Hello,

(CC'ing Marcus to make sure he notices the discussion)

On Monday, 22 December 2014, John Johansen wrote:
> On 12/21/2014 08:34 AM, Christian Boltz wrote:
> > this patch adds a profile for lessopen.sh which handles programs
> > automatically executed by less (for example to get a file list out
> > of tarballs).
> > 
> > Patch by Marcus Meissner <meiss...@suse.com>
> > 
> > References: https://bugzilla.opensuse.org/show_bug.cgi?id=906858
> 
> So I don't have any objections to the patch besides the comment
> below.
> 
> I question if it should be in the base profile set but can't
> really think of a reason it shouldn't be as with the broad read
> permissions, it shouldn't cause breakage unless the exec list
> is incomplete.

Exactly - I'm also not afraid of breaking something (and if we are 
wrong, bug reports will tell us ;-)

> That said, it begs the question about confining less (harder)
> and whether this would be better as a subprofile of it.
> 
> > +Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
> > +===================================================================
> > +--- /dev/null
> > ++++ apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
> > +@@ -0,0 +1,39 @@
> > ++# Last Modified: Fri Nov 28 08:01:09 2014
> > ++#include <tunables/global>
> > ++
> > ++/usr/bin/lessopen.sh {
> > ++  #include <abstractions/base>
> > ++  #include <abstractions/bash>
> > ++  #include <abstractions/consoles>
> > ++  #include <abstractions/perl>
> > ++
> > ++  /** rk,
> > ++  /bin/bash ix,
> > ++  /bin/rpm rix,
> > ++  /bin/tar rix,
> > ++  /tmp/less.* rw,
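
Review bot: `/tmp/less.* rw,` has no `owner` qualifier and sits among the `ix`/`rix` rules, so bash, rpm and tar run under this same profile and can write to any `/tmp/less.*` file, whoever owns it. Suggest `owner /tmp/less.* rw,`, kept in its own block apart from the exec rules. `/** rk,` likewise lets every inherited helper read any file the user can read, which deserves a comment in the profile saying it is intentional.
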
> 
> could we move the rw perms to a separate section from the exec perms

A quick look at the lessopen.sh script indicates that writing the 
tempfile is done by using output redirection, so only lessopen.sh needs 
write access.

Maybe we could change all the rix rules to "Cx -> less_helpers" and give 
the "less_helpers" hat only "/** rk," permissions.

We could also Cx less into the "less_helpers" subprofile and only give 
it read access - however I think it's unlikely that less destroys the 
(temp)files it has to display ;-)

Oh, and we could probably restrict write access to the owner ;-)

> > ++  /usr/bin/bzip2 rix,
> > ++  /usr/bin/cabextract rix,
...
> > ++  #include <local/usr.bin.lessopen.sh>
> 
> I'd like to see a stub file here to go along with the patch

profiles/Makefile generates the local/* stubs for all profiles, so 
there's no need to add them manually.


Regards,

Christian Boltz
-- 
> At least Netscape 4 is consistent on some pages. You remember
> my big project? There it reliably crashes after 2 clicks at the
> latest ;-))  So the problem of inconsistent rendering is
> solved...
Suicide due to well-founded fear of failure. Wink-wink... :-)
[> Christian Boltz and Ratti in fontlinge-devel]
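
Added example, not part of the original message or the submitted patch: one way the "Cx -> less_helpers" idea from the reply could be written, using only the helpers visible in the quoted hunk. The child profile's `abstractions/base` include, its `mr` rules and its write rule for the temp file are assumptions (the helpers write to the descriptor they inherit from the script's redirection, and AppArmor checks that access against the profile the helper runs in); confirm them against the audit log in complain mode.

```apparmor
# Sketch only. The rules elided as "..." in the quoted patch would follow
# the same pattern as the four helpers shown here.
#include <tunables/global>

/usr/bin/lessopen.sh {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/perl>

  # Read-only view of whatever file less is asked to display.
  /** rk,

  # Write access kept apart from the exec rules and limited to the
  # user's own temp files.
  owner /tmp/less.* rw,

  # The script's own interpreter keeps running under this profile.
  /bin/bash ix,

  # Helpers transition into the child profile instead of inheriting
  # everything above.
  /bin/rpm Cx -> less_helpers,
  /bin/tar Cx -> less_helpers,
  /usr/bin/bzip2 Cx -> less_helpers,
  /usr/bin/cabextract Cx -> less_helpers,

  profile less_helpers {
    #include <abstractions/base>

    /** rk,

    # Assumption: after the transition each helper needs m on its own
    # binary (ix granted that implicitly in the original rules).
    /bin/{rpm,tar} mr,
    /usr/bin/{bzip2,cabextract} mr,

    # Assumption: stdout is the temp file opened by the parent's
    # redirection, so the helper needs w (not r or create) on it.
    owner /tmp/less.* w,
  }

  #include <local/usr.bin.lessopen.sh>
}
```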


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
