Re: [apparmor] Too much noise

2017-12-07 Thread John Johansen
On 12/07/2017 02:00 PM, azu...@pobox.sk wrote:
> Hi,
> 
> I have this rule in my profile:
> owner /etc/passwd r,
> 
> The problem is that the application is running under lots of different UIDs and
> all of them are trying to access /etc/passwd (which is not needed; only the
> master process, running under root, needs it). How do I get rid of the noise in
> the logs? I cannot do 'deny /etc/passwd r' as it will also deny root (the master
> process) access to /etc/passwd.
> 

You can try an undocumented, unsupported, experimental feature that will be
supported in the future, but in a different form. Add the rule

  deny other /etc/passwd r,

This will deny access to tasks with uids that are not the owner of the file
(fsuid != file uid), and the deny will quiet logging because it is a known
denial.

The other way is to use two profiles: one for the master process and another for
all the other processes that should not be accessing the file. This can be
inconvenient to set up, though.


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
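Before relying on a rule that only quiets non-owner denials, it is worth confirming from the audit log that every denial for the file really comes from a task whose fsuid differs from the file's owning uid, and that the owner (root, for /etc/passwd) has never been refused. The Python below is an added example, not code from this thread or from the AppArmor project: it parses AppArmor audit lines, splits each (profile, path) group into owner and non-owner denials, and reports whether a `deny other` rule would cover exactly the noisy events. The log lines are constructed in AppArmor's audit format and the profile name /usr/sbin/app is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in AppArmor's audit format (not taken from the
# poster's system). fsuid is the accessing task's filesystem uid, ouid the
# uid owning the object; `owner` rules require the two to match.
SAMPLE_LOG = """\
type=AVC msg=audit(1512680001.100:301): apparmor="DENIED" operation="open" profile="/usr/sbin/app" name="/etc/passwd" pid=2001 comm="app" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=AVC msg=audit(1512680001.101:302): apparmor="DENIED" operation="open" profile="/usr/sbin/app" name="/etc/passwd" pid=2002 comm="app" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
type=AVC msg=audit(1512680001.102:303): apparmor="DENIED" operation="open" profile="/usr/sbin/app" name="/etc/passwd" pid=2003 comm="app" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=AVC msg=audit(1512680001.103:304): apparmor="DENIED" operation="open" profile="/usr/sbin/app" name="/etc/shadow" pid=2001 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one audit line into a dict; quoted values are unquoted."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def summarize_denials(log_text, profile=None):
    """
    Group DENIED events by (profile, name) and split each group into
    denials where the task owns the file (fsuid == ouid) and where it
    does not. Returns {(profile, name): {"owner": n, "other": n, "fsuids": Counter}}.
    """
    summary = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("apparmor") != "DENIED":
            continue
        if profile and ev.get("profile") != profile:
            continue
        key = (ev.get("profile"), ev.get("name"))
        entry = summary.setdefault(key, {"owner": 0, "other": 0, "fsuids": Counter()})
        if ev.get("fsuid") == ev.get("ouid"):
            entry["owner"] += 1
        else:
            entry["other"] += 1
        entry["fsuids"][ev.get("fsuid")] += 1
    return summary


def safe_to_deny_other(summary, profile, name):
    """
    True when every denial of `name` under `profile` came from a non-owner
    task: that is exactly the set of events a `deny other <name> r,` rule
    would quiet, and the owner has never been refused, so silencing them
    hides nothing the owner rule was meant to allow.
    """
    entry = summary.get((profile, name))
    return entry is not None and entry["other"] > 0 and entry["owner"] == 0


if __name__ == "__main__":
    s = summarize_denials(SAMPLE_LOG)
    for (prof, name), e in sorted(s.items()):
        print(f"{prof} {name}: owner={e['owner']} other={e['other']} "
              f"fsuids={dict(e['fsuids'])}")
    print("deny other /etc/passwd r, is safe:",
          safe_to_deny_other(s, "/usr/sbin/app", "/etc/passwd"))
```

On the constructed input, /etc/passwd is denied only to fsuids 1001 and 1002 (never to root), so the non-owner rule would quiet all of that noise; the /etc/shadow line, denied to fsuid 0 with ouid 0, is an owner denial that such a rule would not touch and that deserves a look rather than a silencer. To run it against a real system, feed the output of `journalctl -k` or /var/log/audit/audit.log into `summarize_denials` instead of `SAMPLE_LOG`.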


[apparmor] Too much noise

2017-12-07 Thread azurit

Hi,

I have this rule in my profile:
owner /etc/passwd r,

The problem is that the application is running under lots of different UIDs
and all of them are trying to access /etc/passwd (which is not needed;
only the master process, running under root, needs it). How do I get rid of
the noise in the logs? I cannot do 'deny /etc/passwd r' as it will also
deny root (the master process) access to /etc/passwd.


azur





Re: [apparmor] [profile] netstat: cannot open /proc/net/dev (permission denied.) Limited output.

2017-12-07 Thread Christian Boltz
Hello,

Am Mittwoch, 6. Dezember 2017, 22:20:41 CET schrieb Seth Arnold:
> On Wed, Dec 06, 2017 at 07:14:05PM +, daniel curtis wrote:

> > As we can see, there is a simple "DENIED" action referring to the
> > {PROC} folder. What do all of you think about adding something like
> > this to the netstat profile? (Which one is the better choice? I would
> > like to use the first rule, because it uses a new '@{pid}' type.)

> I strongly recommend using:
> 
> @{PROC}/@{pids}/net/dev r,

The profile already allows reading a dozen files there, and I'd guess 
netstat is _the_ tool to read files in those directories.

So, silly question - is there anything in @{PROC}/@{pids}/net/ that 
netstat should _not_ be allowed to read? (I'm not familiar with what all 
those files provide, so maybe there are some sensitive files netstat 
shouldn't be allowed to read.)

If nothing in @{PROC}/@{pids}/net/ is more sensitive than what we 
already allow to read, what about
@{PROC}/@{pids}/net/* r,
or even
@{PROC}/@{pids}/net/** r,
?


Regards,

Christian Boltz
-- 
> You mean the "personal experiences" of the people writing here, right?
> Then it's a good thing you didn't ask here what you should use to sort
> your mail, because otherwise the answer would probably have been procmail.
Hehe, 1:0 for you. [> Michael Meyer and Thorsten Haude on suse-linux]


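The practical difference between the two wildcards proposed above is whether the rule reaches into subdirectories: in AppArmor path globs, `*` matches any run of characters that does not contain `/`, while `**` also crosses `/`, so `@{PROC}/@{pids}/net/*` covers `net/dev` and `net/tcp` but not anything under `net/stat/`, which `@{PROC}/@{pids}/net/**` does cover. The Python below is an added example, not code from this thread or from the AppArmor project: it translates a simplified subset of the glob syntax to a regex and shows which of a set of constructed /proc paths each candidate rule matches. The expansions used for `@{PROC}` and `@{pids}` are simplified stand-ins for the tunables shipped in /etc/apparmor.d/tunables/, and the `{a,b}` alternation syntax is deliberately left out.

```python
import re

# Constructed paths in the shape of a /proc/<pid>/net tree (not taken
# from a real system; net/stat/ is a subdirectory on Linux).
SAMPLE_PATHS = [
    "/proc/4242/net/dev",
    "/proc/4242/net/tcp",
    "/proc/4242/net/unix",
    "/proc/4242/net/stat/arp_cache",
    "/proc/4242/net/stat/nf_conntrack",
    "/proc/4242/status",
    "/proc/net/dev",
]

# Simplified expansions of the two tunables used in the thread (assumption:
# the real definitions in /etc/apparmor.d/tunables/ are more elaborate).
VARIABLES = {
    "@{PROC}": "/proc",
    "@{pids}": "[0-9]*",
}


def apparmor_glob_to_regex(pattern):
    """
    Translate a subset of AppArmor path-glob syntax to an anchored regex.
    Covered: variable expansion, '*' (any run of characters not containing
    '/'), '**' (any run of characters including '/'), '?' (one non-'/'
    character) and '[...]' character classes. Alternation {a,b} is not
    handled in this simplified translator.
    """
    for var, val in VARIABLES.items():
        pattern = pattern.replace(var, val)
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if i + 1 < len(pattern) and pattern[i + 1] == "*":
                out.append(".*")       # '**' crosses directory boundaries
                i += 2
                continue
            out.append("[^/]*")        # '*' stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = pattern.find("]", i)
            if j == -1:
                out.append(re.escape(c))
            else:
                out.append(pattern[i:j + 1])   # pass the class through verbatim
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def matches(pattern, paths):
    """Return the subset of `paths` that the AppArmor path pattern covers."""
    rx = apparmor_glob_to_regex(pattern)
    return [p for p in paths if rx.match(p)]


if __name__ == "__main__":
    for rule in ("@{PROC}/@{pids}/net/dev",
                 "@{PROC}/@{pids}/net/*",
                 "@{PROC}/@{pids}/net/**"):
        print(rule)
        for p in matches(rule, SAMPLE_PATHS):
            print("   ", p)
```

Neither candidate matches /proc/net/dev (no pid component) or /proc/4242/status, so widening from `net/*` to `net/**` only adds the net/stat/ entries; whether those are acceptable for netstat to read is the question Christian raises, and the glob choice should follow that answer rather than the other way round.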