Re: [apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
On Fri, Jun 20, 2014 at 05:08:09PM -0500, Jamie Strandboge wrote:
> Hrmm, this was clearly an oversight on my part:
>
> [ Jamie Strandboge ]
> * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
>   Adjust the base abstraction for signals and ptrace mediation. Profiles
>   that use the base abstraction can deny any of the granted permissions to
>   achieve tighter confinement.
>
> I've taken a todo to post this to the list. Sorry...

No problem, thanks for pushing this. In any event, there is clearly
enough support for including it in the apache2-common abstraction, so I
went ahead and committed that patch as well.

-- 
Steve Beattie
http://NxNW.org/~steve/

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
On 06/20/2014 04:20 PM, Steve Beattie wrote:
> On Fri, Jun 20, 2014 at 10:17:26AM -0700, John Johansen wrote:
>> If any of the hats use the base provided abstraction they are going to
>> get signals and tracing from unconfined anyways.
>
> Not if they're using trunk's abstractions/base:
>
>   $ bzr up
>   All changes applied successfully.
>   Updated to revision 2542 of branch bzr+ssh://bazaar.launchpad.net/+branch/apparmor
>   $ grep signal profiles/apparmor.d/abstractions/base
>   $
>
> So we on the ubuntu side need to push the patch that adds that to
> abstractions/base.
>
Hrmm, this was clearly an oversight on my part:

[ Jamie Strandboge ]
* debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
  Adjust the base abstraction for signals and ptrace mediation. Profiles
  that use the base abstraction can deny any of the granted permissions to
  achieve tighter confinement.

I've taken a todo to post this to the list. Sorry...

-- 
Jamie Strandboge
http://www.ubuntu.com/
Re: [apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
On Fri, Jun 20, 2014 at 10:17:26AM -0700, John Johansen wrote:
> If any of the hats use the base provided abstraction they are going to
> get signals and tracing from unconfined anyways.

Not if they're using trunk's abstractions/base:

  $ bzr up
  All changes applied successfully.
  Updated to revision 2542 of branch bzr+ssh://bazaar.launchpad.net/+branch/apparmor
  $ grep signal profiles/apparmor.d/abstractions/base
  $

So we on the ubuntu side need to push the patch that adds that to
abstractions/base.

> So I think it makes sense to have this as the default for apache
> hats, and if the user really wants something tighter they will need
> to tweak policy.

I expect that most hats will include abstractions/base. And if they want
it tighter, then they can do as you say, tweak policy.

-- 
Steve Beattie
http://NxNW.org/~steve/
Re: [apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
On 06/18/2014 05:44 PM, Steve Beattie wrote:
> Allow apache hats to receive signals from unconfined.
>
> [I'm on the fence about this. On the one hand, unconfined should be able
> to kill things in hats. On the other, using apache2ctl/apachectl is
> preferred to shutdown apache, and it uses the apache binary itself (and
> the profile it runs under) to kill its children.]
>
Generally speaking, taking away signals from unconfined is unexpected and
can really break the system; it's really unexpected for most sysadmins.

So the general rule for includes has been to mimic the old unconfined
behavior, and if tighter confinement is needed then a profile can use
denies or not use the base includes we supply.

If any of the hats use the base provided abstraction they are going to
get signals and tracing from unconfined anyways.

So I think it makes sense to have this as the default for apache hats,
and if the user really wants something tighter they will need to tweak
policy.
Re: [apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
On Wed, Jun 18, 2014 at 05:44:03PM -0700, Steve Beattie wrote:
> Allow apache hats to receive signals from unconfined.
>
> [I'm on the fence about this. On the one hand, unconfined should be able
> to kill things in hats. On the other, using apache2ctl/apachectl is
> preferred to shutdown apache, and it uses the apache binary itself (and
> the profile it runs under) to kill its children.]

Without this, a sysadmin or automated monitoring tools attempting to send
signals to Apache will fail by default. For example, "pkill -U www-data"
wouldn't work. This is, I think, extremely unexpected.

Also, manipulating the system from "unconfined" has been a long-standing
"not protected" state in AppArmor (e.g. setting up hardlinks that bypass
path rules), so it seems strange to start trying to protect a profile
from "unconfined" only for signals.

-Kees

> ---
>  profiles/apparmor.d/abstractions/apache2-common |2 ++
>  1 file changed, 2 insertions(+)
>
> Index: b/profiles/apparmor.d/abstractions/apache2-common
> ===
> --- a/profiles/apparmor.d/abstractions/apache2-common
> +++ b/profiles/apparmor.d/abstractions/apache2-common
> @@ -4,6 +4,8 @@
>
>    #include
>
> +  # Allow unconfined processes to send us signals by default
> +  signal (receive) peer=unconfined,
>    # Allow apache to send us signals by default
>    signal (receive) peer=/usr/sbin/apache2,
>    # Allow us to signal ourselves

-- 
Kees Cook
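As an added example (not code from the AppArmor project or from anyone in this thread), the script below puts the failure mode Kees describes and the escape hatch John describes into working form. It parses the kernel audit lines AppArmor emits when signal mediation denies a delivery and turns each into the narrowest matching rule: either the allow a sysadmin would add so that something like "pkill -U www-data" works again, or the deny a profile can carry to override a broad `signal (receive) peer=unconfined,` grant inherited from an abstraction (in AppArmor an explicit deny wins over an allow for the same access, which is why the thread's "use denies to tighten" advice works even when the grant lives in a shared include). The log lines are constructed for the example; the field layout (`apparmor="DENIED" operation="signal" profile="..." comm="..." requested_mask="receive" signal=term peer="unconfined"`) is assumed from the kernel audit format used once signal mediation is enabled, with hats appearing as `profile//hat`.

```python
"""Turn AppArmor signal-mediation denials into candidate policy rules.

Added example, not AppArmor project code. Assumes the kernel audit format
for signal denials:
  apparmor="DENIED" operation="signal" profile="<label>" pid=N comm="<sender>"
  requested_mask="receive" denied_mask="receive" signal=<name> peer="<label>"
The sample lines at the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# One key=value pair; values are either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class SignalDenial:
    profile: str   # confined label that was denied; hats look like "<profile>//<hat>"
    comm: str      # process that made the kill(2)/tkill(2) call
    access: str    # "receive" or "send"
    signal: str    # signal name as AppArmor logs it, e.g. "term", "hup"
    peer: str      # label on the other side; "unconfined" for unconfined peers


def parse_signal_denial(line: str) -> Optional[SignalDenial]:
    """Return a SignalDenial for a denied signal event, None for anything else."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        return None
    try:
        return SignalDenial(
            profile=fields["profile"],
            comm=fields["comm"],
            access=fields["requested_mask"],
            signal=fields["signal"],
            peer=fields["peer"],
        )
    except KeyError:
        return None  # truncated or unexpected line: skip rather than guess


def signal_rule(d: SignalDenial, deny: bool = False) -> str:
    """Render the narrowest rule matching this denial.

    deny=True gives the form a profile (or hat) uses to override a broad
    'signal (receive) peer=unconfined,' grant pulled in from an abstraction.
    """
    rule = f"signal ({d.access}) set=({d.signal}) peer={d.peer},"
    return f"deny {rule}" if deny else rule


def suggest_rules(lines: Iterable[str], deny: bool = False) -> Dict[str, List[str]]:
    """Group unique suggested rules by the confined profile or hat."""
    out: Dict[str, Set[str]] = {}
    for line in lines:
        d = parse_signal_denial(line)
        if d is None:
            continue
        out.setdefault(d.profile, set()).add(signal_rule(d, deny))
    return {profile: sorted(rules) for profile, rules in out.items()}


# Constructed sample: two denials from an unconfined pkill, one from a confined
# monitor, and one unrelated file denial that must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1403298000.101:201): apparmor="DENIED" operation="signal" profile="/usr/sbin/apache2//DEFAULT_URI" pid=2345 comm="pkill" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
audit: type=1400 audit(1403298000.102:202): apparmor="DENIED" operation="signal" profile="/usr/sbin/apache2//DEFAULT_URI" pid=2346 comm="pkill" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
audit: type=1400 audit(1403298000.103:203): apparmor="DENIED" operation="signal" profile="/usr/sbin/apache2//DEFAULT_URI" pid=2345 comm="monit" requested_mask="receive" denied_mask="receive" signal=hup peer="/usr/bin/monit"
audit: type=1400 audit(1403298000.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2//DEFAULT_URI" name="/etc/shadow" pid=2345 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG.splitlines()).items():
        print(f"{profile} {{")
        for r in rules:
            print(f"  {r}")
        print("}")
```

Run against a real system, feed it `journalctl -k` or the audit log instead of SAMPLE_LOG; the `deny=True` output is what you would paste into a hat that includes apache2-common but should not be killable from unconfined.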
Re: [apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
On Wed, Jun 18, 2014 at 05:44:03PM -0700, Steve Beattie wrote:
> Allow apache hats to receive signals from unconfined.
>
> [I'm on the fence about this. On the one hand, unconfined should be able
> to kill things in hats. On the other, using apache2ctl/apachectl is
> preferred to shutdown apache, and it uses the apache binary itself (and
> the profile it runs under) to kill its children.]

I could imagine the deployment where enforcing apachectl use would make
sense but there's lots of reasons why someone would send signals to
Apache processes beyond shutting down. I think this patch makes more
sense for more people.

Acked-by: Seth Arnold

Thanks

> ---
>  profiles/apparmor.d/abstractions/apache2-common |2 ++
>  1 file changed, 2 insertions(+)
>
> Index: b/profiles/apparmor.d/abstractions/apache2-common
> ===
> --- a/profiles/apparmor.d/abstractions/apache2-common
> +++ b/profiles/apparmor.d/abstractions/apache2-common
> @@ -4,6 +4,8 @@
>
>    #include
>
> +  # Allow unconfined processes to send us signals by default
> +  signal (receive) peer=unconfined,
>    # Allow apache to send us signals by default
>    signal (receive) peer=/usr/sbin/apache2,
>    # Allow us to signal ourselves
[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
Allow apache hats to receive signals from unconfined.

[I'm on the fence about this. On the one hand, unconfined should be able
to kill things in hats. On the other, using apache2ctl/apachectl is
preferred to shutdown apache, and it uses the apache binary itself (and
the profile it runs under) to kill its children.]

---
 profiles/apparmor.d/abstractions/apache2-common |2 ++
 1 file changed, 2 insertions(+)

Index: b/profiles/apparmor.d/abstractions/apache2-common
===
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@@ -4,6 +4,8 @@
 
   #include
 
+  # Allow unconfined processes to send us signals by default
+  signal (receive) peer=unconfined,
   # Allow apache to send us signals by default
   signal (receive) peer=/usr/sbin/apache2,
   # Allow us to signal ourselves
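Review bot: the added `signal (receive) peer=unconfined,` carries no `set=` qualifier, so it admits every signal from any unconfined process, and the comment's "by default" gives a reader no hint of how a profile narrows that; since the thread's stated escape hatch is an explicit deny in the profile or hat, say so in the comment next to the rule, e.g. `# tighten with: deny signal (receive) peer=unconfined,`, and note that the deny overrides this grant even though the grant lives in a shared abstraction. The placement is otherwise consistent with the existing `peer=/usr/sbin/apache2` rule below it.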