On Thu, Apr 14, 2016 at 02:23:58PM +0200, Christian Boltz wrote:
> Hello,
>
> this patch backports most profile additions from the latest 2.9 branch
> r3004, with the exception of new rule types (2.8 doesn't support dbus,
> ptrace etc.) and some noisy cleanups (like /proc/*/ -> @{PROC}/@{pid}/).
>
> I'll submit this patch as update for openSUSE 13.1 (which still uses
> 2.8.4) and would like to get a review ASAP ;-)
>
> (See also the mail I sent some minutes ago.)Acked-by: Seth Arnold <[email protected]> Thanks > > > > [ backport-profile-additions-from-2.9.diff ] > > === modified file 'profiles/apparmor.d/abstractions/X' > --- profiles/apparmor.d/abstractions/X 2013-01-04 17:45:19 +0000 > +++ profiles/apparmor.d/abstractions/X 2016-04-14 12:13:08 +0000 > @@ -19,6 +19,8 @@ > @{HOME}/.Xauthority r, > owner /{,var/}run/gdm{,3}/*/database r, > owner /{,var/}run/lightdm/authority/[0-9]* r, > + owner /{,var/}run/lightdm/*/xauthority r, > + owner /{,var/}run/user/*/gdm/Xauthority r, > > # the unix socket to use to connect to the display > /tmp/.X11-unix/* w, > @@ -32,9 +34,13 @@ > /usr/share/X11/** r, > /usr/X11R6/**.so* mr, > > + # EGL > + /usr/lib/@{multiarch}/egl/*.so* mr, > + > # DRI > /usr/lib{,32,64}/dri/** mr, > /usr/lib/@{multiarch}/dri/** mr, > + /usr/lib/fglrx/dri/** mr, > /dev/dri/** rw, > /etc/drirc r, > owner @{HOME}/.drirc r, > > === modified file 'profiles/apparmor.d/abstractions/aspell' > --- profiles/apparmor.d/abstractions/aspell 2012-01-18 18:15:57 +0000 > +++ profiles/apparmor.d/abstractions/aspell 2016-04-14 12:13:08 +0000 > @@ -8,4 +8,6 @@ > /usr/lib/aspell/ r, > /usr/lib/aspell/* r, > /usr/lib/aspell/*.so m, > + /usr/share/aspell/ r, > + /usr/share/aspell/* r, > /var/lib/aspell/* r, > > === modified file 'profiles/apparmor.d/abstractions/base' > --- profiles/apparmor.d/abstractions/base 2013-04-09 13:18:40 +0000 > +++ profiles/apparmor.d/abstractions/base 2016-04-14 12:13:08 +0000 > @@ -26,12 +26,14 @@ > /etc/locale/** r, > /etc/locale.alias r, > /etc/localtime r, > + /usr/share/locale-bundle/** r, > /usr/share/locale-langpack/** r, > /usr/share/locale/** r, > /usr/share/**/locale/** r, > /usr/share/zoneinfo/ r, > /usr/share/zoneinfo/** r, > /usr/share/X11/locale/** r, > + /{,var/}run/systemd/journal/dev-log w, > > /usr/lib{,32,64}/locale/** mr, > /usr/lib{,32,64}/gconv/*.so mr, 
> @@ -103,6 +105,9 @@ > # glibc malloc (man 5 proc) > @{PROC}/sys/vm/overcommit_memory r, > > + # Allow determining the highest valid capability of the running kernel > + @{PROC}/sys/kernel/cap_last_cap r, > + > # Workaround https://launchpad.net/bugs/359338 until upstream handles > stacked > # filesystems generally. This does not appreciably decrease security with > # Ubuntu profiles because the user is expected to have access to files > owned > > === modified file 'profiles/apparmor.d/abstractions/cups-client' > --- profiles/apparmor.d/abstractions/cups-client 2012-01-06 16:45:34 > +0000 > +++ profiles/apparmor.d/abstractions/cups-client 2016-04-14 12:13:08 > +0000 > @@ -12,7 +12,7 @@ > # discoverable system configuration for non-local cupsd > /etc/cups/client.conf r, > # client should be able to talk the local cupsd > - /{,var/}run/cups/cups.sock w, > + /{,var/}run/cups/cups.sock rw, > # client should be able to read user-specified cups configuration > owner @{HOME}/.cups/client.conf r, > owner @{HOME}/.cups/lpoptions r, > > === modified file 'profiles/apparmor.d/abstractions/fonts' > --- profiles/apparmor.d/abstractions/fonts 2013-10-14 23:31:38 +0000 > +++ profiles/apparmor.d/abstractions/fonts 2016-04-14 12:13:08 +0000 > @@ -52,3 +52,6 @@ > > # poppler CMap tables > /usr/share/poppler/cMap/** r, > + > + # data files for LibThai > + /usr/share/libthai/thbrk.tri r, > > === modified file 'profiles/apparmor.d/abstractions/freedesktop.org' > --- profiles/apparmor.d/abstractions/freedesktop.org 2014-09-11 00:40:14 > +0000 > +++ profiles/apparmor.d/abstractions/freedesktop.org 2016-04-14 12:13:08 > +0000 > @@ -11,6 +11,7 @@ > > # system configuration > /usr/share/applications/ r, > + /usr/share/applications/defaults.list r, > /usr/share/applications/mimeinfo.cache r, > /usr/share/applications/*.desktop r, > /usr/share/icons/ r, 
> @@ -30,6 +31,7 @@ > owner @{HOME}/.recently-used.xbel* rw, > owner @{HOME}/.local/share/recently-used.xbel* rw, > owner @{HOME}/.config/user-dirs.dirs r, > + owner @{HOME}/.config/mimeapps.list r, > owner @{HOME}/.local/share/applications/ r, > owner @{HOME}/.local/share/applications/*.desktop r, > owner @{HOME}/.local/share/applications/defaults.list r, > > === modified file 'profiles/apparmor.d/abstractions/nameservice' > --- profiles/apparmor.d/abstractions/nameservice 2014-11-17 23:28:51 > +0000 > +++ profiles/apparmor.d/abstractions/nameservice 2016-04-14 12:13:08 > +0000 > @@ -26,12 +26,21 @@ > /var/lib/extrausers/group r, > /var/lib/extrausers/passwd r, > > + # When using sssd, the passwd and group files are stored in an alternate > path > + # and the nss plugin also needs to talk to a pipe > + /var/lib/sss/mc/group r, > + /var/lib/sss/mc/passwd r, > + /var/lib/sss/pipes/nss rw, > + > /etc/resolv.conf r, > # on systems using resolvconf, /etc/resolv.conf is a symlink to > # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in > # /etc/resolvconf/run/resolv.conf > /{,var/}run/resolvconf/resolv.conf r, > /etc/resolvconf/run/resolv.conf r, > + # on systems using systemd's networkd, /etc/resolv.conf is a symlink to > + # /run/systemd/resolve/resolv.conf > + /{,var/}run/systemd/resolve/resolv.conf r, > > /etc/samba/lmhosts r, > /etc/services r, > > === modified file 'profiles/apparmor.d/abstractions/p11-kit' > --- profiles/apparmor.d/abstractions/p11-kit 2013-09-12 14:25:56 +0000 > +++ profiles/apparmor.d/abstractions/p11-kit 2016-04-14 12:13:08 +0000 
> @@ -19,6 +19,9 @@ > /usr/share/p11-kit/modules/ r, > /usr/share/p11-kit/modules/* r, > > + # gnome-keyring pkcs11 module > + owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw, > + > # p11-kit also supports reading user configuration from ~/.pkcs11 depending > # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not > be > # included in this abstraction. > > === modified file 'profiles/apparmor.d/abstractions/php5' > --- profiles/apparmor.d/abstractions/php5 2010-03-30 17:34:32 +0000 > +++ profiles/apparmor.d/abstractions/php5 2016-04-14 12:13:08 +0000 > @@ -11,8 +11,8 @@ > # ------------------------------------------------------------------ > > # shared snippets for config files > - /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r, > - /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r, > + /etc/php5/**/ r, > + /etc/php5/**.ini r, > > # Xlibs > /usr/X11R6/lib{,32,64}/lib*.so* mr, > @@ -30,3 +30,6 @@ > > # MySQL extension > /usr/share/mysql/** r, > + > + # Zend opcache > + /tmp/.ZendSem.* rwlk, > > === modified file 'profiles/apparmor.d/abstractions/samba' > --- profiles/apparmor.d/abstractions/samba 2013-12-23 21:16:59 +0000 > +++ profiles/apparmor.d/abstractions/samba 2016-04-14 12:13:08 +0000 > @@ -13,7 +13,7 @@ > /usr/share/samba/*.dat r, > /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, > /var/cache/samba/ w, > - /var/lib/samba/**.tdb rwk, > + /var/lib/samba/** rwk, > /var/log/samba/cores/ rw, > /var/log/samba/cores/** rw, > /var/log/samba/log.* w, > > === modified file 'profiles/apparmor.d/abstractions/ssl_certs' > --- profiles/apparmor.d/abstractions/ssl_certs 2013-11-25 23:42:19 +0000 > +++ profiles/apparmor.d/abstractions/ssl_certs 2016-04-14 12:13:08 +0000 
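Review bot: The new `/tmp/.ZendSem.* rwlk,` rule in the php5 abstraction is an unqualified glob on a shared, world-writable directory, so every profile that includes this abstraction may read, write, link and lock any file of that name in /tmp regardless of which user created it. Unless the opcache semaphore files are created under a different uid than the PHP process itself, restricting the rule to the caller's own files, `owner /tmp/.ZendSem.* rwlk,`, keeps the same functionality with less exposure to files created by other local users. If the unqualified form is deliberate, a one-line comment above the rule saying why `owner` cannot be used would save the next reviewer the same question.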
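Review bot: Replacing `/var/lib/samba/**.tdb rwk,` with `/var/lib/samba/** rwk,` widens write and lock access from the TDB databases to every file under /var/lib/samba, including whatever lives in the private/ subtree, for every profile that includes the samba abstraction, and neither the hunk nor the cover letter says which non-.tdb files required it. If the need is a known set of additional suffixes (the *.ldb databases, presumably), a narrower alternation such as `/var/lib/samba/**.{tdb,ldb} rwk,` would cover them with less exposure; otherwise a comment above the rule naming the files that triggered the broadening would document the trade-off. The samba abstraction continues outside the hunk, so a pre-existing narrower rule elsewhere in the file cannot be ruled out from here.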
> @@ -12,6 +12,10 @@ > /etc/ssl/ r, > /etc/ssl/certs/ r, > /etc/ssl/certs/* r, > + /etc/pki/trust/ r, > + /etc/pki/trust/* r, > + /etc/pki/trust/anchors/ r, > + /etc/pki/trust/anchors/** r, > /usr/share/ca-certificates/ r, > /usr/share/ca-certificates/** r, > /usr/share/ssl/certs/ca-bundle.crt r, > @@ -19,3 +23,7 @@ > /usr/local/share/ca-certificates/** r, > /var/lib/ca-certificates/ r, > /var/lib/ca-certificates/** r, > + > + # acmetool > + /var/lib/acme/certs/*/chain r, > + /var/lib/acme/certs/*/cert r, > > === modified file 'profiles/apparmor.d/abstractions/ssl_keys' > --- profiles/apparmor.d/abstractions/ssl_keys 2010-12-20 20:29:10 +0000 > +++ profiles/apparmor.d/abstractions/ssl_keys 2016-04-14 12:13:08 +0000 > @@ -16,3 +16,7 @@ > /etc/ssl/ r, > /etc/ssl/** r, > > + # acmetool > + /var/lib/acme/live/* r, > + /var/lib/acme/certs/** r, > + /var/lib/acme/keys/** r, > > === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/java' > --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2013-01-03 > 23:37:41 +0000 > +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2016-04-14 > 12:13:08 +0000 > @@ -12,6 +12,8 @@ > /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java, > /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java, > /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java, > + owner /{,var/}run/user/*/icedteaplugin-*/ rw, > + owner /{,var/}run/user/*/icedteaplugin-*/** rwk, > > # Profile for the supported OpenJDK in Ubuntu. This doesn't require the > # unfortunate workarounds of the proprietary Javas, so have a separate > > === modified file > 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia' > --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia > 2013-01-09 23:15:59 +0000 > +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia > 2016-04-14 12:13:08 +0000 
> @@ -55,3 +55,6 @@ > > # Virus scanners > /usr/bin/clamscan Cx -> sanitized_helper, > + > + # gxine (LP: #1057642) > + /var/lib/xine/gxine.desktop r, > > === modified file > 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common' > --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common > 2012-01-17 14:22:11 +0000 > +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common > 2016-04-14 12:13:08 +0000 > @@ -5,10 +5,10 @@ > # > @{PROC}/[0-9]*/fd/ r, > /usr/lib/** rm, > - /bin/bash ixr, > - /bin/dash ixr, > - /bin/grep ixr, > - /bin/sed ixr, > + /{,usr/}bin/bash ixr, > + /{,usr/}bin/dash ixr, > + /{,usr/}bin/grep ixr, > + /{,usr/}bin/sed ixr, > /usr/bin/m4 ixr, > > # Since all the ubuntu-browsers.d abstractions need this, just include it > > === modified file > 'profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration' > --- profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration > 2013-07-01 15:51:11 +0000 > +++ profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration > 2016-04-14 12:13:08 +0000 > @@ -33,3 +33,9 @@ > /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, > /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, > /etc/xdg/xfce4/helpers.rc r, > + > + # unity webapps integration. Could go in its own abstraction > + owner /run/user/*/dconf/user rw, > + owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk, > + /usr/bin/debconf-communicate Cxr -> sanitized_helper, > + owner @{HOME}/.config/libaccounts-glib/accounts.db rk, > > === modified file 'profiles/apparmor.d/abstractions/ubuntu-email' > --- profiles/apparmor.d/abstractions/ubuntu-email 2012-05-18 20:30:22 > +0000 > +++ profiles/apparmor.d/abstractions/ubuntu-email 2016-04-14 12:13:08 > +0000 
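Review bot: The new `owner /run/user/*/dconf/user rw,` rule in ubuntu-integration spells the runtime directory as a bare `/run/user`, whereas every other new rule in this series uses the `/{,var/}run/user/...` alternation (the lightdm and gdm rules in abstractions/X, the keyring rule in p11-kit, the icedtea rules in ubuntu-browsers.d/java), so on a system where applications resolve the path through /var/run this rule would not match. For consistency with the rest of the patch: `owner /run/user/*/dconf/user rw,` → `owner /{,var/}run/user/*/dconf/user rw,`. The same hunk adds `/usr/bin/debconf-communicate Cxr -> sanitized_helper,`, which inherits whatever sanitized_helper is given elsewhere in this series (notably the new `#include <abstractions/X>` in ubuntu-helpers); that is presumably intended, but worth a glance since debconf-communicate has no need for the display.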
> @@ -10,6 +10,8 @@ > /usr/bin/balsa Cx -> sanitized_helper, > /usr/bin/claws-mail Cx -> sanitized_helper, > /usr/bin/evolution Cx -> sanitized_helper, > + /usr/bin/geary Cx -> sanitized_helper, > + /usr/bin/gnome-gmail Cx -> sanitized_helper, > /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper, > /usr/bin/kmail Cx -> sanitized_helper, > /usr/bin/mailody Cx -> sanitized_helper, > > === modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers' > --- profiles/apparmor.d/abstractions/ubuntu-helpers 2013-01-03 23:44:14 > +0000 > +++ profiles/apparmor.d/abstractions/ubuntu-helpers 2016-04-14 12:13:08 > +0000 > @@ -33,6 +33,7 @@ > > profile sanitized_helper { > #include <abstractions/base> > + #include <abstractions/X> > > # Allow all networking > network inet, > @@ -53,11 +54,15 @@ > # permissions for /usr/share, but for now just do this. (LP: #972367) > /usr/share/software-center/* Pixr, > > + # Allow exec of texlive font build scripts (LP: #1010909) > + /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr, > + > # While the chromium and chrome sandboxes are setuid root, they only link > # in limited libraries so glibc's secure execution should be enough to not > # require the santized_helper (ie, LD_PRELOAD will only use standard system > # paths (man ld.so)). > /usr/lib/chromium-browser/chromium-browser-sandbox PUxr, > + /usr/lib/chromium-browser/chrome-sandbox PUxr, > /opt/google/chrome/chrome-sandbox PUxr, > /opt/google/chrome/google-chrome Pixr, > /opt/google/chrome/chrome Pixr, > > === modified file 'profiles/apparmor.d/abstractions/user-mail' > --- profiles/apparmor.d/abstractions/user-mail 2010-12-22 22:55:18 +0000 > +++ profiles/apparmor.d/abstractions/user-mail 2016-04-14 12:13:08 +0000 
> @@ -1,6 +1,7 @@ > # ------------------------------------------------------------------ > # > # Copyright (C) 2002-2006 Novell/SUSE > +# Copyright (C) 2014 Canonical Ltd. > # > # This program is free software; you can redistribute it and/or > # modify it under the terms of version 2 of the GNU General Public > @@ -12,8 +13,8 @@ > owner @{HOME}/[mM]ail/ r, > owner @{HOME}/[mM]ail/** rwl, > owner @{HOME}/postponed* rwl, > - /var/spool/mail/ r, > - /var/spool/mail/* rwl, > + /var/{,spool/}mail/ r, > + /var/{,spool/}mail/* rwl, > owner @{HOME}/mbox.lock* rwl, > owner @{HOME}/mbox rw, > owner @{HOME}/inbox rw, > > === modified file 'profiles/apparmor.d/apache2.d/phpsysinfo' > --- profiles/apparmor.d/apache2.d/phpsysinfo 2011-07-14 12:57:57 +0000 > +++ profiles/apparmor.d/apache2.d/phpsysinfo 2016-04-14 12:13:08 +0000 
> @@ -5,36 +5,44 @@ > #include <abstractions/apache2-common> > #include <abstractions/base> > #include <abstractions/nameservice> > + #include <abstractions/php5> > #include <abstractions/python> > > - /bin/dash ixr, > - /bin/df ixr, > - /bin/mount ixr, > - /bin/uname ixr, > + /{,usr/}bin/dash ixr, > + /{,usr/}bin/df ixr, > + /{,usr/}bin/mount ixr, > + /{,usr/}bin/uname ixr, > /dev/bus/usb/ r, > /dev/bus/usb/** r, > /etc/debian_version r, > /etc/lsb-release r, > /etc/mtab r, > /etc/phpsysinfo/config.php r, > + /etc/udev/udev.conf r, > /proc/** r, > + /sys/bus/ r, > /sys/bus/pci/devices/ r, > + /sys/bus/pci/slots/ r, > + /sys/bus/pci/slots/** r, > + /sys/bus/usb/devices/ r, > + /sys/class/ r, > /sys/devices/** r, > + /usr/bin/ r, > /usr/bin/apt-cache ixr, > /usr/bin/dpkg-query ixr, > /usr/bin/lsb_release ixr, > /usr/bin/lspci ixr, > /usr/bin/who ixr, > - /usr/sbin/lsusb ixr, > + /usr/{,s}bin/lsusb ixr, > /usr/share/phpsysinfo/** r, > + /var/lib/dpkg/arch r, > /var/lib/dpkg/available r, > /var/lib/dpkg/status r, > /var/lib/dpkg/triggers/* r, > /var/lib/dpkg/updates/ r, > - /var/lib/misc/usb.ids r, > + /var/lib/{misc,usbutils}/usb.ids r, > /var/log/apache2/access.log w, > /var/log/apache2/error.log w, > /{,var/}run/utmp rk, > /usr/share/misc/pci.ids r, > - > } > > === modified file 'profiles/apparmor.d/sbin.syslog-ng' > --- profiles/apparmor.d/sbin.syslog-ng 2012-01-09 12:28:25 +0000 > +++ profiles/apparmor.d/sbin.syslog-ng 2016-04-14 12:13:08 +0000 > @@ -20,6 +20,7 @@ > #include <abstractions/consoles> > #include <abstractions/nameservice> > #include <abstractions/mysql> > + #include <abstractions/openssl> > > capability chown, > capability dac_override, > @@ -34,7 +35,10 @@ > /dev/syslog w, > /dev/tty10 rw, > /dev/xconsole rw, > + /etc/machine-id r, > /etc/syslog-ng/* r, > + /etc/syslog-ng/conf.d/ r, > + /etc/syslog-ng/conf.d/* r, > @{PROC}/kmsg r, > /etc/hosts.deny r, > /etc/hosts.allow r, 
> @@ -47,6 +51,10 @@ > @{CHROOT_BASE}/var/log/** w, > @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw, > @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw, > + /{var,var/run,run}/log/journal/ r, > + /{var,var/run,run}/log/journal/*/ r, > + /{var,var/run,run}/log/journal/*/*.journal r, > + /{var/,}run/syslog-ng.ctl a, > /{var/,}run/syslog-ng/additional-log-sockets.conf r, > > # Site-specific additions and overrides. See local/README for details. > > === modified file 'profiles/apparmor.d/usr.sbin.identd' > --- profiles/apparmor.d/usr.sbin.identd 2011-07-14 12:57:57 +0000 > +++ profiles/apparmor.d/usr.sbin.identd 2016-04-14 12:13:08 +0000 > @@ -23,7 +23,9 @@ > /usr/sbin/identd rmix, > @{PROC}/net/tcp r, > @{PROC}/net/tcp6 r, > - /{,var/}run/identd.pid w, > + /{,var/}run/identd.pid w, > + /{,var/}run/identd/ w, > + /{,var/}run/identd/identd.pid w, > > # Site-specific additions and overrides. See local/README for details. > #include <local/usr.sbin.identd> > > === modified file 'profiles/apparmor.d/usr.sbin.smbd' > --- profiles/apparmor.d/usr.sbin.smbd 2014-08-11 21:24:23 +0000 > +++ profiles/apparmor.d/usr.sbin.smbd 2016-04-14 12:13:08 +0000 > @@ -17,6 +17,7 @@ > capability net_bind_service, > capability setgid, > capability setuid, > + capability sys_admin, # needed to store ACLS in the security.NTACL > namespace > capability sys_resource, > capability sys_tty_config, > > > === modified file 'profiles/apparmor.d/usr.sbin.smbldap-useradd' > --- profiles/apparmor.d/usr.sbin.smbldap-useradd 2012-01-10 18:06:24 > +0000 > +++ profiles/apparmor.d/usr.sbin.smbldap-useradd 2016-04-14 12:13:08 > +0000 > @@ -8,7 +8,7 @@ > #include <abstractions/perl> > > /dev/tty rw, > - /bin/bash ix, > + /{,usr/}bin/bash ix, > /etc/init.d/nscd Cx, > /etc/shadow r, > /etc/smbldap-tools/smbldap.conf r, 
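Review bot: `capability sys_admin,` is the broadest capability a profile can grant and reaches far beyond writing the security.NTACL extended attribute, so the usr.sbin.smbd profile should make the scope of the decision visible; the justification sits in a trailing comment on the same line, while every other explanatory comment added in this series is on its own line above the rule it explains. Moving it above the rule, e.g. `# needed to store ACLs in the security.NTACL xattr namespace (requires CAP_SYS_ADMIN)` followed by `capability sys_admin,`, keeps the file consistent and makes the rule easier to spot in later reviews. If the NTACL storage is only exercised under a particular Samba VFS configuration, saying so in that comment would let administrators judge whether the capability applies to their deployment.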
> @@ -26,9 +26,9 @@ > > capability sys_ptrace, > > - /bin/bash r, > - /bin/mountpoint rix, > - /bin/systemctl rix, > + /{,usr/}bin/bash r, > + /{,usr/}bin/mountpoint rix, > + /{,usr/}bin/systemctl rix, > /dev/tty rw, > /etc/init.d/nscd r, > /etc/rc.status r, > > > > Regards, > > Christian Boltz > -- > Multitasking - one computer keeps several users/admins busy. > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
