On Wed, Aug 27, 2014 at 04:47:01PM -0500, Jamie Strandboge wrote:
> On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
> >
> > Starting a subthread for some additions to John's patches. This series assumes
> > John's 12 patches are applied and includes updates to the apparmor.d man page
> > and some policy updates. I expect I might have to adjust this a bit, but wanted
> > to send it up for comment. Let's have an ACK mean to apply it once it is safe to
> > do so.
> >
>
> Attached is a patch for:
> - the base abstraction for common abstract and anonymous rules (comments
>   included per rule)
> - dbus-session-strict to add a rule for connecting to the dbus session abstract
>   socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
>   explicit label if people preferred that
I don't like the label=unconfined on the dbus socket -- that would make it
harder to confine dbus.

> - X to add a rule for connecting to the X abstract socket. Same as for
>   dbus-session-strict
> - nameservice to add a rule for connecting to a netlink raw. This change could
>   possibly be excluded, but applications using networking (at least on Ubuntu)
>   all seem to need it. Excluding it would mean systems using nscd would need to
>   add this and ones not using it would have a noisy denial

Hmm. Netlink grants a lot. Can we make this any finer?

Thanks

>
>
> --
> Jamie Strandboge                 http://www.ubuntu.com/
> Author: Jamie Strandboge <[email protected]>
> Description: update policy for abstract sockets. Man page updates
>
> Conversion of s/path/addr/ in rules by Steve Beattie <[email protected]>
>
> ---
>  profiles/apparmor.d/abstractions/X                   |    3 +++
>  profiles/apparmor.d/abstractions/base                |   12 ++++++++++++
>  profiles/apparmor.d/abstractions/dbus-session-strict |    4 ++++
>  3 files changed, 19 insertions(+)
>
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/base
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
> @@ -122,6 +122,18 @@
>    # Checking for PID existence is quite common so add it by default for now
>    signal (receive, send) set=("exists"),
>
> +  # Allow us to create and use abstract and anonymous sockets
> +  unix peer=(label=@{profile_name}),
> +
> +  # Allow unconfined processes to us via unix sockets
> +  unix (receive) peer=(label=unconfined),
> +
> +  # Allow us to create abstract and anonymous sockets
> +  unix (create),
> +
> +  # Allow us to getattr and shutdown for anonymous sockets
> +  unix (getattr, shutdown) peer=(addr=none),
> +
>    # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
>    # filesystems generally. This does not appreciably decrease security with
>    # Ubuntu profiles because the user is expected to have access to files owned
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/dbus-session-strict
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
> @@ -13,6 +13,10 @@
>    /etc/machine-id r,
>    /var/lib/dbus/machine-id r,
>
> +  unix (connect, receive, send)
> +       type=stream
> +       peer=(label=unconfined,addr="@/tmp/dbus-*"),
> +
>    dbus send
>         bus=session
>         path=/org/freedesktop/DBus
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/X
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
> @@ -22,6 +22,9 @@
>
>    # the unix socket to use to connect to the display
>    /tmp/.X11-unix/* w,
> +  unix (connect, receive, send)
> +       type=stream
> +       peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),
>
>    /usr/include/X11/ r,
>    /usr/include/X11/** r,
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/nameservice
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
> @@ -87,5 +87,8 @@
>    network inet dgram,
>    network inet6 dgram,
>
> +  # Netlink raw needed for nscd
> +  network netlink raw,
> +
>    # interface details
>    @{PROC}/@{pid}/net/route r,
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
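Review bot: two of the new comments in the base hunk do not match their rules. "# Allow unconfined processes to us via unix sockets" is missing its verb (it should say what unconfined processes may do, e.g. "send to us", since the rule only grants `receive`), and "# Allow us to create and use abstract and anonymous sockets" sits above `unix peer=(label=@{profile_name}),`, which is a peer-conditioned rule with no access list; creation is granted two rules later by `unix (create),`. Suggest rewording the first comment to describe communication with processes carrying our own label, and leaving "create" to the comment on the bare `unix (create),` rule so a reader auditing base knows which rule grants what.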
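Review bot: the `label=unconfined` peer condition in the dbus-session-strict hunk hard-codes the assumption that dbus-daemon runs unconfined; the moment dbus-daemon is given its own profile, its label changes, the rule stops matching and every profile that includes this abstraction loses its session bus. The `addr="@/tmp/dbus-*"` match already identifies the bus socket, so suggest dropping the label and keeping `unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),`, or at least putting the label in a variable (the hunk in base already uses `@{profile_name}`) so it can be changed in one place.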
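Review bot: the X hunk has the same `label=unconfined` pinning as the dbus rule, so whichever form is settled on there should be mirrored here, keeping `addr="@/tmp/.X11-unix/X[0-9]*"` as the selector. The comment directly above ("# the unix socket to use to connect to the display") now covers two rules, the filesystem socket `/tmp/.X11-unix/* w,` and the new abstract-socket rule; suggest extending it to say that the second rule is for the abstract address, since the two are mediated differently (file rule vs. unix rule).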
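Review bot: the diffstat in the patch header lists 3 files changed and omits nameservice, so the summary no longer matches the patch; please regenerate it. On the rule itself, `network netlink raw,` is much broader than the comment "# Netlink raw needed for nscd" implies: the cover mail says all networking applications on Ubuntu seem to need it, not just nscd, and the `network` rule form used in this file (`network inet dgram,`) offers no selector finer than family and type. Suggest the comment record which operation actually needs the netlink socket, so the rule can be narrowed once finer netlink mediation is available, rather than naming nscd alone.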
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
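An added illustration of the label=unconfined objection raised in the reply above. This is example policy written here, not code from the thread or from the AppArmor project; the profile names `confined-app` and `dbus-daemon`, their attachment paths and the exact rule set a confined session bus would need are assumptions. It shows the proposed rule, the same rule with the label dropped, and what the other end of the socket would have to allow once dbus-daemon is confined, since unix socket rules are checked on both the connecting and the accepting side.

```apparmor
# Added example, not part of the patch. Profile names and paths are assumed.

# A client profile that includes dbus-session-strict. Rules (a) and (b)
# are shown side by side for comparison; only one would be kept in the
# abstraction.
profile confined-app /usr/bin/confined-app {
  #include <abstractions/base>

  # (a) As proposed: matches only while dbus-daemon runs unconfined.
  #     Once dbus-daemon gets a profile its label changes, this rule
  #     stops matching, and the client loses the session bus.
  unix (connect, receive, send)
       type=stream
       peer=(label=unconfined,addr="@/tmp/dbus-*"),

  # (b) Label dropped: the abstract address alone identifies the session
  #     bus, so the rule keeps matching whether or not dbus-daemon is
  #     confined.
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/dbus-*"),
}

# (c) The accepting side a confined dbus-daemon would need (assumed
#     profile). Without an accept/receive/send rule naming the client's
#     label, the client's connect is refused on this side even though
#     (b) allows it on the client side.
profile dbus-daemon /usr/bin/dbus-daemon {
  #include <abstractions/base>

  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
  unix (accept, receive, send)
       type=stream
       addr="@/tmp/dbus-*"
       peer=(label=confined-app),
}
```

Both profiles can be syntax-checked without loading them using `apparmor_parser -Q` (skip kernel load) on a parser recent enough to understand unix rules; with (b) in place, confining dbus-daemon later is a change to the dbus-daemon profile only, not to every consumer of the abstraction.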
