On Wed, Jan 04, 2012 at 10:43:31AM -0600, Jamie Strandboge wrote:
> From the bug[1]:
>
> It was discovered that nss will try to load .so files from
> ~/.pki/nssdb/. Eg:
> open("/home/<username>/.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT
> (No such file or directory)
>
> The private-files abstraction should explicitly deny writes to this
> directory. Since nss also stores certificates, etc in this directory,
> should use something like:
> audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
>
> Attached is a patch to achieve this (and fixes 2 spelling errors).Acked-By: Steve Beattie <[email protected]> for both trunk and the apparmor 2.7 branch. Thanks! > Author: Jamie Strandboge <[email protected]> > Description: Disallow writing and linking to @{HOME}/.pki/nssdb/ .so files > Bug-Ubuntu: https://launchpad.net/bugs/911847 > Forwarded: yes > Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files > =================================================================== > --- apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/private-files > 2011-04-18 08:55:50.000000000 -0500 > +++ apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files > 2012-01-04 10:23:11.000000000 -0600 > @@ -1,6 +1,6 @@ > # vim:syntax=apparmor > -# privacy-violations contains rules for common files that you want to > explicity > -# deny access > +# privacy-violations contains rules for common files that you want to > +# explicitly deny access > > # privacy violations (don't audit files under $HOME otherwise get a > # lot of false positives when reading contents of directories) > @@ -16,6 +16,7 @@ > audit deny @{HOME}/bin/** wl, > audit deny @{HOME}/.config/autostart/** wl, > audit deny @{HOME}/.kde/Autostart/** wl, > + audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl, > > # don't allow reading/updating of run control files > deny @{HOME}/.*rc mrk, > Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files-strict > =================================================================== > --- apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/private-files-strict > 2011-01-07 10:44:47.000000000 -0600 > +++ apparmor-2.7.0/profiles/apparmor.d/abstractions/private-files-strict > 2012-01-04 10:23:33.000000000 -0600 > @@ -1,6 +1,6 @@ > # vim:syntax=apparmor > # privacy-violations-strict contains additional rules for sensitive > -# files that you want to explicity deny access > +# files that you want to explicitly deny access > > #include <abstractions/private-files> > -- Steve Beattie <[email protected]> http://NxNW.org/~steve/
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
