[apparmor] [patch 7/9] profiles - finish @{PROC} conversion
This patch finishes the conversion from /proc to the @{PROC} tunable within profiles and abstractions. It also adjusts some of the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict things to just the /proc/pid directories. (A followup patch will convert these to use @{pid} from the kernelvars tunable.) --- profiles/apparmor.d/abstractions/apache2-common |2 +- profiles/apparmor.d/apache2.d/phpsysinfo |2 +- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth |2 +- profiles/apparmor.d/usr.sbin.avahi-daemon|2 +- profiles/apparmor.d/usr.sbin.nmbd|2 +- profiles/apparmor.d/usr.sbin.smbd|4 ++-- profiles/apparmor/profiles/extras/usr.sbin.cupsd |4 ++-- profiles/apparmor/profiles/extras/usr.sbin.sshd |4 ++-- 8 files changed, 11 insertions(+), 11 deletions(-) Index: b/profiles/apparmor.d/apache2.d/phpsysinfo === --- a/profiles/apparmor.d/apache2.d/phpsysinfo +++ b/profiles/apparmor.d/apache2.d/phpsysinfo @@ -17,7 +17,7 @@ /etc/lsb-release r, /etc/mtab r, /etc/phpsysinfo/config.php r, -/proc/** r, +@{PROC}/** r, /sys/bus/pci/devices/ r, /sys/devices/** r, /usr/bin/apt-cache ixr, Index: b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth === --- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth +++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth @@ -11,7 +11,7 @@ capability chown, capability dac_override, - /proc/*/mounts r, + @{PROC}/[0-9]*/mounts r, /usr/lib/dovecot/dovecot-auth mr, /{,var/}run/dovecot/** rw, # required for postfix+dovecot integration Index: b/profiles/apparmor.d/usr.sbin.smbd === --- a/profiles/apparmor.d/usr.sbin.smbd +++ b/profiles/apparmor.d/usr.sbin.smbd @@ -24,8 +24,8 @@ /etc/netgroup r, /etc/printcap r, /etc/samba/* rwk, - /proc/*/mounts r, - /proc/sys/kernel/core_pattern r, + @{PROC}/[0-9]*/mounts r, + @{PROC}/sys/kernel/core_pattern r, /usr/lib*/samba/vfs/*.so mr, /usr/lib*/samba/charset/*.so mr, /usr/lib*/samba/auth/script.so mr, Index: b/profiles/apparmor.d/usr.sbin.avahi-daemon === --- a/profiles/apparmor.d/usr.sbin.avahi-daemon 
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon @@ -17,7 +17,7 @@ /etc/avahi/hosts r, /etc/avahi/services/ r, /etc/avahi/services/*.service r, - /proc/*/fd/ r, + @{PROC}/[0-9]*/fd/ r, /usr/sbin/avahi-daemon mr, /usr/share/avahi/introspection/*.introspect r, /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r, Index: b/profiles/apparmor.d/abstractions/apache2-common === --- a/profiles/apparmor.d/abstractions/apache2-common +++ b/profiles/apparmor.d/abstractions/apache2-common @@ -11,7 +11,7 @@ /usr/share/apache2/** r, # changehat itself - /proc/*/attr/currentw, + @{PROC}/[0-9]*/attr/currentw, # htaccess files - for what ever it is worth /**/.htaccessr, Index: b/profiles/apparmor.d/usr.sbin.nmbd === --- a/profiles/apparmor.d/usr.sbin.nmbd +++ b/profiles/apparmor.d/usr.sbin.nmbd @@ -7,7 +7,7 @@ capability net_bind_service, - /proc/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/core_pattern r, /usr/sbin/nmbd mr, Index: b/profiles/apparmor/profiles/extras/usr.sbin.cupsd === --- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd +++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd @@ -43,8 +43,8 @@ /etc/cups/yes/* rw, /etc/hosts.allow r, /etc/hosts.deny r, - /proc/meminfo r, - /proc/sys/dev/parport/** r, + @{PROC}/meminfo r, + @{PROC}/sys/dev/parport/** r, /sys/class/usb r, /usr/bin/perl ix, /usr/bin/smbspool ixr, Index: b/profiles/apparmor/profiles/extras/usr.sbin.sshd === --- a/profiles/apparmor/profiles/extras/usr.sbin.sshd +++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd @@ -40,8 +40,8 @@ /etc/hosts.deny r, /etc/modules.conf r, /etc/ssh/* r, - /proc/*/oom_adj rw, - /proc/*/oom_score_adj rw, + @{PROC}/[0-9]*/oom_adj rw, + @{PROC}/[0-9]*/oom_score_adj rw, /usr/sbin/sshd mrix, /var/log/btmp r, /{,var/}run w, -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
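Review bot: the `[0-9]*` pid component introduced in the dovecot-auth, smbd, avahi-daemon, apache2-common and sshd hunks is looser than it reads: in AppArmor globbing `*` is "any run of characters other than `/`", so `[0-9]*` means one digit followed by anything, and `@{PROC}/[0-9]*/mounts r,` still matches `/proc/1abc/mounts`. Since the commit message already plans a follow-up to `@{pid}`, either land that conversion together with this change or add a short comment in each touched profile that the pattern is interim, so nobody copies it as the canonical form.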
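Review bot: the sshd hunk grants `@{PROC}/[0-9]*/oom_adj rw,` and `@{PROC}/[0-9]*/oom_score_adj rw,` for every pid, which lets the confined daemon change the OOM scoring of unrelated processes; if sshd only adjusts itself and its children, an `owner` qualifier on both rules (as the skype profile in this series uses for its `@{PROC}` rules) narrows that without changing what the daemon can do to its own processes.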
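Review bot: the apache2-common hunk reads `@{PROC}/[0-9]*/attr/currentw,` with no whitespace between the path and the permission, and the context line `/**/.htaccessr,` has the same shape; if that is how the file reads rather than a mail-rendering artifact the parser will reject the abstraction, and the line should be `@{PROC}/[0-9]*/attr/current w,`. Worth confirming with `make check` before commit.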
[apparmor] [patch 4/9] profiles - fix apparmor_api abstractions
The apparmor_api abstractions make the mistake of including tunables directly, which is a no-no since the variable definitions in tunables need to occur in the preamble of a profile, not embedded within it. This patch removes those includes, and replaces them documentation of tunables are necessary, as some of the expected ones are not part of tunables/global. It also adjust the kernelvars tunable's definition of the @{pid} regex, as the current parser does not support nesting of {} groupings, which breaks any profile that attempts to use the tunable. --- profiles/apparmor.d/abstractions/apparmor_api/examine |4 ++-- profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint |5 +++-- profiles/apparmor.d/abstractions/apparmor_api/introspect |4 ++-- profiles/apparmor.d/abstractions/apparmor_api/is_enabled |4 ++-- profiles/apparmor.d/tunables/kernelvars |5 - 5 files changed, 13 insertions(+), 9 deletions(-) Index: b/profiles/apparmor.d/abstractions/apparmor_api/examine === --- a/profiles/apparmor.d/abstractions/apparmor_api/examine +++ b/profiles/apparmor.d/abstractions/apparmor_api/examine @@ -6,7 +6,7 @@ # # -- -#include tunables/proc -#include tunables/kernelvars +# Make sure to include at least tunables/proc and tunables/kernelvars +# when using this abstraction, if not tunables/global. @{PROC}/@{pids}/attr/{current,prev,exec} r, Index: b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint === --- a/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint +++ b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint @@ -8,6 +8,7 @@ #permissions needed for aa_find_mountpoint -#include tunables/proc +# Make sure to include at least tunables/proc and tunables/kernelvars +# when using this abstraction, if not tunables/global. -@{proc}/*/mounts r, +@{PROC}/@{pids}/mounts r, Index: b/profiles/apparmor.d/abstractions/apparmor_api/introspect === --- a/profiles/apparmor.d/abstractions/apparmor_api/introspect 
+++ b/profiles/apparmor.d/abstractions/apparmor_api/introspect @@ -6,7 +6,7 @@ # # -- -#include tunables/proc -#include tunables/kernelvars +# Make sure to include at least tunables/proc and tunables/kernelvars +# when using this abstraction, if not tunables/global. @{PROC}/@{tid}/attr/{current,prev,exec} r, Index: b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled === --- a/profiles/apparmor.d/abstractions/apparmor_api/is_enabled +++ b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled @@ -8,8 +8,8 @@ # permissions needed for aa_is_enabled -#include tunables/sys -#include tunables/apparmorfs +# Make sure to include at least tunables/sys and tunables/apparmorfs +# when using this abstraction, if not tunables/global. #include abstractions/apparmor_api/find_mountpoint @{sys}/module/apparmor/parameters/enabled r, Index: b/profiles/apparmor.d/tunables/kernelvars === --- a/profiles/apparmor.d/tunables/kernelvars +++ b/profiles/apparmor.d/tunables/kernelvars @@ -10,7 +10,10 @@ # that will become kernel vars at some point # until kernel vars are implemented just use a pattern [0-9]{1,6} -@{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},} +# and until the parser supports nested groupings like +# @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},} +# use +@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]} #same pattern as @{pid} for now @{tid}=@{pid} -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
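Review bot: the is_enabled hunk's new comment says to include "at least tunables/sys and tunables/apparmorfs", but the unchanged line right after it, `#include abstractions/apparmor_api/find_mountpoint`, pulls in a rule that (per the find_mountpoint hunk) now needs tunables/proc and tunables/kernelvars as well; the comment should list all four or simply point at tunables/global, otherwise a profile that follows it to the letter fails to parse.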
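Review bot: the examine and find_mountpoint hunks reference `@{pids}` while the kernelvars hunk only shows `@{pid}` and `@{tid}` being defined; if `@{pids}` is not defined elsewhere in kernelvars, any profile that includes these abstractions fails with an undefined-variable error, which is exactly the breakage the commit message sets out to fix. A test profile that includes tunables/global plus each apparmor_api abstraction, run through `make check`, would catch this.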
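Review bot: the new `@{pid}` alternation in the kernelvars hunk tops out at six digits (the surrounding comment says `[0-9]{1,6}`); the default `kernel.pid_max` of 32768 fits, but on 64-bit systems an administrator may raise it to 4194304, and at seven digits every `@{PROC}/@{pid}/...` rule silently stops matching those processes and the profile starts producing denials that look unrelated. Stating that pid_max assumption explicitly next to the pattern makes the resulting reports much easier to diagnose.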
[apparmor] [patch 9/9] profiles - dnsmasq: allow writes to /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager integration
Author: Jamie Strandboge ja...@canonical.com Description: allow writes to /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager integration Bug-Ubuntu: https://launchpad.net/bugs/941808 --- profiles/apparmor.d/usr.sbin.dnsmasq |1 + 1 file changed, 1 insertion(+) Index: b/profiles/apparmor.d/usr.sbin.dnsmasq === --- a/profiles/apparmor.d/usr.sbin.dnsmasq +++ b/profiles/apparmor.d/usr.sbin.dnsmasq @@ -53,6 +53,7 @@ # NetworkManager integration /{,var/}run/nm-dns-dnsmasq.conf r, + /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w, # Site-specific additions and overrides. See local/README for details. #include local/usr.sbin.dnsmasq -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
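Review bot: the new rule `/{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,` has a leading `*`, so it matches any file in that directory whose name ends in `dnsmasq.pid`, not just the one NetworkManager's dnsmasq instance writes; if that name is fixed, naming it exactly is tighter. Since entries in sendsigs.omit.d exempt the listed pids from the shutdown kill pass, the rule also deserves its own comment line with the rationale from the commit message rather than sitting under the generic "NetworkManager integration" heading alone.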
[apparmor] [patch 2/9] profiles - separate out logprof checks from parser checks
This patch separates out make check in the profiles/ directory into two sub targets, for checking profiles against the built parser and aa-logprof respectively. The logprof check currently makes some assumptions about the environment that make it difficult to run in a minimal chroot environment. --- profiles/Makefile |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) Index: b/profiles/Makefile === --- a/profiles/Makefile +++ b/profiles/Makefile @@ -84,11 +84,17 @@ IGNORE_FILES=${EXTRAS_SOURCE}/README CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*)) .PHONY: check -check: +check: check-parser check-logprof + +.PHONY: check-parser +check-parser: @echo *** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser $(Q)for profile in ${CHECK_PROFILES} ; do \ [ -n ${VERBOSE} ] echo Testing $${profile} ; \ ${PARSER} -S -b ${PWD}/apparmor.d $${profile} /dev/null || exit 1; \ done + +.PHONY: check-logprof +check-logprof: @echo *** Checking profiles from ${PROFILES_SOURCE} against logprof $(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1 -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
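Review bot: the check-parser hunk keeps `@echo *** Checking profiles from ... against apparmor_parser` as the first recipe line; make hands that to the shell unquoted, and `***` is a glob that expands to the names of the files in profiles/ rather than printing three asterisks. Since the target is being restructured anyway, quote the banner (`@echo "*** Checking ..."`), and the same applies to the banner moved into check-logprof.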
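Review bot: the commit message says the check-logprof target makes environment assumptions that make it hard to run in a minimal chroot, but the new target in the hunk records none of them; a comment above `check-logprof:` naming those assumptions tells whoever runs `make check-parser` alone what they are skipping and why.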
[apparmor] [patch 1/9] profiles - fix make check
When I corrected the profiles/Makefile to automatically find files to install, I converted one variable name but missed a later location where that variable was used, which broke the 'make check' target, because directories would be handed to the apparmor parser. This patch corrects that and also makes the VERBOSE flag report each profile name as it's being handed to the parser. --- profiles/Makefile |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: b/profiles/Makefile === --- a/profiles/Makefile +++ b/profiles/Makefile @@ -81,12 +81,13 @@ LOGPROF=perl -I../utils/ ../utils/aa-log endif IGNORE_FILES=${EXTRAS_SOURCE}/README -CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*)) +CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*)) .PHONY: check check: @echo *** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser $(Q)for profile in ${CHECK_PROFILES} ; do \ + [ -n ${VERBOSE} ] echo Testing $${profile} ; \ ${PARSER} -S -b ${PWD}/apparmor.d $${profile} /dev/null || exit 1; \ done @echo *** Checking profiles from ${PROFILES_SOURCE} against logprof -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
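Review bot: in the added line `[ -n ${VERBOSE} ] echo Testing $${profile} ; \`, `${VERBOSE}` is unquoted, so when VERBOSE is unset the test collapses to `[ -n ]`, which is true, and the "Testing" line prints for every profile regardless of the flag; write `[ -n "${VERBOSE}" ]`. As rendered here the line also shows no `&&` between the test and the echo, and the following `${PARSER} -S -b ${PWD}/apparmor.d $${profile} /dev/null` shows no `>` before `/dev/null`; if those are mail-rendering losses, fine, but if the Makefile really reads this way the `[` command fails with "too many arguments" and `/dev/null` is handed to the parser as a second profile.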
[apparmor] [patch 5/9] profiles - update skype profile
Author: Jamie Strandboge ja...@canonical.com Bug-Ubuntu: https://launchpad.net/bugs/933440 Forwarded: yes This is a very slightly updated version of the skype profile update that Jamie Strandboge submitted, but did not get a review. The only addition over the previously submitted version is rw access to @{HOME}/.config/Skype/Skype.conf. --- profiles/apparmor/profiles/extras/usr.bin.skype | 75 ++-- 1 file changed, 58 insertions(+), 17 deletions(-) Index: b/profiles/apparmor/profiles/extras/usr.bin.skype === --- a/profiles/apparmor/profiles/extras/usr.bin.skype +++ b/profiles/apparmor/profiles/extras/usr.bin.skype 
@@ -1,40 +1,81 @@ -# Last Modified: Mon Oct 26 13:29:13 2009 -# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53 -# Additional profiling based on work by ÐндÑей Ðалинин, LP: #226624 +# Last Modified: Thu Jul 5 11:06:45 2009 +# Additional profiling based on work by: +# - ÐндÑей Ðалинин, LP: #226624 +# - Jamie Strandboge and Ivan Frederiks, LP: #933440 #include tunables/global /usr/bin/skype flags=(complain) { #include abstractions/audio #include abstractions/base + #include abstractions/dbus-session #include abstractions/fonts #include abstractions/freedesktop.org + #include abstractions/gnome + #include abstractions/ibus #include abstractions/kde #include abstractions/nameservice #include abstractions/nvidia + #include abstractions/ssl_certs #include abstractions/user-tmp #include abstractions/X - # are these needed? - /proc/*/cmdline r, + @{PROC}/sys/kernel/{ostype,osrelease} r, + @{PROC}/[0-9]*/net/arp r, + owner @{PROC}/[0-9]*/auxv r, + owner @{PROC}/[0-9]*/cmdline r, + owner @{PROC}/[0-9]*/fd/ r, + owner @{PROC}/[0-9]*/task/ r, + owner @{PROC}/[0-9]*/task/[0-9]*/stat r, + + /sys/devices/**/power_supply/**/online r, + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r, + + /dev/ r, + owner /{dev,run}/shm/pulse-shm* m, + /dev/snd/* m, /dev/video* mrw, + /var/cache/libx11/compose/* r, # should this be in a separate KDE abstraction? 
- @{HOME}/.kde/share/config/kioslaverc r, + owner @{HOME}/.kde/share/config/kioslaverc r, /usr/bin/skype mr, + /etc/xdg/sni-qt.conf rk, + /etc/xdg/Trolltech.conf rk, /usr/share/skype/** kr, + /usr/share/skype/**/*.qm mr, /usr/share/skype/sounds/*.wav kr, + /usr/lib/@{multiarch}/pango/** mr, - @{HOME}/.Skype/ rw, - @{HOME}/.Skype/** krw, - @{HOME}/.config/* kr, - - @{HOME}/.mozilla/ r, - @{HOME}/.mozilla/*/ r, - @{HOME}/.mozilla/*/*/ r, - @{HOME}/.mozilla/*/*/bookmarkbackups/ r, - @{HOME}/.mozilla/*/*/chrome/ r, - @{HOME}/.mozilla/*/*/extensions/ r, - @{HOME}/.mozilla/*/*/prefs.js r, + # For opening links in the browser (still requires explicit access to execute + # the browser) + /usr/bin/xdg-open ixr, + + owner @{HOME}/.Skype/ rw, + owner @{HOME}/.Skype/** krw, + owner @{HOME}/.config/ r, + owner @{HOME}/.config/*/ r, + owner @{HOME}/.config/Skype/Skype.conf rw, + owner @{HOME}/.config/Trolltech.conf kr, + + # Skype traverses the .mozilla directory and needs access to prefs.js + owner @{HOME}/.mozilla/ r, + owner @{HOME}/.mozilla/**/ r, + owner @{HOME}/.mozilla/*/*/prefs.js r, + + # Skype also looks around in these directories + /{,usr/,usr/local/}lib/ r, + + # Recent skype builds have an executable stack, so it tries to mmap certain + # files. Let's deny them for now. + deny /etc/passwd m, + deny /etc/group m, + deny /usr/share/fonts/** m, + + # Silence a few non-needed writes + deny /var/cache/fontconfig/ w, + deny owner @{HOME}/.fontconfig/ w, + deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w, } -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
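Review bot: the header hunk changes "Last Modified" from Mon Oct 26 13:29:13 2009 to `Thu Jul 5 11:06:45 2009`, which is earlier than the date it replaces, and 5 July 2009 was a Sunday; Thursday 5 July falls in 2012, so the year looks like a typo.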
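Review bot: `/usr/share/skype/**/*.qm mr,` grants mmap-exec on Qt translation files, which are plain data; the reason is the executable-stack behaviour the hunk explains only further down, above the `deny /etc/passwd m,` block ("Recent skype builds have an executable stack, so it tries to mmap certain files"). Move that comment up or add a one-line pointer next to the `.qm` rule, otherwise the next reader will wonder why data files need `m`, and consider whether `deny ... m` is the better answer for the `.qm` files too, as it is for the other data files the hunk lists.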
[apparmor] Fwd: Re: [patch 1/9] profiles - fix make check
Forgot to CC the list

-------- Original Message --------
Subject: Re: [apparmor] [patch 1/9] profiles - fix make check
Date: Tue, 18 Dec 2012 08:39:44 -0600
From: Jamie Strandboge ja...@canonical.com
To: Steve Beattie st...@nxnw.org

On 12/18/2012 08:17 AM, Steve Beattie wrote:
> When I corrected the profiles/Makefile to automatically find files to install, I converted one variable name but missed a later location where that variable was used, which broke the 'make check' target, because directories would be handed to the apparmor parser. This patch corrects that and also makes the VERBOSE flag report each profile name as it's being handed to the parser.

Acked-By: Jamie Strandboge ja...@canonical.com

-- 
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] [patch 2/9] profiles - separate out logprof checks from parser checks
On 12/18/2012 08:17 AM, Steve Beattie wrote:
> This patch separates out make check in the profiles/ directory into two sub targets, for checking profiles against the built parser and aa-logprof respectively. The logprof check currently makes some assumptions about the environment that make it difficult to run in a minimal chroot environment.

Acked-By: Jamie Strandboge ja...@canonical.com

-- 
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] [patch 3/9] profiles - nvidia abstraction cleanups
On 12/18/2012 08:17 AM, Steve Beattie wrote:
> This patch modifies the nvidia abstraction to add the livdpau wrapper config file for nvidia workarounds. It also converts the /proc/ rules to use the @{PROC} tunable. And finally, it converts the ubuntu-browsers.d/multimedia abstraction to use the nvidia abstraction.

This is much better than before. Thanks!

Acked-By: Jamie Strandboge ja...@canonical.com

-- 
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] [patch 6/9] profiles - add users XCompose file to X abstraction
On 12/18/2012 08:18 AM, Steve Beattie wrote:
> In testing the skype profile, I found access to my @{HOME}/.XCompose was being rejected. This patch updates the X abstraction to take a user's defined XCompose key shortcuts into account.

Acked-By: Jamie Strandboge ja...@canonical.com

-- 
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] [patch 7/9] profiles - finish @{PROC} conversion
On 12/18/2012 08:18 AM, Steve Beattie wrote:
> This patch finishes the conversion from /proc to the @{PROC} tunable within profiles and abstractions. It also adjusts some of the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict things to just the /proc/pid directories. (A followup patch will convert these to use @{pid} from the kernelvars tunable.)

Nice!

Acked-By: Jamie Strandboge ja...@canonical.com

-- 
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] [patch 9/9] profiles - dnsmasq: allow writes to /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager integration
On 12/18/2012 08:18 AM, Steve Beattie wrote:
> Author: Jamie Strandboge ja...@canonical.com
> Description: allow writes to /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager integration
> Bug-Ubuntu: https://launchpad.net/bugs/941808

Another implicitly ACKd by your submission patch which gets us to 2 ACKs.

Acked-By: Jamie Strandboge ja...@canonical.com

-- 
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] Learning apparmor
On 12/17/2012 05:29 PM, Christian Boltz wrote:
> Besides that, John forgot to mention Ux, Px and Cx (and Pix, Cix and PUx). They basically do the same as their lowercase counterparts, but are more secure because they clean the environment variables (LD_PRELOAD, PATH etc.) before executing the child program.
>
> In other words: It's recommended to use the uppercase variant of the exec rules (except if a program really needs unmodified environment variables).

It is recommended to use the uppercase variants, but keep in mind they do not clean out all environment variables, only those specified in glibc's secure-exec (ie, PATH is *not* scrubbed). I wrote up something a while back discussing this[1].

[1] https://wiki.ubuntu.com/SecurityTeam/AppArmorPolicyReview#Execute_rules

-- 
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] [patch 1/9] profiles - fix make check
On Tue, Dec 18, 2012 at 06:17:56AM -0800, Steve Beattie wrote: When I corrected the profiles/Makefile to automatically find files to install, I converted one variable name but missed a later location where that variable was used, which broke the 'make check' target, because directories would be handed to the apparmor parser. This patch corrects that and also makes the VERBOSE flag report each profile name as it's being handed to the parser. --- profiles/Makefile |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Acked-By: Seth Arnold seth.arn...@canonical.com Index: b/profiles/Makefile === --- a/profiles/Makefile +++ b/profiles/Makefile @@ -81,12 +81,13 @@ LOGPROF=perl -I../utils/ ../utils/aa-log endif IGNORE_FILES=${EXTRAS_SOURCE}/README -CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*)) +CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*)) .PHONY: check check: @echo *** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser $(Q)for profile in ${CHECK_PROFILES} ; do \ + [ -n ${VERBOSE} ] echo Testing $${profile} ; \ ${PARSER} -S -b ${PWD}/apparmor.d $${profile} /dev/null || exit 1; \ done @echo *** Checking profiles from ${PROFILES_SOURCE} against logprof -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor signature.asc Description: Digital signature -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [patch 4/9] profiles - fix apparmor_api abstractions
On Tue, Dec 18, 2012 at 06:17:59AM -0800, Steve Beattie wrote: The apparmor_api abstractions make the mistake of including tunables directly, which is a no-no since the variable definitions in tunables need to occur in the preamble of a profile, not embedded within it. This patch removes those includes, and replaces them documentation of tunables are necessary, as some of the expected ones are not part of tunables/global. It also adjust the kernelvars tunable's definition of the @{pid} regex, as the current parser does not support nesting of {} groupings, which breaks any profile that attempts to use the tunable. There's an extraneous comment left in, just use a pattern [0-9]{1,6}. That line might as well be deleted, you've got the better pattern immediately afterwards. But with or without that line deleted.. Acked-By: Seth Arnold seth.arn...@canonical.com --- profiles/apparmor.d/abstractions/apparmor_api/examine |4 ++-- profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint |5 +++-- profiles/apparmor.d/abstractions/apparmor_api/introspect |4 ++-- profiles/apparmor.d/abstractions/apparmor_api/is_enabled |4 ++-- profiles/apparmor.d/tunables/kernelvars |5 - 5 files changed, 13 insertions(+), 9 deletions(-) Index: b/profiles/apparmor.d/abstractions/apparmor_api/examine === --- a/profiles/apparmor.d/abstractions/apparmor_api/examine +++ b/profiles/apparmor.d/abstractions/apparmor_api/examine @@ -6,7 +6,7 @@ # # -- -#include tunables/proc -#include tunables/kernelvars +# Make sure to include at least tunables/proc and tunables/kernelvars +# when using this abstraction, if not tunables/global. @{PROC}/@{pids}/attr/{current,prev,exec} r, Index: b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint === --- a/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint +++ b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint 
@@ -8,6 +8,7 @@ #permissions needed for aa_find_mountpoint -#include tunables/proc +# Make sure to include at least tunables/proc and tunables/kernelvars +# when using this abstraction, if not tunables/global. -@{proc}/*/mounts r, +@{PROC}/@{pids}/mounts r, Index: b/profiles/apparmor.d/abstractions/apparmor_api/introspect === --- a/profiles/apparmor.d/abstractions/apparmor_api/introspect +++ b/profiles/apparmor.d/abstractions/apparmor_api/introspect @@ -6,7 +6,7 @@ # # -- -#include tunables/proc -#include tunables/kernelvars +# Make sure to include at least tunables/proc and tunables/kernelvars +# when using this abstraction, if not tunables/global. @{PROC}/@{tid}/attr/{current,prev,exec} r, Index: b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled === --- a/profiles/apparmor.d/abstractions/apparmor_api/is_enabled +++ b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled @@ -8,8 +8,8 @@ # permissions needed for aa_is_enabled -#include tunables/sys -#include tunables/apparmorfs +# Make sure to include at least tunables/sys and tunables/apparmorfs +# when using this abstraction, if not tunables/global. #include abstractions/apparmor_api/find_mountpoint @{sys}/module/apparmor/parameters/enabled r, Index: b/profiles/apparmor.d/tunables/kernelvars === --- a/profiles/apparmor.d/tunables/kernelvars +++ b/profiles/apparmor.d/tunables/kernelvars 
@@ -10,7 +10,10 @@ # that will become kernel vars at some point # until kernel vars are implemented just use a pattern [0-9]{1,6} -@{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},} +# and until the parser supports nested groupings like +# @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},} +# use +@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]} #same pattern as @{pid} for now @{tid}=@{pid} -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor signature.asc Description: Digital signature -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] Learning apparmor
On 12/18/2012 09:31 AM, Diane Trout wrote:
> Thank you for the quite detailed response to my first questions.
>
> Can you have overlapping rules in one file?

Within a profile overlapping rules have their permissions merged for the parts of the rules that overlap, except for exec qualifiers where the most specific one is chosen. Also apparmor rules are declarative so that order does not matter.

Oh and I suppose I should mention the deny prefix while I am at it. You can specify deny rules that remove/ensure certain privileges are not granted. Deny rules take precedence over allow rules and can be used to remove permissions from a broad allow rule. eg.

  deny /etc/shadow rw,
  allow /etc/* r,

> e.g.
>
>   profile spectrum-common /usr/bin/{spectrum2_manager,spectrum2} {
>     # access config file
>     /etc/sepectrum2/** r,
>   }
>
>   # manager should be able to launch children
>   /usr/bin/spectrum2_manager {
>     /usr/bin/spectrum2 rm,
>   }
>
>   #daemon should access net
>   /usr/bin/spectrum2 {
>     #include abstractions/nameservice
>   }
>
> If given that, would the spectrum-common rules apply to both?

Sorry, this is not supported currently. You would need to make an abstraction to share the rules.

> I'm also assuming that if there's a way to use it ix is also a good choice. (Especially if I want to wrap my pbuilder jobs).

Yes, ix is a good way to just write a generic profile. It is often used to do things like confine shells.

> Is there a more detailed explanation of the difference between P and C modes?

P/p - search for a profile in the namespace's list of profiles
C/c - search for a profile in the current profile's local list

The namespace's list of profiles is the set of profiles that are checked against when an unconfined application execs an application. In fact you can think of unconfined as having the following exec rule

  /** pix,

where if it doesn't find a matching profile it allows the exec, inheriting the unconfined profile.

The profile local list is never used unless specified by C/cx and allows for a profile to have custom helper profiles. Eg. Firefox may have a helper profile for evince that is different than the system evince profile.

The difference between P/p, and between C/c, is that P/C cause the secure exec flag to be set, which will cause glibc to remove some environment variables (eg. LD_PRELOAD). But others will not be touched (eg. PATH). I am not aware of a complete list of the environment variables that get touched beyond the glibc code itself. Note: this also relies on the linked C lib to actually do the clearing during early start up; if the application was linked against a C lib that doesn't support this then there is no difference between P/p nor C/c.

p/c - do not set the secure exec flag so glibc should not do any environment scrubbing.

P/C - are the safer options but sometimes wrapper scripts set environment variables to launch an application in a specific way, and they can break the scripts. Firefox used to do this and might still.

> The man page implies both require that there is a profile defined for the subprocess. One requires a profile, one requires a local profile.

Right, what this means is that the exec is failed if Px, px, Cx, cx do not find a profile that matches. If you want an exec to succeed regardless of whether a profile is present you need to specify what to do for a fallback, which is either

  i - inherit
  u - unconfined

so Pix, pix, Cix, cix, Pux, pux, Cux, cux
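As an added illustration (not code from this thread or from the AppArmor project), the following Python model ties together the rule semantics the thread touches on: the tunable expansion behind `@{PROC}` and the flat `@{pid}` alternation from patch 4/9, the looseness of the interim `@{PROC}/[0-9]*/` form from patch 7/9, and the merge-then-deny behaviour of overlapping file rules described in the reply above. The TUNABLES table and DEMO_RULES are constructed for the example (the real tunables/proc defines `@{PROC}` with a trailing slash, which is why runs of slashes are collapsed after expansion); the `owner` qualifier is parsed but not modelled, and apparmor_parser itself compiles policy to a DFA rather than matching with regular expressions.

```python
import re

# Constructed tunables modelled on tunables/proc, tunables/home and the six-digit
# @{pid} alternation from the kernelvars patch in this thread. As in the real
# files a value may list space-separated alternatives or reference a variable.
TUNABLES = {
    "PROC": "/proc/",
    "HOME": "/home/*/ /root/",
    "pid": "{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
           "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}",
    "tid": "@{pid}",
}
VAR_RE = re.compile(r"@\{([A-Za-z0-9_]+)\}")
GLOB_TOKEN = re.compile(r"\*\*|\*|\?|\[[^\]]*\]|\{|\}|,|.")

def expand_variables(pattern, tunables=TUNABLES, depth=0):
    """Resolve every @{NAME}; a multi-valued variable yields one pattern per value
    (as apparmor_parser does) and the '//' from '@{PROC}/x' collapses to '/'."""
    if depth > 16:
        raise ValueError("tunable expansion too deep (self-referential tunable?)")
    m = VAR_RE.search(pattern)
    if m is None:
        return [re.sub(r"/{2,}", "/", pattern)]
    if m.group(1) not in tunables:
        raise KeyError(f"undefined variable @{{{m.group(1)}}} in {pattern!r}")
    expanded = []
    for value in tunables[m.group(1)].split():
        candidate = pattern[:m.start()] + value + pattern[m.end():]
        expanded += expand_variables(candidate, tunables, depth + 1)
    return expanded

def glob_to_regex(pattern):
    """AppArmor globs: '**' crosses '/', '*' and '?' do not, '[...]' is a char
    class, '{a,b}' a one-level alternation (the 2012 parser did not nest braces)."""
    out, depth = [], 0
    for tok in GLOB_TOKEN.findall(pattern):
        if tok == "**":
            out.append(".*")
        elif tok in ("*", "?"):
            out.append("[^/]*" if tok == "*" else "[^/]")
        elif tok.startswith("["):            # character classes translate 1:1
            out.append(tok)
        elif tok in ("{", "}"):
            depth += 1 if tok == "{" else -1
            out.append("(?:" if tok == "{" else ")")
        elif tok == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(tok))
    return re.compile("^" + "".join(out) + "$")

def parse_rule(line):
    """'deny /etc/shadow rw,' -> (pattern, perms, deny); 'owner' is accepted but
    not modelled, since this toy knows nothing about file ownership."""
    tokens = line.strip().rstrip(",").split()
    deny = tokens[:1] == ["deny"]
    tokens = [t for t in tokens if t not in ("deny", "owner")]
    if len(tokens) != 2:
        raise ValueError(f"cannot parse file rule: {line!r}")
    return tokens[0], frozenset(tokens[1]), deny

def compile_rules(lines):
    """Expand tunables and compile every rule to (regex, perms, deny)."""
    return [(glob_to_regex(p), perms, deny)
            for pattern, perms, deny in map(parse_rule, lines)
            for p in expand_variables(pattern)]

def permissions(compiled, path):
    """Union of matching allow rules minus union of matching deny rules: deny
    wins, so 'deny /etc/shadow rw,' strips the 'r' that '/etc/* r,' grants."""
    allowed, denied = set(), set()
    for regex, perms, deny in compiled:
        if regex.match(path):
            (denied if deny else allowed).update(perms)
    return allowed - denied

# Constructed rule set built from lines quoted in this thread's patches.
DEMO_RULES = [
    "/etc/* r,",
    "deny /etc/shadow rw,",
    "/usr/share/skype/** kr,",             # overlapping allow rules ...
    "/usr/share/skype/**/*.qm mr,",        # ... merge their permissions
    "@{PROC}/[0-9]*/mounts r,",            # interim form from patch 7/9
    "@{PROC}/@{pid}/oom_adj rw,",          # the planned @{pid} form
    "owner @{HOME}/.kde{4,}/share/config/kioslaverc r,",
]
PROBE_PATHS = [
    "/etc/passwd", "/etc/shadow", "/usr/share/skype/lang/skype_de.qm",
    "/proc/1234/mounts", "/proc/1abc/mounts",   # [0-9]* = one digit, then anything
    "/proc/1234/oom_adj", "/proc/1abc/oom_adj", "/proc/0/oom_adj",
    "/proc/1234567/oom_adj",                    # @{pid}: digits only, no 0, max 6
    "/home/alice/.kde4/share/config/kioslaverc", "/root/.kde/share/config/kioslaverc",
]

def evaluate(rules=DEMO_RULES, paths=PROBE_PATHS):
    """Map each probe path to its effective permission string under the rules."""
    compiled = compile_rules(rules)
    return {p: "".join(sorted(permissions(compiled, p))) for p in paths}
```

`evaluate()` returns `r` for `/proc/1abc/mounts` under the `[0-9]*` rule but nothing for `/proc/1abc/oom_adj`, `/proc/0/oom_adj` or the seven-digit `/proc/1234567/oom_adj` under the `@{pid}` rule, and the two overlapping skype rules merge to `kmr` for the `.qm` file while the `deny` rule leaves `/etc/shadow` with no access.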
[apparmor] [patch] backport profile updates to 2.8 branch
Hello, the attached patch backports most of the profile updates we currently have in trunk to the 2.8 branch. Backported from trunk to the 2.8 branch: - additional/alternative paths in various abstractions - /bin/ping - /{usr/,}bin/ping - update mailinglist address in extra profiles README Not backported (= remaining differences): - move extra profiles to /usr/share/apparmor/extra-profiles/ (I doubt we should do this in a minor release) - capability block_suspend for usr.sbin.nscd (because the 2.8 parser doesn't support it - which is a problem on its own) Regards, Christian Boltz -- [Im Bugtracker nachsehen] Da weiss man gleich, ob die Software einen Bug hat, oder man selbst...[Franz Alt in suse-linux] Backported from trunk to the 2.8 branch: - additional/alternative paths in various abstractions - /bin/ping - /{usr/,}bin/ping - update mailinglist address in extra profiles README Not backported (= remaining differences): - move extra profiles to /usr/share/apparmor/extra-profiles/ (I doubt we should do this in a minor release) - capability block_suspend for usr.sbin.nscd (because the 2.8 parser doesn't support it) === modified file 'profiles/apparmor.d/abstractions/fonts' --- profiles/apparmor.d/abstractions/fonts 2012-03-02 21:08:03 + +++ profiles/apparmor.d/abstractions/fonts 2012-12-18 21:44:33 + @@ -37,8 +37,8 @@ @{HOME}/.fonts/ r, @{HOME}/.fonts/** r, @{HOME}/.fonts.cache-2 mr, - @{HOME}/.fontconfig/ r, - @{HOME}/.fontconfig/** mrl, + @{HOME}/.{,cache/}fontconfig/ r, + @{HOME}/.{,cache/}fontconfig/** mrl, @{HOME}/.fonts.conf.d/r, @{HOME}/.fonts.conf.d/** r, === modified file 'profiles/apparmor.d/abstractions/gnome' --- profiles/apparmor.d/abstractions/gnome 2012-01-11 13:17:32 + +++ profiles/apparmor.d/abstractions/gnome 2012-12-18 21:44:33 + 
@@ -83,3 +83,6 @@ # mime-types /etc/gnome/defaults.list r, /usr/share/gnome/applications/mimeinfo.cache r, + + # poppler CMap tables + /usr/share/poppler/cMap/** r, === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/java' --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2012-03-02 19:03:04 + +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2012-12-18 21:44:33 + @@ -4,9 +4,11 @@ owner @{HOME}/.java/deployment/deployment.properties k, /etc/java-*/ r, /etc/java-*/** r, - /usr/lib/jvm/java-6-openjdk*/jre/lib/*/IcedTeaPlugin.so mr, + /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/*/IcedTeaPlugin.so mr, /usr/lib/jvm/java-6-openjdk/jre/bin/java cx - browser_openjdk, /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx - browser_openjdk, + /usr/lib/jvm/java-7-openjdk/jre/bin/java cx - browser_openjdk, + /usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx - browser_openjdk, /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx - browser_java, /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx - browser_java, /usr/lib/j2*-ibm/jre/bin/java cx - browser_java, @@ -44,8 +46,8 @@ /var/lib/dbus/machine-id r, /usr/bin/env ix, -/usr/lib/jvm/java-6-openjdk*/jre/bin/java ix, -/usr/lib/jvm/java-6-openjdk*/jre/lib/i386/client/classes.jsa m, +/usr/lib/jvm/java-{6,7}-openjdk*/jre/bin/java ix, +/usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m, # Why would java need this? deny /usr/bin/gconftool-2 x, === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration' --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2012-01-17 14:00:56 + +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2012-12-18 21:44:34 + 
@@ -29,3 +29,6 @@ # Exo-aware applications /usr/bin/exo-open ixr, + /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, + /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, + /etc/xdg/xfce4/helpers.rc r, === modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers' --- profiles/apparmor.d/abstractions/ubuntu-helpers 2012-05-02 12:44:55 + +++ profiles/apparmor.d/abstractions/ubuntu-helpers 2012-12-18 21:44:34 + @@ -43,10 +43,11 @@ /bin/* Pixr, /sbin/* Pixr, /usr/bin/* Pixr, + /usr/local/bin/* Pixr, /usr/sbin/* Pixr, - # Allow exec of libexec applications in /usr/lib* - /usr/lib*/{,**/}* Pixr, + # Allow exec of libexec applications in /usr/lib* and /usr/local/lib* + /usr/{,local/}lib*/{,**/}* Pixr, # Allow exec of software-center scripts. We may need to allow wider # permissions for /usr/share, but for now just do this. (LP: #972367) @@ -65,7 +66,7 @@ # Full access / r, /** rwkl, - /{,usr/}lib{,32,64}/{,**/}*.so{,.*} m, + /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m, # Dangerous files audit deny owner /**/* m, # compiled libraries === modified file
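Review bot: the two new fontconfig rules in the abstractions/fonts hunk carry no owner prefix, so `@{HOME}/.{,cache/}fontconfig/** mrl,` lets the confined program mmap and link any file under another user's fontconfig cache that DAC already lets it reach; unless font caches are meant to be shared across home directories, `owner @{HOME}/.{,cache/}fontconfig/** mrl,` keeps the new alternation and matches the owner-prefixed @{HOME} rules used elsewhere in the abstractions.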
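Review bot: in the first ubuntu-browsers.d/java hunk the IcedTeaPlugin.so line is collapsed to `java-{6,7}-openjdk*`, but the two new java-7 `cx` lines repeat the java-6 lines word for word; `/usr/lib/jvm/java-{6,7}-openjdk/jre/bin/java` and `/usr/lib/jvm/java-{6,7}-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java` would halve that list and keep the two versions from drifting apart when the next JDK is added.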
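Review bot: the second java hunk still hard-codes `jre/lib/i386/client/classes.jsa m,` while the exec rules in the previous hunk also list amd64, armel, armhf and powerpc; if the class-data archive is wanted on those architectures the path needs a glob such as `jre/lib/*/client/classes.jsa`, otherwise a comment saying the i386 restriction is deliberate would stop the next reader from widening it by accident.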
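Review bot: `exo-helper-1` is given `ixr` in the ubuntu-integration hunk, so whatever it launches after reading helpers.rc runs under the calling browser's profile rather than its own; if the launched helper is meant to use its own profile where one exists, `Pixr` as used for the helper directories in abstractions/ubuntu-helpers is the consistent choice, and a comment stating which behaviour is intended would help either way.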
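Review bot: `/usr/local/sbin/*` is missing from the first ubuntu-helpers hunk: /usr/local/bin and /usr/local/lib* now get Pixr next to their /usr counterparts, but `/usr/sbin/* Pixr,` has no /usr/local/sbin equivalent; add `/usr/local/sbin/* Pixr,` or comment why it is left out so the /usr and /usr/local trees are treated the same way.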
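Review bot: the flat alternation `/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,` in the second ubuntu-helpers hunk is the right spelling for the 2.8 parser, which does not support nested `{}` groups (the @{pid} regex in the patch 4/9 thread hits the same limit); a short comment to that effect would stop a later cleanup from rewriting it as `{,usr/{,local/}}` and breaking the profile.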
Re: [apparmor] [patch 5/9] profiles - update skype profile
Hello,

I'm not using skype, but I have a comment on the patch nevertheless ;-)

On Tuesday, 18 December 2012, Steve Beattie wrote:
--- a/profiles/apparmor/profiles/extras/usr.bin.skype +++ b/profiles/apparmor/profiles/extras/usr.bin.skype [...] # should this be in a separate KDE abstraction? - @{HOME}/.kde/share/config/kioslaverc r, + owner @{HOME}/.kde/share/config/kioslaverc r,

KDE on openSUSE uses ~/.kde4/ - what about

owner @{HOME}/.kde{4,}/share/config/kioslaverc r,

(Note: I don't know if skype is clever enough to check ~/.kde4 ;-)

Regards,

Christian Boltz
--
...which then fails again in Polish, Czech and on Mars. :-) I have never needed those languages. And Mars has its own distro (for 21-suction-cup keyboards). [Ratti and Jan Trippler in suse-linux]
--
AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
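Review bot: the kioslaverc hunk only covers `~/.kde/`, so on installations that keep their KDE configuration in `~/.kde4/` (openSUSE, as the reply notes) the tightened rule never matches; `owner @{HOME}/.kde{4,}/share/config/kioslaverc r,` keeps the new owner restriction and expands to both directories, and because the 2.8 parser does not nest `{}` groups the alternation has to stay flat exactly like that.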
[apparmor] owner usage for @{HOME} rules
Hi all,

I am wondering why some of the profile abstractions are not using the owner prefix with the variable @{HOME} while many others do (and some mix both)? Some stats from my Ubuntu 12.04 box:

$ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstractions/kde:7
/etc/apparmor.d/abstractions/X:2
/etc/apparmor.d/abstractions/audio:3
/etc/apparmor.d/abstractions/libvirt-qemu:1
/etc/apparmor.d/abstractions/gnupg:6
/etc/apparmor.d/abstractions/fonts:8
/etc/apparmor.d/abstractions/gnome:12
/etc/apparmor.d/abstractions/bash:4
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
/etc/apparmor.d/abstractions/web-data:2

$ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstractions/X:1
/etc/apparmor.d/abstractions/audio:4
/etc/apparmor.d/abstractions/user-tmp:2
/etc/apparmor.d/abstractions/user-write:9
/etc/apparmor.d/abstractions/user-download:6
/etc/apparmor.d/abstractions/user-mail:9
/etc/apparmor.d/abstractions/enchant:2
/etc/apparmor.d/abstractions/ibus:3
/etc/apparmor.d/abstractions/ubuntu-media-players:2
/etc/apparmor.d/abstractions/xdg-desktop:4
/etc/apparmor.d/abstractions/user-manpages:3
/etc/apparmor.d/abstractions/freedesktop.org:12
/etc/apparmor.d/abstractions/base:1
/etc/apparmor.d/abstractions/aspell:1
/etc/apparmor.d/abstractions/cups-client:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
/etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1

Thanks in advance,

Simon
Re: [apparmor] [patch 2/9] profiles - separate out logprof checks from parser checks
On 12/18/2012 06:17 AM, Steve Beattie wrote:
This patch separates out make check in the profiles/ directory into two sub targets, for checking profiles against the built parser and aa-logprof respectively. The logprof check currently makes some assumptions about the environment that make it difficult to run in a minimal chroot environment.

err, While I like the idea I have problems with turning on check-logprof by default. logprof is out of date and needs updating; there are several profile elements it just does not handle at the moment. So unless we put the effort into fixing logprof I don't think that check should be on by default
[apparmor] Fwd: Re: owner usage for @{HOME} rules
Sigh, forgot to reply all...

Original Message
Subject: Re: [apparmor] owner usage for @{HOME} rules
Date: Tue, 18 Dec 2012 16:38:41 -0600
From: Jamie Strandboge ja...@canonical.com
To: Simon Deziel simon.dez...@gmail.com

On 12/18/2012 04:26 PM, Simon Deziel wrote:
Hi all,
I am wondering why some of the profile abstractions are not using the owner prefix with the variable @{HOME} while many others do (and some mix both)? Some stats from my Ubuntu 12.04 box:

$ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstractions/kde:7
/etc/apparmor.d/abstractions/X:2
/etc/apparmor.d/abstractions/audio:3
/etc/apparmor.d/abstractions/libvirt-qemu:1
/etc/apparmor.d/abstractions/gnupg:6
/etc/apparmor.d/abstractions/fonts:8
/etc/apparmor.d/abstractions/gnome:12
/etc/apparmor.d/abstractions/bash:4
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
/etc/apparmor.d/abstractions/web-data:2

$ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstractions/X:1
/etc/apparmor.d/abstractions/audio:4
/etc/apparmor.d/abstractions/user-tmp:2
/etc/apparmor.d/abstractions/user-write:9
/etc/apparmor.d/abstractions/user-download:6
/etc/apparmor.d/abstractions/user-mail:9
/etc/apparmor.d/abstractions/enchant:2
/etc/apparmor.d/abstractions/ibus:3
/etc/apparmor.d/abstractions/ubuntu-media-players:2
/etc/apparmor.d/abstractions/xdg-desktop:4
/etc/apparmor.d/abstractions/user-manpages:3
/etc/apparmor.d/abstractions/freedesktop.org:12
/etc/apparmor.d/abstractions/base:1
/etc/apparmor.d/abstractions/aspell:1
/etc/apparmor.d/abstractions/cups-client:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
/etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1

My guess is that most of the ones without explicit owner match predate 'owner' in apparmor.

It would be worthwhile to update the ones where it makes sense to do so. Eg, this one would for sure not be one we would want to add owner to:
/etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/ r,
/etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/** r,

Also, abstractions/ubuntu-browsers.d/user-files was intentional as well:
# Allow read to all files user has DAC access to and write access to all
# files owned by the user in $HOME.
@{HOME}/ r,
@{HOME}/** r,
owner @{HOME}/** w,
owner @{HOME}/Desktop/** r,

A quick glance at the others indicates they could probably be changed without issue.

--
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] [patch 4/9] profiles - fix apparmor_api abstractions
On 12/18/2012 06:17 AM, Steve Beattie wrote:
The apparmor_api abstractions make the mistake of including tunables directly, which is a no-no since the variable definitions in tunables need to occur in the preamble of a profile, not embedded within it. This patch removes those includes, and replaces them with documentation of which tunables are necessary, as some of the expected ones are not part of tunables/global. It also adjusts the kernelvars tunable's definition of the @{pid} regex, as the current parser does not support nesting of {} groupings, which breaks any profile that attempts to use the tunable.

So I'll ack it if you don't object to me reverting it when I fix the parser :)
Re: [apparmor] Fwd: Re: owner usage for @{HOME} rules
On 12-12-18 05:39 PM, Jamie Strandboge wrote:
Sigh, forgot to reply all...

Original Message
Subject: Re: [apparmor] owner usage for @{HOME} rules
Date: Tue, 18 Dec 2012 16:38:41 -0600
From: Jamie Strandboge ja...@canonical.com
To: Simon Deziel simon.dez...@gmail.com

On 12/18/2012 04:26 PM, Simon Deziel wrote:
Hi all,
I am wondering why some of the profile abstractions are not using the owner prefix with the variable @{HOME} while many others do (and some mix both)? Some stats from my Ubuntu 12.04 box:

$ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstractions/kde:7
/etc/apparmor.d/abstractions/X:2
/etc/apparmor.d/abstractions/audio:3
/etc/apparmor.d/abstractions/libvirt-qemu:1
/etc/apparmor.d/abstractions/gnupg:6
/etc/apparmor.d/abstractions/fonts:8
/etc/apparmor.d/abstractions/gnome:12
/etc/apparmor.d/abstractions/bash:4
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
/etc/apparmor.d/abstractions/web-data:2

$ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstractions/X:1
/etc/apparmor.d/abstractions/audio:4
/etc/apparmor.d/abstractions/user-tmp:2
/etc/apparmor.d/abstractions/user-write:9
/etc/apparmor.d/abstractions/user-download:6
/etc/apparmor.d/abstractions/user-mail:9
/etc/apparmor.d/abstractions/enchant:2
/etc/apparmor.d/abstractions/ibus:3
/etc/apparmor.d/abstractions/ubuntu-media-players:2
/etc/apparmor.d/abstractions/xdg-desktop:4
/etc/apparmor.d/abstractions/user-manpages:3
/etc/apparmor.d/abstractions/freedesktop.org:12
/etc/apparmor.d/abstractions/base:1
/etc/apparmor.d/abstractions/aspell:1
/etc/apparmor.d/abstractions/cups-client:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
/etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1

My guess is that most of the ones without explicit owner match predate 'owner' in apparmor.

Ah, that makes sense.

It would be worthwhile to update the ones where it makes sense to do so. Eg, this one would for sure not be one we would want to add owner to:
/etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/ r,
/etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/** r,

Yes, indeed.

Also, abstractions/ubuntu-browsers.d/user-files was intentional as well:
# Allow read to all files user has DAC access to and write access to all
# files owned by the user in $HOME.
@{HOME}/ r,
@{HOME}/** r,
owner @{HOME}/** w,
owner @{HOME}/Desktop/** r,

The rule owner @{HOME}/Desktop/** r, is superfluous isn't it?

A quick glance at the others indicates they could probably be changed without issue.

OK, so I'll try to send a patch here.

Thanks!
Simon
Re: [apparmor] Fwd: Re: owner usage for @{HOME} rules
On 12/18/2012 02:54 PM, Simon Deziel wrote:
On 12-12-18 05:39 PM, Jamie Strandboge wrote:
Sigh, forgot to reply all...

Original Message
Subject: Re: [apparmor] owner usage for @{HOME} rules
Date: Tue, 18 Dec 2012 16:38:41 -0600
From: Jamie Strandboge ja...@canonical.com
To: Simon Deziel simon.dez...@gmail.com

On 12/18/2012 04:26 PM, Simon Deziel wrote:
Hi all,
I am wondering why some of the profile abstractions are not using the owner prefix with the variable @{HOME} while many others do (and some mix both)? Some stats from my Ubuntu 12.04 box:

$ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstractions/kde:7
/etc/apparmor.d/abstractions/X:2
/etc/apparmor.d/abstractions/audio:3
/etc/apparmor.d/abstractions/libvirt-qemu:1
/etc/apparmor.d/abstractions/gnupg:6
/etc/apparmor.d/abstractions/fonts:8
/etc/apparmor.d/abstractions/gnome:12
/etc/apparmor.d/abstractions/bash:4
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
/etc/apparmor.d/abstractions/web-data:2

$ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstractions/X:1
/etc/apparmor.d/abstractions/audio:4
/etc/apparmor.d/abstractions/user-tmp:2
/etc/apparmor.d/abstractions/user-write:9
/etc/apparmor.d/abstractions/user-download:6
/etc/apparmor.d/abstractions/user-mail:9
/etc/apparmor.d/abstractions/enchant:2
/etc/apparmor.d/abstractions/ibus:3
/etc/apparmor.d/abstractions/ubuntu-media-players:2
/etc/apparmor.d/abstractions/xdg-desktop:4
/etc/apparmor.d/abstractions/user-manpages:3
/etc/apparmor.d/abstractions/freedesktop.org:12
/etc/apparmor.d/abstractions/base:1
/etc/apparmor.d/abstractions/aspell:1
/etc/apparmor.d/abstractions/cups-client:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
/etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
/etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1

My guess is that most of the ones without explicit owner match predate 'owner' in apparmor.

Ah, that makes sense.

It would be worthwhile to update the ones where it makes sense to do so. Eg, this one would for sure not be one we would want to add owner to:
/etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/ r,
/etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/** r,

Yes, indeed.

Also, abstractions/ubuntu-browsers.d/user-files was intentional as well:
# Allow read to all files user has DAC access to and write access to all
# files owned by the user in $HOME.
@{HOME}/ r,
@{HOME}/** r,
owner @{HOME}/** w,
owner @{HOME}/Desktop/** r,

The rule owner @{HOME}/Desktop/** r, is superfluous isn't it?

yes, it will get subsumed by @{HOME}/** r, and since permissions are accumulated the tighter owner restrictions will be lost.

A quick glance at the others indicates they could probably be changed without issue.

OK, so I'll try to send a patch here.

Thanks!
Simon
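Both halves of this thread can be checked mechanically: Simon's per-file counts of @{HOME} rules that lack `owner`, and the point at the end that `owner @{HOME}/Desktop/** r,` is swallowed by `@{HOME}/** r,` because AppArmor accumulates permissions across every matching rule. The script below is an added example written for this page, not code from AppArmor or from anyone on the list. It models only the file-rule syntax that appears in the quoted abstractions (an optional `owner` prefix, a path built on @{HOME}, `*`, `**` and one level of `{a,b}` alternation, a bare permission string), expands @{HOME} to a simplified `/home/*` rather than the tunable's `@{HOMEDIRS}/*/`, and uses the two abstractions quoted above as constructed input so it runs offline; `parse_rules`, `glob_to_regex`, `effective_perms`, `subsumed_owner_rules` and `count_unowned_home_rules` are names chosen here, not AppArmor APIs.

```python
import re
from collections import Counter

# Constructed input: the two abstractions quoted in the thread, embedded so the
# script runs offline. On a real box you would read /etc/apparmor.d/abstractions/*.
SAMPLE_ABSTRACTIONS = {
    "ubuntu-browsers.d/user-files": """
  # Allow read to all files user has DAC access to and write access to all
  # files owned by the user in $HOME.
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,
  owner @{HOME}/Desktop/** r,
""",
    "web-data": """
  @{HOME}/public_html/ r,
  @{HOME}/public_html/** r,
""",
}

# Assumption: tunables/home defines @{HOME} as @{HOMEDIRS}/*/; one glob over
# /home is enough to show the matching behaviour.
VARIABLES = {"HOME": "/home/*"}

# Only the rule shape used above: optional 'owner', a path starting with
# @{HOME}, and a permission string such as r, w or mrl.
RULE_RE = re.compile(r"^\s*(?P<owner>owner\s+)?(?P<path>@\{HOME\}\S*)\s+(?P<perms>[a-zA-Z]+),\s*$")


def parse_rules(text):
    """Return (owner_only, path_glob, perm_set) for every @{HOME} file rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("owner") is not None, m.group("path"), set(m.group("perms"))))
    return rules


def glob_to_regex(path_glob, variables=VARIABLES):
    """AppArmor path glob -> compiled regex. '**' crosses '/', '*' and '?' do
    not, '{a,b}' is a one-level alternation (all the 2.8 parser accepts)."""
    for name, value in variables.items():
        path_glob = path_glob.replace("@{%s}" % name, value)
    out, depth, i = [], 0, 0
    while i < len(path_glob):
        c = path_glob[i]
        if path_glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}":
            depth -= 1
            out.append(")")
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def effective_perms(rules, path, is_owner):
    """Union of every matching rule's permissions: grants accumulate, so a
    broad non-owner rule is never narrowed by a tighter owner rule."""
    perms = set()
    for owner_only, glob, rule_perms in rules:
        if owner_only and not is_owner:
            continue
        if glob_to_regex(glob).match(path):
            perms |= rule_perms
    return perms


def subsumed_owner_rules(rules):
    """Owner rules that add nothing: their path sits under a non-owner '/**'
    rule that already grants every permission they ask for (prefix check)."""
    found = []
    for owner_only, glob, perms in rules:
        if not owner_only:
            continue
        for other_owner, other_glob, other_perms in rules:
            if other_owner or not other_glob.endswith("/**"):
                continue
            if glob.startswith(other_glob[:-2]) and perms <= other_perms:
                found.append((glob, "".join(sorted(perms)), other_glob))
                break
    return found


def count_unowned_home_rules(abstractions):
    """Per-file count of @{HOME} rules without 'owner', like the first grep."""
    counts = Counter()
    for name, text in abstractions.items():
        counts[name] = sum(1 for owner_only, _, _ in parse_rules(text) if not owner_only)
    return counts
```

Running `subsumed_owner_rules(parse_rules(SAMPLE_ABSTRACTIONS["ubuntu-browsers.d/user-files"]))` reports exactly the `owner @{HOME}/Desktop/** r,` rule, and `effective_perms` on a non-owned file under Desktop returns `{'r'}` with or without that rule, which is the accumulation behaviour described in the last reply. The prefix check is deliberately syntactic; it catches the `/**` case from the thread but not every pattern overlap, so treat a clean run as a hint rather than a proof.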