On Sun, Aug 06, 2017 at 08:31:56PM +0200, Christian Boltz wrote:
> Hello,
> 
> $subject.
> - allow reading @{PROC}/@{pid}/net/netstat and @{PROC}/@{pid}/net/snmp
> - drop owner conditional - /proc/*/net/* is always owned by root, and
>   the owner conditional means breaking netstat for non-root users
> - drop "@{PROC}/@{pids}/fd r," - /proc/*/fd is a directory, so this rule
>   would never apply
> 
> This is an "extra" profile, which means updating it in trunk is enough ;-)

Acked-by: Steve Beattie <[email protected]>

I noticed while testing this that I also saw a couple of rejections for
@{PROC}/@{pid}/net/udplite and @{PROC}/@{pid}/net/udplite6, it'd be nice
to get those added as well.

Thanks.

> === modified file 'profiles/apparmor/profiles/extras/bin.netstat'
> --- profiles/apparmor/profiles/extras/bin.netstat       2016-12-03 09:59:01 
> +0000
> +++ profiles/apparmor/profiles/extras/bin.netstat       2017-08-06 18:27:06 
> +0000
> @@ -2,6 +2,7 @@
>  # ------------------------------------------------------------------
>  #
>  #    Copyright (C) 2002-2005 Novell/SUSE
> +#    Copyright (C) 2017 Christian Boltz
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -27,15 +28,16 @@
>    /etc/networks r,
>    @{PROC} r,
>    @{PROC}/@{pids}/cmdline r,
> -  @{PROC}/@{pids}/fd r,
>    @{PROC}/net r,
>    @{PROC}/net/* r,
>    @{PROC}/@{pids}/fd/ r,
> -  owner @{PROC}/@{pid}/net/raw r,
> -  owner @{PROC}/@{pid}/net/raw6 r,
> -  owner @{PROC}/@{pid}/net/tcp r,
> -  owner @{PROC}/@{pid}/net/tcp6 r,
> -  owner @{PROC}/@{pid}/net/udp r,
> -  owner @{PROC}/@{pid}/net/udp6 r,
> -  owner @{PROC}/@{pid}/net/unix r,
> +  @{PROC}/@{pid}/net/netstat r,
> +  @{PROC}/@{pid}/net/raw r,
> +  @{PROC}/@{pid}/net/snmp r,
> +  @{PROC}/@{pid}/net/raw6 r,
> +  @{PROC}/@{pid}/net/tcp r,
> +  @{PROC}/@{pid}/net/tcp6 r,
> +  @{PROC}/@{pid}/net/udp r,
> +  @{PROC}/@{pid}/net/udp6 r,
> +  @{PROC}/@{pid}/net/unix r,
>  }
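Review bot: the new rule list still has no entry for `@{PROC}/@{pid}/net/udplite` or `@{PROC}/@{pid}/net/udplite6`, which the reply above reports as rejected while testing this patch; adding `@{PROC}/@{pid}/net/udplite r,` and `@{PROC}/@{pid}/net/udplite6 r,` next to the udp entries would close that gap in the same change. Two smaller points in the same hunk: `@{PROC}/@{pid}/net/snmp r,` is inserted between `raw` and `raw6`, breaking the otherwise alphabetical order of the net entries, so it belongs after `raw6`; and the block now mixes `@{pids}` (cmdline, fd/) with `@{pid}` (the net entries), so using one variable throughout would make the profile easier to read. Dropping `owner` is consistent with the commit message's reasoning: everything under /proc/*/net is root-owned, so an `owner` rule could only match when netstat itself ran as root, and the `@{PROC}/@{pids}/fd/ r,` rule with the trailing slash is correctly kept so that listing the fd directory stays allowed.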

-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/

Attachment: signature.asc
Description: PGP signature
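As an added example (not AppArmor's tooling and not the patch author's code), the checker below shows the three points the commit message makes in working form: it turns AppArmor path rules into regexes, honours the `owner` conditional by comparing `fsuid` with `ouid` from the audit line, and reports which DENIED lines a profile would still reject and why. The profile excerpts are copied from the hunk above (before and after the patch), the audit lines are constructed rather than captured, and the variable expansions for `@{PROC}`, `@{pid}` and `@{pids}` are a simplifying assumption (the real tunables define them more precisely).

```python
"""Check AppArmor DENIED audit lines against a profile's file rules (added example)."""
import re

# Assumption: simplified variable values; the shipped tunables are stricter,
# but [0-9]+ is enough for matching /proc/<pid> paths here.
VARS = {"@{PROC}": "/proc", "@{pid}": "[0-9]+", "@{pids}": "[0-9]+"}

RULE_RE = re.compile(r"^\s*(owner\s+)?(\S+)\s+([a-zA-Z]+),\s*$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def glob_to_regex(path):
    """Anchored regex for an AppArmor path glob.

    '**' spans '/', '*' does not. A trailing '/' means 'directory'; the kernel
    logs directory names with a trailing slash, so '/proc/1/fd' never matches
    the directory '/proc/1/fd/' (why the 'fd r,' rule could never apply).
    """
    out, i = [], 0
    while i < len(path):
        if path.startswith("@{", i):
            end = path.index("}", i) + 1
            out.append(VARS[path[i:end]])  # unknown variable: KeyError on purpose
            i = end
        elif path.startswith("**", i):
            out.append(".*")
            i += 2
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text):
    """File rules as dicts: owner flag, compiled path regex, permission set."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and not line.strip().startswith("#"):
            rules.append({"owner": bool(m.group(1)),
                          "regex": glob_to_regex(m.group(2)),
                          "perms": set(m.group(3))})
    return rules


def parse_denial(line):
    """Fields that matter from one audit line; None unless it is a DENIED line."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return {"name": fields["name"], "mask": set(fields["requested_mask"]),
            "fsuid": int(fields["fsuid"]), "ouid": int(fields["ouid"])}


def explain(rules, denial):
    """None if some rule allows the access, else a short reason it is still denied."""
    hits = [r for r in rules
            if r["regex"].match(denial["name"]) and denial["mask"] <= r["perms"]]
    if not hits:
        return "no rule matches path"
    if any(not r["owner"] or denial["fsuid"] == denial["ouid"] for r in hits):
        return None
    return "only 'owner' rules match: fsuid %d != ouid %d" % (denial["fsuid"], denial["ouid"])


def uncovered(profile_text, log_lines):
    """(path, reason) for every DENIED line the profile would still reject."""
    rules = parse_profile(profile_text)
    out = []
    for line in log_lines:
        d = parse_denial(line)
        if d is not None and explain(rules, d):
            out.append((d["name"], explain(rules, d)))
    return out


# Rule excerpts from the hunk above: before and after the patch.
OLD_PROFILE = """
  @{PROC}/@{pids}/fd r,
  @{PROC}/net/* r,
  @{PROC}/@{pids}/fd/ r,
  owner @{PROC}/@{pid}/net/tcp r,
  owner @{PROC}/@{pid}/net/udp r,
  owner @{PROC}/@{pid}/net/unix r,
"""
NEW_PROFILE = """
  @{PROC}/net/* r,
  @{PROC}/@{pids}/fd/ r,
  @{PROC}/@{pid}/net/netstat r,
  @{PROC}/@{pid}/net/snmp r,
  @{PROC}/@{pid}/net/tcp r,
  @{PROC}/@{pid}/net/udp r,
  @{PROC}/@{pid}/net/unix r,
"""

# Constructed audit lines (not from a real system): an unprivileged user runs
# netstat; /proc/*/net/* is root-owned, so fsuid (1000) never equals ouid (0).
LOGS = [
    'type=AVC msg=audit(1502044616.000:101): apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/1234/net/tcp" pid=1234 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1502044616.000:102): apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/1234/net/netstat" pid=1234 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1502044616.000:103): apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/1234/net/udplite" pid=1234 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1502044616.000:104): apparmor="ALLOWED" operation="open" profile="/bin/netstat" name="/proc/1234/net/unix" pid=1234 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

if __name__ == "__main__":
    for label, prof in (("before patch", OLD_PROFILE), ("after patch", NEW_PROFILE)):
        print(label, uncovered(prof, LOGS))
```

Run against the constructed lines, the pre-patch excerpt rejects tcp (only an `owner` rule matches and the uids differ), netstat and udplite (no rule at all); the post-patch excerpt rejects only udplite, which is the file the reply above still saw denied.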

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
