Control: retitle -1 apparmor: Ensure our AppArmor policy does not break stuff 
with Linux 4.14
Control: tag -1 - patch
Control: tag -1 - pending

I've upgraded my system to 4.14 and had to adjust no less than 7 profiles
*after* applying Christian's patch to abstractions/nameservice.

They're spread over multiple source packages but I figured it would be
nice to at least share my tweaks (attached) so anyone affected can
temporarily apply them locally, and everyone who wants can start
pushing them to the correct upstream / source package.

I suspect more is coming. Ubuntu / OpenSUSE probably already have
some of this stuff.

diff --git a/apparmor.d/abstractions/nameservice b/apparmor.d/abstractions/nameservice
index 6c9bde39..4322cf17 100644
--- a/apparmor.d/abstractions/nameservice
+++ b/apparmor.d/abstractions/nameservice
@@ -89,6 +89,12 @@
   network inet  dgram,
   network inet6 dgram,
 
+  # TODO: replace with more specific "unix" rules once support for them
+  # arrives in the Linux kernel (probably in 4.15) and gives us detailed
+  # log messages
+  network unix dgram,
+  network unix stream,
+
   # TODO: adjust when support finer-grained netlink rules
   # Netlink raw needed for nscd
   network netlink raw,
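Review bot: `network unix stream,` in abstractions/nameservice reaches every profile that includes the abstraction, which is a far wider grant than the resolver lookups the abstraction exists for, and the TODO does not record which consumer needs the stream side and which the dgram side. Without that, nobody can narrow the rules when the more specific `unix` syntax (already used in the usr.bin.pulseaudio hunk for a stream peer) becomes usable here; a line such as `# unix dgram/stream: local resolver sockets (presumably nscd, systemd-resolved) — confirm against the 4.14 denials` above the rules would preserve that knowledge. The rest of the abstraction is outside the hunk.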
diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor
index 15601a4a..5e494adc 100644
--- a/apparmor.d/abstractions/tor
+++ b/apparmor.d/abstractions/tor
@@ -6,6 +6,8 @@
   network tcp,
   network udp,
 
+  network unix dgram,
+
   capability chown,
   capability dac_read_search,
   capability fowner,
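Review bot: The new `network unix dgram,` carries no comment saying what the 4.14 kernel denied and for which program, so a later maintainer cannot tell whether a syslog-style dgram socket or a specific peer was needed, and the rule cannot be narrowed once finer unix rules are supported; the same applies to the bare `network unix` lines in the sbin.dhclient, usr.sbin.cupsd and usr.sbin.haveged hunks. A one-line comment above each, e.g. `# Linux 4.14 mediates AF_UNIX socket creation; needed for <consumer — confirm from the audit log>`, would do. The rest of the tor abstraction is outside the hunk.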
diff --git a/apparmor.d/sbin.dhclient b/apparmor.d/sbin.dhclient
index 7b6a06d8..17723dab 100644
--- a/apparmor.d/sbin.dhclient
+++ b/apparmor.d/sbin.dhclient
@@ -16,6 +16,9 @@ profile dhclient /{usr/,}sbin/dhclient {
   network packet,
   network raw,
 
+  network unix dgram,
+  network unix stream,
+
   @{PROC}/[0-9]*/net/ r,
   @{PROC}/[0-9]*/net/** r,
 
@@ -89,12 +92,15 @@ profile dhclient /{usr/,}sbin/dhclient {
 
   /run/NetworkManager/private-dhcp rw,
   signal (send) peer=/{usr/,}sbin/dhcient,
+  signal (send) peer=dhcient,
 
   /var/lib/NetworkManager/*lease r,
   signal (receive) peer=/usr/sbin/NetworkManager,
   ptrace (readby) peer=/usr/sbin/NetworkManager,
   network inet dgram,
   network inet6 dgram,
+
+  network unix stream,
 }
 
 /usr/lib/connman/scripts/dhclient-script {
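Review bot: The added `signal (send) peer=dhcient,` reproduces the typo of the context line above it (`peer=/{usr/,}sbin/dhcient`): the hunk header declares the profile as `profile dhclient /{usr/,}sbin/dhclient`, so a peer label `dhcient` matches nothing and the signal will still be denied. The new line should read `signal (send) peer=dhclient,`, and the existing path form is worth correcting in the same change. The enclosing block starts before the hunk, so I cannot tell from here whether these rules sit in the main profile or in a child profile.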
diff --git a/apparmor.d/torbrowser.Browser.firefox b/apparmor.d/torbrowser.Browser.firefox
index 1d6421e7..3ec73b0f 100644
--- a/apparmor.d/torbrowser.Browser.firefox
+++ b/apparmor.d/torbrowser.Browser.firefox
@@ -10,6 +10,7 @@
   # @{HOME}/ r,
 
   #dbus,
+  network netlink raw,
   network tcp,
 
   deny /etc/host.conf r,
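Review bot: `network netlink raw,` widens a profile that elsewhere deliberately denies reads such as `/etc/host.conf` to limit what the browser learns about the host, yet the line has no comment saying which operation failed. NETLINK_ROUTE access lets a process enumerate local interfaces and addresses, so if the denial was only log noise rather than a functional breakage, `deny network netlink raw,` silences it without widening the profile; if the browser genuinely needs it, say so, e.g. `# netlink raw: needed on Linux 4.14 for <operation — confirm>`. The profile continues outside the hunk.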
diff --git a/apparmor.d/usr.bin.pulseaudio b/apparmor.d/usr.bin.pulseaudio
index 20d5bc25..2817ab55 100644
--- a/apparmor.d/usr.bin.pulseaudio
+++ b/apparmor.d/usr.bin.pulseaudio
@@ -25,6 +25,8 @@
   unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
   ptrace (read,trace) peer=@{profile_name},
 
+  network unix dgram,
+
   /usr/bin/pulseaudio mixr,
 
   /etc/pulse/ r,
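Review bot: This file already uses the fine-grained form `unix (connect, receive, send) type=stream peer=(addr=...)` two lines above, so the coarse `network unix dgram,` added here reads as inconsistent, and nothing says why the dgram side cannot be expressed the same way (the nameservice hunk's TODO suggests missing kernel support, but that is not stated in this file). A comment such as `# coarse rule until the kernel supports fine-grained unix dgram rules; TODO narrow` keeps the two forms from looking accidental. The pulseaudio profile continues outside the hunk.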
diff --git a/apparmor.d/usr.sbin.cupsd b/apparmor.d/usr.sbin.cupsd
index 053d1c1f..ca884e2d 100644
--- a/apparmor.d/usr.sbin.cupsd
+++ b/apparmor.d/usr.sbin.cupsd
@@ -47,6 +47,8 @@
   network econet dgram,
   network ash dgram,
 
+  network unix stream,
+
   /{usr/,}bin/bash ixr,
   /{usr/,}bin/dash ixr,
   /{usr/,}bin/hostname ixr,
diff --git a/apparmor.d/usr.sbin.haveged b/apparmor.d/usr.sbin.haveged
index 0e611388..ad1bee6d 100644
--- a/apparmor.d/usr.sbin.haveged
+++ b/apparmor.d/usr.sbin.haveged
@@ -7,6 +7,8 @@
   # Required for ioctl RNDADDENTROPY
   capability sys_admin,
 
+  network unix stream,
+
   owner @{PROC}/@{pid}/status r,
 
   @{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd
index 4c4a751c..e905c95c 100644
--- a/apparmor.d/usr.sbin.libvirtd
+++ b/apparmor.d/usr.sbin.libvirtd
@@ -37,9 +37,16 @@
   network packet dgram,
   network packet raw,
 
+  network netlink raw,
+  network unix dgram,
+  network unix stream,
+
   ptrace (trace) peer=unconfined,
   ptrace (trace) peer=/usr/sbin/libvirtd,
   ptrace (trace) peer=libvirt-*,
+  ptrace (trace) peer=/usr/sbin/dnsmasq,
+
+  signal (send) set=("hup") peer=/usr/sbin/dnsmasq,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
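Review bot: `ptrace (trace) peer=/usr/sbin/dnsmasq,` grants the strongest ptrace permission, while what libvirtd plausibly needs for the dnsmasq it spawns is to read its /proc entries for liveness checks, which `ptrace (read) peer=/usr/sbin/dnsmasq,` covers; the existing `(trace)` rules above it concern libvirt's own children and unconfined, so copying that form is not obviously right. If the audit entry that motivated the line showed only a read request, use `read`. The `network netlink raw,` and unix rules added here also lack a comment recording the denial; see the note on the nameservice hunk. The libvirtd profile continues outside the hunk.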
