On Tue, May 14, 2013 at 06:13:23PM +0300, Kaan Özdinçer wrote:
> We talked about meeting with cboltz and he wrote me an email below.
> Because of that, I tried to make an AppArmor profile for *mtr*.
For confinement purposes, mtr is a nice, well-contained, and alas,
setuid root, program. Depending on your interests, it may be
interesting to see the issues around confining something more complex.
This profile looks good, though a couple of things:
> #include <tunables/global>
>
> /usr/sbin/mtr {
On debian/ubuntu, the path is /usr/bin/mtr, so changing the above to
/usr/{s,}bin/mtr
would work there as well.
> #include <abstractions/base>
> #include <abstractions/nameservice>
>
>
> capability net_raw,
> capability setgid,
> capability setuid,
>
> network inet raw,
> network inet6 raw,
>
>
> /usr/sbin/mtr mr,
Same path issue here.
> /usr/share/terminfo/x/xterm r,
I didn't end up needing this; however, my testing was with the X-less
version in the debian/ubuntu mtr-tiny package. More likely, you might
want to grant read access to /usr/share/terminfo/**, to compensate
for different terminal types.
>
> }
--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
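To make the two suggestions above concrete, here is an added example (not code from the thread or from the AppArmor project): a small Python model of AppArmor path globbing applied to the posted profile with the `/usr/{s,}bin/mtr` path and the `/usr/share/terminfo/**` glob substituted. It shows which paths each rule covers; the matcher is a simplified assumption (no character classes or nested braces) and the real authority remains apparmor_parser.

```python
import re

# Constructed profile: the posted mtr profile with both suggestions from the
# reply applied (the {s,} path alternation and the terminfo/** glob).
PROFILE = """
#include <tunables/global>

/usr/{s,}bin/mtr {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setgid,
  capability setuid,

  network inet raw,
  network inet6 raw,

  /usr/{s,}bin/mtr mr,
  /usr/share/terminfo/** r,
}
"""

def glob_to_regex(pattern):
    """Simplified model of AppArmor path globbing: '*' stops at '/',
    '**' crosses '/', '?' is one non-'/' char, '{a,b}' is alternation.
    Character classes and nested braces are not handled (assumption)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def path_matches(rule_path, path):
    """True when an AppArmor file rule path covers the given absolute path."""
    return re.fullmatch(glob_to_regex(rule_path), path) is not None

def file_rules(profile_text):
    """Extract (path, mode) pairs from file rules such as '/usr/bin/mtr mr,'."""
    return re.findall(r"^\s*(/\S+)\s+([A-Za-z]+),\s*$", profile_text, re.M)

def granted_perms(profile_text, path):
    """Union of permission letters every matching file rule grants to path."""
    perms = set()
    for rule_path, mode in file_rules(profile_text):
        if path_matches(rule_path, path):
            perms.update(mode)
    return "".join(sorted(perms))
```

With the original single `/usr/sbin/mtr` rule, `granted_perms` for `/usr/bin/mtr` would be empty, which is exactly the Debian/Ubuntu breakage described above.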
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
