Add profile for origami

Jamie Strandboge jamie at canonical.com
Tue Jun 8 17:17:53 BST 2010


Seth Arnold submitted[1] AppArmor profiles for origami[2][3] some time
ago (sorry for the delay Seth). I am not an origami or Folding at Home
user. The following is the Debian/Ubuntu description:

Description: command-line management tool for Folding @ Home clients
 origami allows you to install, monitor, archive or restore Folding @
 Home data on your local machine.  It also allows for central
 deployment, monitoring, archiving, restoration and updating the
 username and team data via the network to ssh-accessible machines.
 origami supports cron-based scheduling, 32bit or 64bit and network
 proxy settings.

It seems very clear from the profile that origami would benefit from an
AppArmor profile. Though I have several questions/comments:

* this looks a bit scary:
  /tmp/finstall ix,
  ...
  /tmp/sh-thd-* rw,
  /tmp/tmp* rw,

 I think I would much prefer (assuming it can be done):
  owner /tmp/finstall ix,
  ...
  owner /tmp/sh-thd-* rw,
  owner /tmp/tmp* rw,

 Same goes for /tmp file in etc.init.d.origami

* this is very general, is it possible/practical to limit this more
(granted, it is 'i', but still...):
  /bin/* rix,
  /usr/bin/* rix,
  /sbin/* rix,
  /usr/sbin/* rix,

* can you explain why all the access to passwd, shadow, group and
gshadow is needed?

* would all the pam stuff be better served by
abstractions/authentication and utmp by abstractions/wutmp?

* /proc/ should be @{PROC}/

* the writing of cron files seems to be a hole, since those are
unconfined. Is this strictly required? Should a profile
for /var/spool/cron/crontabs/origami be developed?

* are the install script and origami scripts different or the same? It
seems that installation/removal should (maybe?) be unconfined with
normal operation as confined. As I am not an origami user, this may not
be feasible.

At first I was a bit concerned by write access to /etc/rc*/*origami, but
then noticed your profile for /etc/init.d/origami is quite strict.

[1] https://bugs.launchpad.net/ubuntu/+source/origami/+bug/523028
[2] http://launchpadlibrarian.net/39294269/usr.bin.origami
[3] http://launchpadlibrarian.net/39294280/etc.init.d.origami


-- 
Jamie Strandboge             | http://www.canonical.com
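
The review points in the message above (unowned /tmp rules, broad exec globs over the bin directories, hard-coded /proc/, write access to the cron spool) can be checked mechanically. The following is an added example, not part of the original message and not the submitted origami profile: a Python check over a constructed profile fragment, with a simplified rule parser and hypothetical finding names.

```python
import re

# Constructed sample: rules quoted in the message, plus illustrative lines
# (wget, /proc/*/stat, @{PROC}/meminfo and the cron spool glob are assumptions,
# not taken from the real profile).
SAMPLE_PROFILE = """\
/usr/bin/origami {
  /tmp/finstall ix,
  owner /tmp/sh-thd-* rw,
  /tmp/tmp* rw,
  /bin/* rix,
  /usr/sbin/* rix,
  /usr/bin/wget rix,
  /proc/*/stat r,
  @{PROC}/meminfo r,
  /var/spool/cron/crontabs/* rw,
}
"""

# Simplified file rule: [audit] [owner] <path> <perms>,
# deny rules and non-file rules do not match and are skipped.
RULE = re.compile(r"^\s*(?:audit\s+)?(?P<owner>owner\s+)?"
                  r"(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+),\s*(?:#.*)?$")

def review_profile(text):
    """Return (line_no, path, finding) for each rule matching a review point."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        path, perms = m["path"], m["perms"]
        # World-writable directory: without 'owner', another user's file matches.
        if path.startswith("/tmp/") and not m["owner"]:
            findings.append((no, path, "tmp-without-owner"))
        # Whole-directory glob with any exec mode (ix, px, ux, ...).
        if re.fullmatch(r"(/usr)?/s?bin/\*+", path) and "x" in perms.lower():
            findings.append((no, path, "broad-exec-glob"))
        if path.startswith("/proc/"):
            findings.append((no, path, "use-@{PROC}"))
        # Cron jobs run unconfined, so write access here leaves the profile.
        if path.startswith("/var/spool/cron/") and "w" in perms:
            findings.append((no, path, "cron-write"))
    return findings

if __name__ == "__main__":
    for no, path, finding in review_profile(SAMPLE_PROFILE):
        print(f"line {no}: {path}: {finding}")
```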