user is expected to have access to files owned Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict =================================================================== --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/dbus-session-strict +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict 
@@ -13,6 +13,10 @@ /etc/machine-id r, /var/lib/dbus/machine-id r, + unix (connect, receive, send) + type=stream + peer=(label=unconfined,addr="@/tmp/dbus-*"), + dbus send bus=session path=/org/freedesktop/DBus Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X =================================================================== --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/X +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X @@ -22,6 +22,9 @@ # the unix socket to use to connect to the display /tmp/.X11-unix/* w, + unix (connect, receive, send) + type=stream + peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"), /usr/include/X11/ r, /usr/include/X11/** r, Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice =================================================================== --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/nameservice +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice @@ -87,5 +87,9 @@ network inet dgram, network inet6 dgram, + # TODO: adjust when support finer-grained netlink rules + # Netlink raw needed for nscd + network netlink raw, + # interface details @{PROC}/@{pid}/net/route r,
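Review bot: in the base hunk the comment `# Allow unconfined processes to us via unix sockets` above `unix (receive) peer=(label=unconfined),` is missing its verb and reads as a fragment; `# Allow unconfined processes to send to us via unix sockets` would match what the receive-only rule actually grants. The comment two rules further down misspells the permission (`setop` for `setopt`), so `# Allow us to getattr, getopt, setopt and shutdown for anonymous sockets` while you are there.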
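Review bot: the dbus-session-strict rule `peer=(label=unconfined,addr="@/tmp/dbus-*")` is the only rule added in this series without a comment, and it is the one that bakes in an assumption: that the session dbus-daemon runs unconfined. A one-line comment stating that, and that the rule must be revisited if dbus-daemon is ever given a profile, would save the next reader a trip through the changelog.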
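Review bot: the X hunk inserts `unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),` directly before `/usr/include/X11/ r,` with neither a comment nor a separating blank line, whereas the dbus-session-strict hunk adds a trailing `+` blank line after its rule. Add the blank line for consistency and a comment tying the rule to the `/tmp/.X11-unix/* w,` line above it, so it is clear this is the abstract-socket counterpart of the filesystem socket rule.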
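Review bot: the diffstat in the patch header lists three files (X, base, dbus-session-strict) and `19 insertions(+)`, but the patch also carries this nameservice hunk, and the four hunks sum to 23 added lines (12 + 4 + 3 + 4); regenerate the diffstat before this lands. The Description also promises `Man page updates` that are not in the diff, and since `network netlink raw,` is acknowledged by its own `# TODO: adjust when support finer-grained netlink rules` comment to be coarser than wanted, the Description should mention the nameservice change and the nscd reason for it.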
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor