[apparmor] [patch] openSUSE profile patches - part 1
Steve Beattie
steve at nxnw.org
Mon Aug 8 19:20:19 UTC 2011
On Sat, Aug 06, 2011 at 01:46:28PM +0200, Christian Boltz wrote:
> the openSUSE apparmor package contains several profile patches.
> Jeff asked me to get them upstream ;-)
Thanks. At one point I reviewed and incorporated some of the patches
that openSUSE is carrying, but I neglected to send feedback on why I
didn't incorporate the ones I didn't take; sorry about that.
Comments inline.
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: apparmor-profiles: Add support for eDirectory calls from nscd
> References: bnc#621394
>
> eDirectory hooks into nscd and provides its own libraries. In order for
> this to operate properly with AppArmor, it needs to be told about these
> libraries.
Are these libraries used by anything besides nscd, e.g. by applications
directly when nscd is not running? If not, I'd rather see them go into
the nscd profile instead of abstractions/nameservice, since it's
included in almost every profile.
> This patch adds a new abstract profile and includes it in the nameservice
> profile.
>
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
> ---
> profiles/apparmor.d/abstractions/nameservice | 3 +++
> profiles/apparmor.d/abstractions/novell-edirectory | 13 +++++++++++++
> 2 files changed, 16 insertions(+)
>
> --- a/profiles/apparmor.d/abstractions/nameservice
> +++ b/profiles/apparmor.d/abstractions/nameservice
> @@ -72,6 +72,9 @@
> # kerberos
> #include <abstractions/kerberosclient>
>
> + # Novell eDirectory
> + #include <abstractions/novell-edirectory>
> +
> # TCP/UDP network access
> network inet stream,
> network inet6 stream,
> --- /dev/null
> +++ b/profiles/apparmor.d/abstractions/novell-edirectory
> @@ -0,0 +1,13 @@
> +# $Id$
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2010 Novell/SUSE
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> + /opt/novell/eDirectory/lib/lib*so* r,
> + /opt/novell/eDirectory/lib64/lib*so* r,
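Review bot: the glob `lib*so*` on both rules is looser than the intent of "shared libraries": since `*` matches any run of non-`/` characters, it also covers names such as `libsomething.txt` that merely contain `so`. `lib*.so*` matches the usual `libfoo.so` and `libfoo.so.1.2` forms and nothing else, and it would be worth using in both the `lib` and `lib64` rules.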
Also, shouldn't these be 'mr'? Surely if they're shared libraries,
they'll be mmap(PROT_EXEC)'d, no?
> ---
> profiles/apparmor.d/abstractions/ldapclient | 21 +++++++++++++++++++++
> profiles/apparmor.d/abstractions/nameservice | 8 +++-----
> 2 files changed, 24 insertions(+), 5 deletions(-)
>
> --- /dev/null
> +++ b/profiles/apparmor.d/abstractions/ldapclient
> @@ -0,0 +1,21 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2011 Novell/SUSE
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> + # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
> + /etc/ldap.conf r,
> + /etc/ldap.secret r,
> + /etc/openldap/* r,
> + /etc/openldap/cacerts/* r,
> +
> + # SASL plugins and config
> + /etc/sasl2/* r,
> + /usr/lib{,32,64}/sasl2/* r,
Again, should the plugins have 'mr' permission? And perhaps tighten it
to 'lib*so*'? Or are there sasl modules that don't match that pattern?
Should we have a sasl abstraction?
Otherwise, I like this patch.
> + #include <abstractions/ssl_certs>
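Review bot: `/etc/ldap.secret r,` deserves a second look while it is being moved: that file holds the nss_ldap/pam_ldap rootbinddn password, and because `nameservice` includes `ldapclient`, every profile that includes `nameservice` (almost all of them) can read it. The rule was already in `nameservice` (it is removed from there in the next hunk), so this patch does not widen access, but a dedicated abstraction is the right place to either document why the secret must be readable that broadly or to leave it to the few profiles that really bind as root.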
> --- a/profiles/apparmor.d/abstractions/nameservice
> +++ b/profiles/apparmor.d/abstractions/nameservice
> @@ -16,8 +16,6 @@
> /etc/group r,
> /etc/host.conf r,
> /etc/hosts r,
> - /etc/ldap.conf r,
> - /etc/ldap.secret r,
> /etc/nsswitch.conf r,
> /etc/gai.conf r,
> /etc/passwd r,
> @@ -32,9 +30,6 @@
>
> /etc/samba/lmhosts r,
> /etc/services r,
> - # all openldap config
> - /etc/openldap/* r,
> - /etc/ldap/** r,
> # db backend
> /var/lib/misc/*.db r,
> # The Name Service Cache Daemon can cache lookups, sometimes leading
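Review bot: `/etc/ldap/** r,` is dropped here but nothing in the new `ldapclient` abstraction replaces it; that abstraction only adds `/etc/openldap/*` and `/etc/openldap/cacerts/*`. On Debian and Ubuntu the OpenLDAP client configuration lives under `/etc/ldap/` (e.g. `/etc/ldap/ldap.conf`), so confined LDAP clients there would lose access after this patch. Carry the rule over into `abstractions/ldapclient`, e.g. `/etc/ldap/** r,` next to the `/etc/openldap/*` line.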
> @@ -60,6 +55,9 @@
> # nis
> #include <abstractions/nis>
>
> + # ldap
> + #include <abstractions/ldapclient>
> +
> # winbind
> #include <abstractions/winbind>
>
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: profile: ntpd -N needs sys_nice
> References: bnc#657054
>
> ntpd -N allows the administrator to increase or decrease priority of the
> ntp server. Since the profile doesn't allow it, the operation is denied.
>
> This patch adds support for that operation.
>
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Acked-By: Steve Beattie <sbeattie at ubuntu.com>
> ---
> profiles/apparmor.d/usr.sbin.ntpd | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/profiles/apparmor.d/usr.sbin.ntpd
> +++ b/profiles/apparmor.d/usr.sbin.ntpd
> @@ -24,6 +24,7 @@
> capability sys_chroot,
> capability sys_resource,
> capability sys_time,
> + capability sys_nice,
>
> network inet dgram,
> network inet stream,
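Review bot: the capability list in this profile is kept in alphabetical order (`sys_chroot`, `sys_resource`, `sys_time`), so `capability sys_nice,` belongs between `capability sys_chroot,` and `capability sys_resource,` rather than after `sys_time`. Purely a style point; the rule itself is what `ntpd -N` needs.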
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: profiles: Add openssl abstraction
> References: bnc#623886
>
> Profiles that use openssl have been adding the openssl files piecemeal.
>
> This patch creates a new openssl abstraction that can be inherited by
> all profiles that use it.
>
>
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Acked-By: Steve Beattie <sbeattie at ubuntu.com>
(though a copyright header for the added abstraction, similar to the
other abstractions, would be appreciated.)
>
> Patch for
> - profiles/apparmor.d/abstractions/ssl_certs
> - profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork (second chunk)
> updated by Christian Boltz <apparmor at cboltz.de>
> (didn't apply to trunk)
>
> ---
> profiles/apparmor.d/abstractions/openssl | 4 ++++
> profiles/apparmor.d/abstractions/ssl_certs | 4 ++++
> profiles/apparmor/profiles/extras/usr.lib.postfix.smtp | 2 +-
> profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd | 2 +-
> profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork | 2 +-
> profiles/apparmor/profiles/extras/usr.sbin.imapd | 2 +-
> profiles/apparmor/profiles/extras/usr.sbin.ipop2d | 2 +-
> profiles/apparmor/profiles/extras/usr.sbin.ipop3d | 2 +-
> 8 files changed, 14 insertions(+), 6 deletions(-)
[SNIP]
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: dhcpd: Fix apparmor profile
> References: bnc#692428
>
> This patch adds the network rules needed, corrects the path to dhcpd.leases,
> and adds the path for TSIG DNS keys.
>
> Reported-by: Andrew Beames <suseforum at roocomputing.co.uk>
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
>
> updated to match trunk by
> Christian Boltz <apparmor at cboltz.de>
>
> Question:
> - /var/lib/dhcp/dhcpd.leases* rwl,
> + /var/lib/dhcp/db/dhcpd.leases* rwl,
>
> Should I use {,db/} for backward compatibility? Or was the path wrong
> from the beginning? (On openSUSE 11.4, the path with .../db/... is
> correct, and I don't have dhcpd running on an older system.)
On the current Ubuntu development release, isc-dhcp-server looks to
use /var/lib/dhcp/dhcpd.leases*, so I'd use the backwards compatible
option. Also note that on older Ubuntu releases, the dhcpd.leases*
files live in /var/lib/dhcp3/.
Otherwise, this is fine.
> --- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd 2011-07-14 12:57:57 +0000
> +++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd 2011-08-06 11:24:38 +0000
> @@ -21,12 +21,17 @@
> capability setuid,
> capability sys_chroot,
>
> + network inet raw,
> + network packet raw,
> +
> /db/dhcpd.leases* lrw,
> /etc/dhcpd.conf r,
> + /etc/named.d/* r,
> /etc/hosts.allow r,
> /etc/hosts.deny r,
> + @{PROC}/net/dev r,
> /usr/sbin/dhcpd rmix,
> - /var/lib/dhcp/dhcpd.leases* rwl,
> + /var/lib/dhcp/db/dhcpd.leases* rwl,
> /var/lib/dhcp/etc/dhcpd.conf r,
> /{,var/}run/dhcpd.pid wl,
> }
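Review bot: `/etc/named.d/* r,` grants read access to every file in the named configuration directory, which includes every TSIG key file there, not just the key dhcpd uses for its dynamic updates; if the key file has a fixed name in the openSUSE packaging, naming it explicitly would keep the profile from exposing unrelated zone keys. On the leases path, the `{,db/}` alternation discussed above is the way to keep both layouts working, and while touching that line it would be tidy to use the same permission spelling as the `/db/dhcpd.leases* lrw,` rule two lines up (the order of `rwl` does not matter to the parser, but consistency helps reviewers).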
>
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
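Two practical questions run through the review above: whether rules for shared libraries need `m` in addition to `r`, and whether a path alternation such as `/var/lib/dhcp/{,db/}dhcpd.leases*` really covers both layouts. The following Python linter is an added example for this page, not code from the AppArmor project or from anyone in this thread. It parses file rules from a constructed sample built from the rule lines quoted in the patches, flags library-looking paths that lack `m` (the heuristic for "looks like a library" is an assumption of this example), and translates AppArmor globs (`*`, `**`, `?`, `{a,b}`, plus the `@{PROC}` variable, assumed here to expand to `/proc` as in `tunables/global`) into regexes so concrete paths can be checked. For an authoritative answer, `apparmor_parser` remains the reference; this is a quick desk check.

```python
"""Desk-check AppArmor file rules: glob coverage and missing 'm' on shared libraries.

Added example (not AppArmor project code). The sample rules below are a constructed
profile fragment assembled from rule lines quoted in the patches on this page.
"""
import re

# Constructed sample built from the patch hunks above; the surrounding profile is assumed.
SAMPLE_RULES = """
  # Novell eDirectory libraries (as in the novell-edirectory abstraction)
  /opt/novell/eDirectory/lib/lib*so* r,
  /opt/novell/eDirectory/lib64/lib*so* r,
  # SASL plugins (as in the ldapclient abstraction)
  /usr/lib{,32,64}/sasl2/* r,
  # leases, with the backward-compatible alternation suggested in the review
  /var/lib/dhcp/{,db/}dhcpd.leases* rwl,
  /usr/sbin/dhcpd rmix,
  capability sys_nice,
  network inet raw,
"""

# Assumption: only the default @{PROC} variable is known to this checker.
DEFAULT_VARS = {"PROC": "/proc"}

# A file rule is "<path-glob> <perms>," ; capability/network/include lines do not match.
FILE_RULE = re.compile(r"^\s*(/\S*|@\{\w+\}\S*)\s+([a-zA-Z]+)\s*,\s*$")

# Heuristic (assumption): a path under /lib or /usr/lib*, or one naming a .so, is a library.
SHARED_LIB = re.compile(r"^(/usr)?/lib|so\*?$|\.so")


def parse_file_rules(text):
    """Return a list of (path_glob, perms) for every file rule in a profile fragment."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = FILE_RULE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def expand_variables(glob, variables=None):
    """Replace @{NAME} with its value; unknown variables are left untouched."""
    variables = DEFAULT_VARS if variables is None else variables
    return re.sub(r"@\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), glob)


def glob_to_regex(glob, variables=None):
    """Translate an AppArmor path glob into an anchored Python regex.

    Covers the subset used on this page: '*' (anything but '/'), '**' (anything,
    including '/'), '?' (one non-'/' char) and '{a,b}' alternation. A literal ','
    outside braces is not handled (it would become an alternation separator).
    """
    glob = expand_variables(glob, variables)
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
        elif c == ",":
            out.append("|")
        elif c == "}":
            out.append(")")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def rule_matches(glob, path, variables=None):
    """True if the concrete path is covered by the rule's glob."""
    return re.match(glob_to_regex(glob, variables), path) is not None


def missing_mmap_exec(rules):
    """Globs that look like shared libraries but grant no 'm' (PROT_EXEC mapping)."""
    return [glob for glob, perms in rules if SHARED_LIB.search(glob) and "m" not in perms]


if __name__ == "__main__":
    parsed = parse_file_rules(SAMPLE_RULES)
    for glob in missing_mmap_exec(parsed):
        print("library rule without 'm':", glob)
    leases = "/var/lib/dhcp/{,db/}dhcpd.leases*"
    for candidate in ("/var/lib/dhcp/dhcpd.leases", "/var/lib/dhcp/db/dhcpd.leases~"):
        print(candidate, "covered" if rule_matches(leases, candidate) else "NOT covered")
```

Run it as a script to see the report for the sample, or import it and point `parse_file_rules` at a real profile fragment. The `m` check is deliberately a heuristic on the path text; the definitive test is still an audit log showing `denied_mask="m"` when the confined program loads the library.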