Hi,

artiom:
> Diffs.
Thanks! See comments & questions below :)

> On 29.06.2017 08:35, intrigeri wrote:
> --- /usr/share/doc/apparmor-profiles/extras/sbin.dhclient 2017-03-28
> 13:29:15.000000000 +0300
> +++ /etc/apparmor.d/sbin.dhclient 2017-06-27 22:48:18.314733833 +0300

Meta: I don't know if that's the best profile we have around for
dhclient. IIRC Ubuntu ships another one in src:isc-dhcp. Perhaps you
would like to have a look and try to merge them so we have one single,
great dhclient profile that everyone can ship?

> - /var/lib/NetworkManager/dhclient-*.conf r,
> - /var/lib/NetworkManager/dhclient-*.lease rw,
> + /var/lib/NetworkManager/dhclient*-*.conf r,
> + /var/lib/NetworkManager/dhclient*-*.lease rw,
> […]
> - /{,var/}run/dhclient-*.pid rw,
> + /{,var/}run/dhclient*-*.pid rw,

Why not, but I'm curious why: on my system the files I see in that
directory match the glob you're extending. Can you please paste the
corresponding denial logs?

If we really need to do that, I'd rather go one more step forward and
do this:

  /var/lib/NetworkManager/dhclient*.conf r,
  /var/lib/NetworkManager/dhclient*.lease rw,
  /{,var/}run/dhclient*.pid rw,

> # This one will need to be fleshed out depending on what the user is doing
> /{usr/,}sbin/dhclient-script mrpix,
> + /{usr/,}lib/NetworkManager/nm-dhcp-helper mrpix,

We already have this:

  /usr/lib/nm-dhcp-helper rix,

So please de-duplicate them :)

Note that the Ubuntu profile has a dedicated child profile for that
helper IIRC, which seems nicer.

> --- /usr/share/doc/apparmor-profiles/extras/usr.bin.man 2017-03-28
> 13:29:15.000000000 +0300
> +++ /etc/apparmor.d/usr.bin.man 2017-06-27 22:35:18.636780980 +0300
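Review bot: the added `/{usr/,}lib/NetworkManager/nm-dhcp-helper mrpix,` is not an exact duplicate of the existing `/usr/lib/nm-dhcp-helper rix,`: the paths differ (`lib/NetworkManager/` versus `lib/`) and so do the exec modes (`Pix` tries a dedicated profile for the helper and falls back to inherit, `ix` always inherits the dhclient profile). When de-duplicating, keep the path that matches the installed binary and choose one exec mode deliberately; a `Px`/`Pix` transition into a child profile, as the Ubuntu profile reportedly does, keeps the helper more tightly confined than `ix`. On the glob change, `dhclient*-*.conf` is a strict superset of `dhclient-*.conf` but still narrower than the proposed `dhclient*.conf`, so the denial log showing the real file name should decide between them rather than guesswork.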
> @@ -16,12 +16,38 @@
>
> /usr/bin/man {
> #include <abstractions/base>
> - #include <abstractions/nameservice>
> + #include <abstractions/consoles>
> + #include <abstractions/user-manpages>
>
> capability setgid,
> capability setuid,
>
> - /usr/bin/man r,
> - /usr/lib/man-db/man Px,
> +
> +
> + /bin/gzip rix,
> + /bin/less rix,
> [...]
>
> }

Here you seem to be essentially dropping the separate profile for
/usr/lib/man-db/man, and merging its content into the profile for
/usr/bin/man. Why? Might it be that you've enabled the latter but not
the former, which would explain all kinds of breakage for the man
command?

> --- apparmor-2.11.0/profiles/apparmor.d/abstractions/nvidia 2014-06-06
> 22:50:58.000000000 +0400
> +++ /etc/apparmor.d/abstractions/nvidia 2017-06-27 23:01:45.972799697
> +0300
> + /dev/nvidia-modeset rw,

This was done upstream already. What's the drawback of not having it?
If it's serious enough, then I'll try to get this fix in Debian 9.

> --- icedove-45.8.0/debian/apparmor/usr.bin.thunderbird 2017-03-30
> 02:28:32.000000000 +0300
> +++ /etc/apparmor.d/usr.bin.thunderbird 2017-07-02 17:18:54.756579420
> +0300
> @@ -56,6 +56,7 @@
>
> # Addons (too lax for thunderbird)
> ##include <abstractions/ubuntu-browsers.d/firefox>
> + ##include <abstractions/ubuntu-browsers.d/firefox>

?

> --- apparmor-2.11.0/profiles/apparmor.d/abstractions/video 2007-08-29
> 03:05:56.000000000 +0400
> +++ /etc/apparmor.d/abstractions/video 2017-06-27 22:12:45.000000000
> +0300
> @@ -4,3 +4,5 @@
> # System devices
> /sys/class/video4linux r,
> /sys/class/video4linux/** r,
> +
> + /dev/video* rw,

I think this deserves an explanation: what profile / application would
benefit from this change? (I see no profile that includes this
abstraction on my system, in the apparmor tree, nor in the extra
profiles tree.)

Cheers,
--
intrigeri

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
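Review bot: in the `/usr/bin/man` hunk, removing `/usr/lib/man-db/man Px,` drops the transition into the separate man-db profile, and the new `/bin/gzip rix,` and `/bin/less rix,` run the decompressor and the pager inside the `/usr/bin/man` profile itself, so everything that profile allows, including the `capability setgid,` and `capability setuid,` lines just above, is available to the pager process. If the goal is to keep privileges bounded, keep the `Px` transition for the man-db helper and give the pager its own child profile instead of `ix`. The dropped `#include <abstractions/nameservice>` and the two empty `+` lines also need a sentence in the change description.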
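Review bot: the line added in the `usr.bin.thunderbird` hunk is a verbatim copy of the `##include <abstractions/ubuntu-browsers.d/firefox>` line directly above it, and both begin with `##`, so the addition is a commented-out duplicate and changes nothing in the loaded policy. Drop it; if the intent was to enable the include, uncomment exactly one line and say why, given that the surrounding comment already calls that abstraction too lax for thunderbird.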
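Review bot: the `+ /dev/video* rw,` line lands in `abstractions/video`, not in a single profile, so every profile that includes this abstraction now or in the future gains read/write access to every video capture device, while the existing lines only grant read on `/sys/class/video4linux` metadata. The rule should carry a comment naming the application that needs it; if only one does, the rule belongs in that application's profile rather than the shared abstraction.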
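For readers who want to check what the widened dhclient globs, the `{,var/}` alternation and the `/dev/video*` rule actually match before choosing one, here is an added Python script, not part of this thread and not apparmor project code, that implements the apparmor.d(5) glob rules (`*` stops at `/`, `**` crosses `/`, `?`, `{a,b}` alternation, `[...]` classes) as a regex translation and runs the patterns quoted above against constructed sample file names. The rule table and the sample paths are constructed for illustration; the real names on a given system come from the denial logs intrigeri asks for.

```python
import re


def apparmor_glob_to_regex(pattern: str) -> str:
    """Translate an apparmor.d(5) path glob into an anchored Python regex.

    '*'      zero or more characters, never crossing '/'
    '**'     zero or more characters, including '/'
    '?'      exactly one character other than '/'
    '{a,b}'  alternation; nesting and an empty alternative are allowed
    '[...]'  character class, '[^...]' negated
    '\\x'     literal x
    """
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1])); i += 2
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "{":
            out.append("(?:"); depth += 1; i += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1; i += 1
        elif c == "," and depth:
            out.append("|"); i += 1
        elif c == "[" and "]" in pattern[i + 1:]:
            j = pattern.index("]", i + 1)
            out.append("[" + pattern[i + 1:j] + "]"); i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return "^" + "".join(out) + "$"


def matches(pattern: str, path: str) -> bool:
    """True if the AppArmor glob `pattern` covers the absolute `path`."""
    return re.match(apparmor_glob_to_regex(pattern), path) is not None


# Constructed rule table: the globs discussed in the thread, side by side.
RULES = [
    ("/var/lib/NetworkManager/dhclient-*.conf", "r"),   # extras profile as shipped
    ("/var/lib/NetworkManager/dhclient*-*.conf", "r"),  # widened glob from the diff
    ("/var/lib/NetworkManager/dhclient*.conf", "r"),    # the broader proposal
    ("/{,var/}run/dhclient*.pid", "rw"),
    ("/sys/class/video4linux/**", "r"),
    ("/dev/video*", "rw"),
]


def rules_matching(path: str, rules=RULES):
    """Every rule whose glob covers `path`, in table order."""
    return [pat for pat, _ in rules if matches(pat, path)]


def perms_for(path: str, rules=RULES) -> str:
    """AppArmor accumulates permissions across all matching rules."""
    granted = set()
    for pat, perms in rules:
        if matches(pat, path):
            granted.update(perms)
    return "".join(sorted(granted))


if __name__ == "__main__":
    # Constructed sample paths; real names come from the denial logs.
    SAMPLES = [
        "/var/lib/NetworkManager/dhclient-eth0.conf",
        "/var/lib/NetworkManager/dhclient6-eth0.conf",
        "/var/lib/NetworkManager/dhclient.conf",
        "/run/dhclient.pid",
        "/var/run/dhclient-eth0.pid",
        "/run/dhclient/eth0.pid",
        "/sys/class/video4linux/video0/name",
        "/dev/video0",
        "/dev/video/0",
    ]
    for p in SAMPLES:
        print(f"{p:46} perms={perms_for(p) or '-':3} via {rules_matching(p)}")
```

Running it shows the point of the thread: a name with text between `dhclient` and the dash is only covered by the two wider globs, the bare `dhclient.conf` only by the widest one, and `*` never reaches into a subdirectory, so `/run/dhclient/eth0.pid` and `/dev/video/0` stay denied under every rule in the table.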