On Wed, Mar 22, 2017 at 09:06:34PM +0100, daniel curtis wrote: > There are, however, some issues, that makes me wonder. [Firstly]: during > profile testing it turned out that AbiWord needs an access > (requested_mask="r" denied_mask="r") to these two files: > > ✗ /etc/nsswitch.conf > ✗ /etc/passwd > > I would like to ask a simple question: AbiWord really needs this access?
Hello Daniel, This is fine, I expect abiword is using the getpwuid(3) family of APIs to find the home directory. > What is your opinions? [Secondly]: "/home/.ecryptfs/user1/.Private/" -- the > same thing as above: needed or not? If "yes" then should I use something > like this one (I'm thinking about rule): > > owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, > > As we know, privacy seems to be OK, because of the encrypted contents of > the files in this directory, right? Also; the use of 'owner'. This prefix > properly prevents access to the files from processes running under a > different uid. Am I right in this issue? ecryptfs is hard. By design the names shouldn't be anything predictable, so the only option available to AppArmor is to grant access to everything when you want a confined program to access the encrypted storage. The 'owner' flag of course just prevents you from using this program to gain access to -other- accounts' ecryptfs backing storage. Unconfined programs or profiles without this step would be limited to what the standard Unix discretionary access controls allow. > [Thirdly]: an access to "@{PROC}/[0-9]*/auxv". Just as above: it should be > allowed ("r") or not? Please remember: we are talking about word processing > application. Definitely allow; the aux vector provides programs a huge amount of useful information which the processes may need. > [Fourthly]: aa-genprof(8) utility recommended/created a rule for > '/usr/bin/abiword' with "mr" access. Short question: it is okay or I should > change it to e.g.: "mixr"? This depends upon internals of the abiword tool. 'ix' doesn't actually affect anything from apparmor's perspective so it's easy to give the access without knowing if it's needed or not. > By the way; AbiWord changelogs link is not working (404 Error) for: > Precise, Trusty and trusty-updates. There is an information about "The > requested URL", which "was not found on this server" etc. Changelogs, for > all the rest releases seems to work okay. > > (see: http://packages.ubuntu.com/precise/abiword) That's probably a result of https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1672555 -- thanks for pointing out the bug. I've added a comment. Thanks
signature.asc
Description: PGP signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor