On 08/27/2014 04:34 PM, Jamie Strandboge wrote:

> Starting a subthread for some additions to John's patches. This series assumes
> John's 12 patches are applied and includes updates to the apparmor.d man page
> and some policy updates. I expect I might have to adjust this a bit, but wanted
> to send it up for comment. Let's have an ACK mean to apply it once it is safe
> to do so.
> 

Attached is a patch for:
 - the base abstraction for common abstract and anonymous rules (comments
   included per rule)
 - dbus-session-strict to add a rule for connecting to the dbus session abstract
   socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
   explicit label if people preferred that
 - X to add a rule for connecting to the X abstract socket. Same as for
   dbus-session-strict
 - nameservice to add a rule for connecting to a netlink raw. This change could
   possibly be excluded, but applications using networking (at least on Ubuntu)
   all seem to need it. Excluding it would mean systems using nscd would need to
   add this and ones not using it would have a noisy denial


-- 
Jamie Strandboge                 http://www.ubuntu.com/

Author: Jamie Strandboge <[email protected]>
Description: update policy for abstract sockets. Man page updates

Conversion of s/path/addr/ in rules by Steve Beattie
  <[email protected]>

---
 profiles/apparmor.d/abstractions/X                   |    3 +++
 profiles/apparmor.d/abstractions/base                |   12 ++++++++++++
 profiles/apparmor.d/abstractions/dbus-session-strict |    4 ++++
 3 files changed, 19 insertions(+)

Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
===================================================================
--- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/base
+++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
@@ -122,6 +122,18 @@
   # Checking for PID existence is quite common so add it by default for now
   signal (receive, send) set=("exists"),
 
+  # Allow us to create and use abstract and anonymous sockets
+  unix peer=(label=@{profile_name}),
+
+  # Allow unconfined processes to us via unix sockets
+  unix (receive) peer=(label=unconfined),
+
+  # Allow us to create abstract and anonymous sockets
+  unix (create),
+
+  # Allow us to getattr and shutdown for anonymous sockets
+  unix (getattr, shutdown) peer=(addr=none),
+
   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
   # filesystems generally. This does not appreciably decrease security with
   # Ubuntu profiles because the user is expected to have access to files owned
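Review bot: the comment on the `unix (receive) peer=(label=unconfined),` rule, "Allow unconfined processes to us via unix sockets", is missing its verb; "Allow unconfined processes to send to us via unix sockets" is what the receive permission actually grants. The comment on the first rule, "Allow us to create and use abstract and anonymous sockets", also overlaps with the separate `unix (create),` rule two entries below; since `unix peer=(label=@{profile_name}),` carries no access list it grants every unix permission to peers carrying our own label, and the comment should say that rather than "create and use".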
Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
===================================================================
--- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/dbus-session-strict
+++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
@@ -13,6 +13,10 @@
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
+  unix (connect, receive, send)
+       type=stream
+       peer=(label=unconfined,addr="@/tmp/dbus-*"),
+
   dbus send
        bus=session
        path=/org/freedesktop/DBus
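Review bot: `label=unconfined` in the peer conditional ties this abstraction to an unconfined dbus-daemon; on any system that confines the session bus, every profile that includes dbus-session-strict would be denied the `connect` to `@/tmp/dbus-*`. The cover letter already offers to drop the explicit label, and that is the safer default for a shared abstraction: use `peer=(addr="@/tmp/dbus-*")` here, or keep the label and add a comment recording that an unconfined session bus is assumed.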
Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
===================================================================
--- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/X
+++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
@@ -22,6 +22,9 @@
 
   # the unix socket to use to connect to the display
   /tmp/.X11-unix/*           w,
+  unix (connect, receive, send)
+       type=stream
+       peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),
 
   /usr/include/X11/               r,
   /usr/include/X11/**             r,
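Review bot: the new unix rule has no comment, unlike the `/tmp/.X11-unix/* w,` file rule directly above it; a one-line comment saying that the path rule covers the filesystem socket while this rule covers the abstract socket of the same name (the `@` prefix) would stop the next reader from treating the two as duplicates. As in dbus-session-strict, `label=unconfined` here means a confined X server becomes unreachable from every profile using this abstraction; either drop the label or record in the comment why it is required.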
Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
===================================================================
--- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/nameservice
+++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
@@ -87,5 +87,8 @@
   network inet  dgram,
   network inet6 dgram,
 
+  # Netlink raw needed for nscd
+  network netlink raw,
+
   # interface details
   @{PROC}/@{pid}/net/route r,
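Review bot: the comment "Netlink raw needed for nscd" is narrower than the justification given in the cover letter, which says that applications using networking on Ubuntu all seem to need this regardless of nscd and that leaving it out would cause a noisy denial on systems not running nscd; the comment should state that broader reason so nobody later removes the rule on a system without nscd. Separately, the diffstat at the top of the patch lists three files and 19 insertions and does not include this nameservice hunk; regenerate it before committing.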

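As an added illustration (not part of Jamie's patch or of the AppArmor project) of what the `addr=` conditionals in the rules above actually match: the script below creates an abstract socket, an anonymous socketpair and a filesystem socket, renders each local address in the `@name` / `none` / path notation the unix rules use, and checks the results against the patterns from the patch using an fnmatch approximation of AppArmor's globbing. It assumes Linux (abstract sockets are Linux-only); the socket names are made up for the demonstration.

```python
# Added example, not from the patch or the AppArmor project: how the address
# the kernel reports for a unix socket maps onto the addr= conditional in the
# unix rules ('@name' for abstract sockets, 'none' for unnamed ones, a path
# otherwise).  Linux only; socket names used here are made up for the demo.
import fnmatch
import os
import socket
import tempfile


def apparmor_addr(sock):
    """Render sock's local address in the notation the unix rules use.

    Linux returns an abstract-namespace address as bytes with a leading NUL
    byte; AppArmor writes that as '@name'.  An unbound or socketpair() socket
    has no name at all, which the rules spell 'none'.  Anything else is a
    filesystem path.
    """
    name = sock.getsockname()
    if isinstance(name, bytes):
        if name.startswith(b"\0"):
            return "@" + name[1:].decode(errors="replace")
        name = name.decode(errors="replace")
    return name if name else "none"


def addr_matches(rule_addr, actual):
    """Approximate AppArmor's addr= matching with fnmatch globbing.

    Sufficient for the patterns in the patch ('@/tmp/dbus-*',
    '@/tmp/.X11-unix/X[0-9]*', 'none').  AppArmor's own globbing differs in
    corner cases (e.g. its '*' does not cross '/').  Abstract names and
    filesystem paths are separate namespaces, so '@/tmp/x' never matches '/tmp/x'.
    """
    if rule_addr == "none":
        return actual == "none"
    return fnmatch.fnmatchcase(actual, rule_addr)


def demo():
    """Create one socket of each kind and report their rule-style addresses."""
    out = {}

    # 1. abstract socket, bound the way a session bus binds '@/tmp/dbus-XXXX'
    #    (made-up name; the pid suffix just avoids clashing with a real bus)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(b"\0/tmp/dbus-demo" + str(os.getpid()).encode())
    srv.listen(1)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())   # the connect the dbus-session-strict rule covers
    conn, _ = srv.accept()
    out["abstract"] = apparmor_addr(srv)
    out["abstract_client"] = apparmor_addr(cli)   # connecting side stays unnamed
    for s in (conn, cli, srv):
        s.close()

    # 2. anonymous socket from socketpair(): no name at all, so addr=none
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    out["anonymous"] = apparmor_addr(a)
    a.close()
    b.close()

    # 3. filesystem socket: a path, covered by file rules, not by addr=@...
    d = tempfile.mkdtemp()
    path = os.path.join(d, "X0")
    fs = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    fs.bind(path)
    out["filesystem"] = apparmor_addr(fs)
    fs.close()
    os.unlink(path)
    os.rmdir(d)

    return out


if __name__ == "__main__":
    for kind, addr in demo().items():
        print(f"{kind:16} addr={addr!r}  "
              f"matches '@/tmp/dbus-*': {addr_matches('@/tmp/dbus-*', addr)}")
```

Run it under a profile that includes the patched base abstraction and the abstract bind/connect above exercises the `unix (create)` and same-label `unix peer=(label=@{profile_name})` rules, while the socketpair exercises `peer=(addr=none)`; the filesystem socket shows why the `/tmp/.X11-unix/* w` file rule and the `addr="@/tmp/.X11-unix/X[0-9]*"` unix rule are not redundant with each other.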
-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor