On Wed, Sep 03, 2014 at 02:06:15PM -0500, Jamie Strandboge wrote:
> On 08/29/2014 08:57 AM, Jamie Strandboge wrote:
> > On 08/27/2014 06:36 PM, Jamie Strandboge wrote:
> >> # TODO: adjust when support finer-grained netlink rules
> >
> > I've added this comment to the preliminary patchset.
>
> Updated to allow getopt and setopt, which turns out to be extremely common:
>
> # Allow us to getattr, getopt, setop and shutdown for anonymous sockets
> unix (getattr, getopt, setopt, shutdown) peer=(addr=none),
>
> --
> Jamie Strandboge http://www.ubuntu.com/
Acked-by: Seth Arnold <[email protected]> Thanks > Author: Jamie Strandboge <[email protected]> > Description: update policy for abstract sockets. Man page updates > Forwarded: yes > > Conversion of s/path/addr/ in rules by Steve Beattie > <[email protected]> > > --- > profiles/apparmor.d/abstractions/X | 3 +++ > profiles/apparmor.d/abstractions/base | 12 ++++++++++++ > profiles/apparmor.d/abstractions/dbus-session-strict | 4 ++++ > 3 files changed, 19 insertions(+) > > Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base > =================================================================== > --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/base > +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base > @@ -122,6 +122,18 @@ > # Checking for PID existence is quite common so add it by default for now > signal (receive, send) set=("exists"), > > + # Allow us to create and use abstract and anonymous sockets > + unix peer=(label=@{profile_name}), > + > + # Allow unconfined processes to us via unix sockets > + unix (receive) peer=(label=unconfined), > + > + # Allow us to create abstract and anonymous sockets > + unix (create), > + > + # Allow us to getattr, getopt, setop and shutdown for anonymous sockets > + unix (getattr, getopt, setopt, shutdown) peer=(addr=none), > + > # Workaround https://launchpad.net/bugs/359338 until upstream handles > stacked > # filesystems generally. This does not appreciably decrease security with > # Ubuntu profiles because the user is expected to have access to files > owned > Index: > apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict > =================================================================== > --- > apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/dbus-session-strict > +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict 
> @@ -13,6 +13,10 @@ > /etc/machine-id r, > /var/lib/dbus/machine-id r, > > + unix (connect, receive, send) > + type=stream > + peer=(label=unconfined,addr="@/tmp/dbus-*"), > + > dbus send > bus=session > path=/org/freedesktop/DBus > Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X > =================================================================== > --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/X > +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X > @@ -22,6 +22,9 @@ > > # the unix socket to use to connect to the display > /tmp/.X11-unix/* w, > + unix (connect, receive, send) > + type=stream > + peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"), > > /usr/include/X11/ r, > /usr/include/X11/** r, > Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice > =================================================================== > --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/nameservice > +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice > @@ -87,5 +87,9 @@ > network inet dgram, > network inet6 dgram, > > + # TODO: adjust when support finer-grained netlink rules > + # Netlink raw needed for nscd > + network netlink raw, > + > # interface details > @{PROC}/@{pid}/net/route r, > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
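Review bot: two comment fixes are needed in the base hunk: `# Allow unconfined processes to us via unix sockets` is missing its verb (`to send to us` is what `unix (receive) peer=(label=unconfined)` actually grants), and `setop` in `# Allow us to getattr, getopt, setop and shutdown for anonymous sockets` should read `setopt` to match the rule below it. Since base is pulled into nearly every profile, the `unix (receive) peer=(label=unconfined)` line also deserves a sentence on why receiving from any unconfined peer is acceptable by default, in the same way the `signal (receive, send) set=("exists")` rule just above it carries its justification inline.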
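Review bot: the dbus-session-strict rule hard-codes `peer=(label=unconfined,addr="@/tmp/dbus-*")`, so it only matches an unconfined session bus listening on an abstract socket; a session bus that is itself confined, or one listening on a filesystem-path socket rather than an abstract address, will be denied by this abstraction. A one-line comment stating that assumption would help anyone tracing a unix-socket denial for a dbus client back to this rule.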
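Review bot: in the X hunk the new `unix (connect, receive, send)` rule is added directly under `/tmp/.X11-unix/* w,` with no comment of its own; add a line noting that it covers the abstract-socket form of the same display socket, since `# the unix socket to use to connect to the display` currently reads as describing only the file rule. Note also that `addr="@/tmp/.X11-unix/X[0-9]*"` matches one digit followed by any characters other than `/`, so it is slightly broader than a bare display number; AppArmor's glob syntax has no way to say "one or more digits", so this is acceptable, but saying so in the comment avoids a later attempt to tighten it.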
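Review bot: `network netlink raw,` in nameservice grants raw netlink for every netlink family to every profile that includes this abstraction, which is most of them; the TODO acknowledges this, but `# Netlink raw needed for nscd` should say who needs it (the nscd daemon itself, or resolver code in nscd clients, since clients are what include nameservice) so the rule can be narrowed once finer-grained netlink rules exist. The TODO line itself reads better as `# TODO: adjust when finer-grained netlink rules are supported`.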
