Any advice/comment from the security team on this please?

** Description changed:

  Currently debian/apparmor-profile defines:
  
  /var/tmp/** rw,
  
  This is quite wide. Can we narrow it down? There are a couple of
  alternative opportunities here:
  
  1) Remove that line, and define instead more specific path rules, such
  as "/var/tmp/krb5_*.rcache2 rwk" that we recently added. A risk here is
  that it's difficult for us to determine and track the necessary paths,
  since some may be related to functionality that we don't have dep8 test
  coverage for.
  
  2) Retain that line, add a "k", move slapd to a native systemd service
  and use PrivateTmp=yes.
  
  A third opportunity, independent of the above, is to move the rules to
  an abstraction that any sasl+gssapi+krb5 -using service could include.
+ 
+ This discussion came up in
+ https://code.launchpad.net/~racb/ubuntu/+source/openldap/+git/openldap/+merge/396853,
+ but we focused on fixing only the immediate issue there, leaving this
+ bug open for another time.

** Merge proposal linked:
   https://code.launchpad.net/~racb/ubuntu/+source/openldap/+git/openldap/+merge/396853
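As an added illustration of options 1 and 3 above (not code from the openldap package or the merge proposal), the replay-cache rule moved into a shared abstraction and the slapd profile made to include it instead of granting all of /var/tmp; the abstraction name krb5-rcache, the profile file name and the `owner` qualifier are assumptions:

```apparmor
# /etc/apparmor.d/abstractions/krb5-rcache   (hypothetical abstraction name)
# Replay-cache access needed by any SASL/GSSAPI/Kerberos-using service.
# "k" is required because libkrb5 takes a file lock on the replay cache;
# "owner" limits the match to files owned by the confined process's uid
# (an added tightening; drop it if the cache is shared with another user).
  owner /var/tmp/krb5_*.rcache2 rwk,

# In the slapd profile (debian/apparmor-profile), replace the wide rule
#   /var/tmp/** rw,
# with the include below, so slapd can no longer read or write every
# file under /var/tmp, only its own replay cache:
  #include <abstractions/krb5-rcache>
```

For option 2, a systemd drop-in with `PrivateTmp=yes` under `[Service]` gives slapd a private /var/tmp, so even a retained `/var/tmp/** rwk,` rule then covers only that private directory rather than the shared one.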

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1913306

Title:
  slapd Apparmor profile allows /tmp widely

Status in openldap package in Ubuntu:
  Triaged


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1913306/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
