On Mon, Mar 11, 2013 at 09:12:57PM +0400, "Артём Н." wrote:
> I can't find profiles for some programs, which I use.
> I use Debian OS and make profiles for it, but I hope, if they will be included
> in ubuntu packages, one time they will migrate from ubuntu to Debian. :-)

Thanks for this :) Probably easiest long-term is to file merge requests (like
this one https://code.launchpad.net/~sdeziel/apparmor-profiles/fix-for-lp1133409/+merge/150605
though I'll admit using these tools is new for me...)

> And I have some questions, for example: can I allow access to the file, if I
> deny it earlier?

What do you mean? If you use the 'deny' keyword, it takes precedence over the
allowed permissions. (It's a cheap-o way to let users write .. less than
optimal policies such as for Firefox while still protecting e.g. ~/.ssh/ or
~/.gnupg/.)

> Dict:
> # vim:syntax=apparmor
> # Last Modified: Sun Mar 10 20:19:24 2013
> # Author: Artiom N. <[email protected]>
> #include <tunables/global>
>
> /usr/sbin/dictd {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
>
>   capability net_bind_service,
>   capability setuid,
>   capability setgid,
>
>   /etc/dictd/** mr,
>   /etc/group mr,
>   /usr/share/dictd/** mr,
>   /usr/sbin/dictd mr,
>   /var/lib/dictd/** mrk,
>   owner /var/run/dictd.pid mrwk,
>   owner /run/dictd.pid mrwk,
> }

This is nice, I've now got this on my Ubuntu 12.10 system and made some
queries successfully.

> DNSCrypt:
> # Last Modified: Fri Mar 8 15:24:34 2013
> #include <tunables/global>
>
> /usr/sbin/dnscrypt-proxy {
>   #include <abstractions/base>
>
>   capability sys_resource,
>   capability dac_override,
>   capability setgid,
>   capability setuid,
>   capability sys_chroot,
>   capability net_bind_service,
>   capability net_admin,
>   network inet udp,
>
>   /etc/nsswitch.conf r,
>   /etc/passwd r,
>   /usr/sbin/dnscrypt-proxy mr,
>   /var/lib/dnscrypt rwk,
> }

Untested, not looked into how to test...

> Fix for the usr/sbin/unbound:
> /{,var/}run/unbound.pid rw,
> + /run/unbound.pid rw,

That's odd; the first should actually match the second. Can you reproduce this
problem?

> My profile for the firefox, I think it works correctly (now it includes some
> trash):
> ...
These are a bit difficult to grasp; the permissions you removed by commenting
out abstractions are easy enough to understand -- but removing permissions in
profiles is difficult to do, since we don't want an update to break existing
users. That's not to say every user needs overly permissive profiles, just that
people who want tighter profiles than we ship are probably not going to be
sharing or deploying others' profiles -- they'll want profiles tailored to their
own environment. On the other hand, if you had to add permissions to the
profiles, that'd be nice to know.

Thanks
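As an added illustration (not code from this thread or from the apparmor-profiles project), a small Python matcher for AppArmor path globs that checks the two points discussed above: that `/{,var/}run/unbound.pid` already covers `/run/unbound.pid`, and that a `deny` rule takes precedence over an `allow` for the same path. The rule set and paths are constructed; character classes and the `owner` qualifier are not modelled.

```python
import re
# Added example: an AppArmor path-glob matcher and a minimal allow/deny
# evaluator. Character classes and the 'owner' qualifier are not modelled.

def glob_to_regex(glob):
    """'**' spans '/', '*' and '?' do not, '{a,b}' is alternation."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "," and depth:
            out.append("|")
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def path_matches(glob, path):
    """True when the AppArmor glob covers the absolute path."""
    return re.match(glob_to_regex(glob), path) is not None

def access_allowed(rules, path, perm):
    """Rules are (kind, glob, perms). A matching 'deny' wins over any
    matching 'allow'; with no matching allow the access is refused."""
    allowed = False
    for kind, glob, perms in rules:
        if perm in perms and path_matches(glob, path):
            if kind == "deny":
                return False
            allowed = True
    return allowed

# Constructed rule set (hypothetical): loose home access, ~/.ssh denied.
EXAMPLE_RULES = [
    ("allow", "/home/*/**", "rw"),
    ("deny", "/home/*/.ssh/**", "rw"),
]
```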
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
