[apparmor] [PATCH] private-files should disallow writing to .pki so files

[Jamie Strandboge]

From the bug[1]:

It was discovered that nss will try to load .so files from
~/.pki/nssdb/. Eg:
open("/home/<username>/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT
(No such file or directory)

The private-files abstraction should explicitly deny writes to this
directory. Since nss also stores certificates, etc in this directory,
should use something like:
  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,

Attached is a patch to achieve this (and fixes 2 spelling errors).

[1]https://launchpad.net/bugs/911847

-- 
Jamie Strandboge             | http://www.canonical.com

Author: Jamie Strandboge <ja...@canonical.com>
Description: Disallow writing and linking to @{HOME}/.pki/nssdb/ .so files
Bug-Ubuntu: https://launchpad.net/bugs/911847
Forwarded: yes
Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files
===================================================================
--- apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/private-files	2011-04-18 08:55:50.000000000 -0500
+++ apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files	2012-01-04 10:23:11.000000000 -0600
@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
-# privacy-violations contains rules for common files that you want to explicity
-# deny access
+# privacy-violations contains rules for common files that you want to
+# explicitly deny access
 
   # privacy violations (don't audit files under $HOME otherwise get a
   # lot of false positives when reading contents of directories)
@@ -16,6 +16,7 @@
   audit deny @{HOME}/bin/** wl,
   audit deny @{HOME}/.config/autostart/** wl,
   audit deny @{HOME}/.kde/Autostart/** wl,
+  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
 
   # don't allow reading/updating of run control files
   deny @{HOME}/.*rc mrk,
Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files-strict
===================================================================
--- apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/private-files-strict	2011-01-07 10:44:47.000000000 -0600
+++ apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files-strict	2012-01-04 10:23:33.000000000 -0600
@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 # privacy-violations-strict contains additional rules for sensitive
-# files that you want to explicity deny access
+# files that you want to explicitly deny access
 
   #include <abstractions/private-files>
 

signature.asc
Description: This is a digitally signed message part

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor