[apparmor] openSUSE profile patches - part 2
Steve Beattie
steve at nxnw.org
Mon Aug 8 20:27:12 UTC 2011
Once again, comments inline.
On Sat, Aug 06, 2011 at 02:30:52PM +0200, Christian Boltz wrote:
> Various profile fixes/additions
> ---
> profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
> 1 file changed, 20 insertions(+), 5 deletions(-)
Acked-By: Steve Beattie <sbeattie at ubuntu.com>, though see below.
(The cupsd profile that Ubuntu ships sadly has significantly deviated
from the extras starting point. Ubuntu carries it within its cups
package, not in its apparmor packages.)
> --- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
> +++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
> @@ -16,20 +16,31 @@
> capability setuid,
>
> /bin/bash ixr,
> + /bin/cat ix,
> +
> + /usr/bin/foomatic-rip ixr,
> + /etc/foomatic/** r,
> +
> + /usr/bin/gs ix,
> + /usr/lib/ghostscript/** m,
> + /usr/lib64/ghostscript/** m,
> + /usr/share/ghostscript/** r,
> + /etc/ghostscript/** r,
> +
> /dev/lp0 rw,
> /dev/tty rw,
> /dev/ttyS? w,
> /etc/cups rw,
> /etc/cups/ r,
> - /etc/cups/* r,
> + /etc/cups/** r,
> /etc/cups/certs w,
> /etc/cups/certs/* w,
> - /etc/cups/classes.conf rw,
> - /etc/cups/cupsd.conf rw,
> + /etc/cups/*.conf* rw,
> /etc/cups/ppd rw,
> + /etc/printcap rw,
> /etc/cups/printcap rw,
> - /etc/cups/printers.conf rw,
> /etc/cups/ssl rw,
> + /etc/cups/yes/* rw,
> /etc/hosts.allow r,
> /etc/hosts.deny r,
> /proc/meminfo r,
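Review bot: `/usr/bin/gs ix,` (and `/usr/bin/foomatic-rip ixr,`) runs Ghostscript inside the cupsd profile itself, so a filter parsing untrusted PostScript from a print job inherits everything cupsd has, including `capability setuid,` a few lines above and write access via `/etc/cups/*.conf* rw,`. A child profile (`/usr/bin/gs Cx,` with a named subprofile) or a separate `Px` profile that grants gs only its libraries, fonts and the spool would contain a filter compromise instead of extending it to cupsd's configuration; the existing `/usr/lib/cups/filter/* ixr,` has the same shape, so if this is a deliberate tradeoff it deserves a comment saying so. Separately, `/etc/cups/yes/* rw,` does not look like a real CUPS directory and presumably papers over a misconfigured Printcap value; if so, a one-line comment such as `# workaround: cupsd creates /etc/cups/yes/ when Printcap is set to 'yes'` would stop the next maintainer from deleting it or, worse, generalising it.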
> @@ -39,11 +50,15 @@
> /usr/bin/smbspool ixr,
> /usr/lib/cups/backend/* ixr,
> /usr/lib/cups/filter/* ixr,
> - /usr/sbin/cupsd mr,
> + /usr/sbin/cupsd mixr,
> /usr/share/cups/** r,
> /var/log/cups/access_log rw,
> /var/log/cups/error_log rw,
> /var/spool/cups rw,
> + /var/spool/cups/** rw,
> /var/spool/cups/tmp w,
> /var/spool/cups/tmp/ r,
> + /var/run/cups/** rw,
The above likely needs to be:
/{,var/}run/cups/ rw,
/{,var/}run/cups/** rw,
> + /var/cache/cups/ rw,
> + /var/cache/cups/** rw,
> }
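Review bot: `/var/spool/cups/** rw,` already covers the two narrower rules that follow it, `/var/spool/cups/tmp w,` and `/var/spool/cups/tmp/ r,` (`**` matches the `tmp/` directory entry as well as its contents), so those two lines are now dead and should be dropped rather than left as misleading duplicates. The widening from `mr` to `mixr` on `/usr/sbin/cupsd` lets cupsd re-exec itself under the same profile, which is fine, but it is worth a short comment so it is not mistaken for a typo when someone next tightens the profile.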
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: profiles: update dhclient
> References: bnc#561152
>
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Acked-By: Steve Beattie <sbeattie at ubuntu.com>
> profiles/apparmor/profiles/extras/sbin.dhclient | 61 +++++++++++------
> profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
> 2 files changed, 61 insertions(+), 21 deletions(-)
>
> --- a/profiles/apparmor/profiles/extras/sbin.dhclient
> +++ b/profiles/apparmor/profiles/extras/sbin.dhclient
> @@ -11,12 +11,12 @@
> # raw sockets, and thus cannot be confined with NetDomain
> #
> # Should these programs have their own domains?
> -# /bin/ps mixr,
> -# /sbin/arp rmix,
> -# /usr/bin/dig rmix,
> -# /usr/bin/uptime rmix,
> -# /usr/bin/vmstat rmix,
> -# /usr/bin/w rmix,
> +# /bin/ps mrix,
> +# /sbin/arp mrix,
> +# /usr/bin/dig mrix,
> +# /usr/bin/uptime mrix,
> +# /usr/bin/vmstat mrix,
> +# /usr/bin/w mrix,
>
> #include <tunables/global>
>
> @@ -24,25 +24,30 @@
> #include <abstractions/base>
> #include <abstractions/bash>
> #include <abstractions/nameservice>
> - /sbin/dhclient rmix,
> - /sbin/dhclient-script rmix,
> - /bin/bash rmix,
> - /bin/df rmix,
> +
> + network packet packet,
> + network packet raw,
> +
> + /sbin/dhclient mrix,
> +
> + /sbin/dhclient-script mrix,
> + /bin/bash mrix,
> + /bin/df mrix,
> /bin/netstat Px,
> - /bin/ps mixr,
> + /bin/ps mrix,
> /dev/random r,
> /etc/dhclient.conf r,
> - @{PROC}/ r,
> - @{PROC}/interrupts r,
> - @{PROC}/net/dev r,
> - @{PROC}/rtc r,
> + @{PROC}/ r,
> + @{PROC}/interrupts r,
> + @{PROC}/*/net/dev r,
> + @{PROC}/rtc r,
> # following rule shouldn't work, self is a symlink
> - @{PROC}/self/status r,
> - /sbin/arp rmix,
> - /usr/bin/dig rmix,
> - /usr/bin/uptime rmix,
> - /usr/bin/vmstat rmix,
> - /usr/bin/w rmix,
> + @{PROC}/self/status r,
> + /sbin/arp mrix,
> + /usr/bin/dig mrix,
> + /usr/bin/uptime mrix,
> + /usr/bin/vmstat mrix,
> + /usr/bin/w mrix,
> /var/lib/dhcp/dhclient.leases rw,
> /var/lib/dhcp/dhclient-*.leases rw,
> /var/log/lastlog r,
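Review bot: `@{PROC}/self/status r,` is kept verbatim under the comment that says it cannot work because `self` is a symlink, while the same problem was fixed for the neighbouring rule by switching to `@{PROC}/*/net/dev r,`. Apply the same fix here, `@{PROC}/[0-9]*/status r,`, and narrow the new net/dev rule to `@{PROC}/[0-9]*/net/dev r,` so both follow the pid-glob convention the sshd profile in this series uses; the stale comment then goes away too. Note that either form grants reads of every process's status/net entries, not just dhclient's own, which is acceptable for these files but should not be copied for more sensitive /proc entries.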
> @@ -52,4 +57,18 @@
> /var/run/dhclient-*.pid rw,
> /var/spool r,
> /var/spool/mail r,
> +
> + # This one will need to be fleshed out depending on what the user is doing
> + /sbin/dhclient-script mrpx,
> +
> + /bin/grep mrix,
> + /bin/sleep mrix,
> + /etc/sysconfig/network/dhcp r,
> + /etc/sysconfig/network/scripts/functions.common r,
> + /etc/sysconfig/network/scripts/functions r,
> + /sbin/ip mrix,
> + /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
> + /var/lib/dhcp/* rw,
> + /var/run/nm-dhclient-*.conf r,
> +
> }
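Review bot: `/sbin/dhclient-script mrpx,` conflicts with `/sbin/dhclient-script mrix,` added in the previous hunk of this same profile: a path can carry only one exec transition, and apparmor_parser refuses to load a profile whose merged rules carry both `ix` and `px` for the same path. Since this series also introduces a standalone `/sbin/dhclient-script` profile, `px` is clearly the intended transition; drop the `mrix` line and keep `/sbin/dhclient-script mrpx,`. `/var/lib/dhcp/* rw,` also subsumes the two `/var/lib/dhcp/dhclient*.leases rw,` rules earlier in the profile, which can be removed at the same time.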
> --- /dev/null
> +++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
> @@ -0,0 +1,21 @@
> +# Last Modified: Tue Jan 25 16:48:30 2011
> +#include <tunables/global>
> +
> +# dhclient-script will call plugins from /etc/netconfig.d, so this
> +# will need to be extended on a per-site basis.
> +
> +/sbin/dhclient-script {
> + #include <abstractions/base>
> + #include <abstractions/bash>
> + #include <abstractions/consoles>
> +
> + /bin/bash rix,
> + /bin/grep rix,
> + /bin/sleep rix,
> + /bin/touch rix,
> + /dev/.sysconfig/network/** r,
> + /etc/netconfig.d/* mrix,
> + /etc/sysconfig/network/** r,
> + /sbin/dhclient-script r,
> + /sbin/ip rix,
> +}
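Review bot: The new dhclient-script profile grants no capabilities and no write access anywhere, yet it executes `/sbin/ip rix,` and `/bin/touch rix,`: applying an address or route with ip needs CAP_NET_ADMIN and touch needs a writable target, so in enforce mode the script will fail at exactly the point a lease is applied. Add `capability net_admin,` plus the write rules the script needs; the netconfig plugins run inherited via `/etc/netconfig.d/* mrix,`, so their targets (presumably `/etc/resolv.conf` and state under /var/run) land in this profile as well, and the exact set should be confirmed with aa-logprof on a real lease renewal rather than guessed. The `# Last Modified:` line is aa-logprof's stamp and is better replaced by a one-line purpose comment for the profile.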
> profile fixes/additions
>
> updated to match master by
> Christian Boltz <apparmor at cboltz.de>
> ---
> profiles/apparmor.d/sbin.syslog-ng | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> --- a/profiles/apparmor.d/sbin.syslog-ng
> +++ b/profiles/apparmor.d/sbin.syslog-ng
> @@ -19,12 +19,14 @@
> #include <abstractions/base>
> #include <abstractions/consoles>
> #include <abstractions/nameservice>
> + #include <abstractions/mysql>
>
> capability chown,
> capability dac_override,
> capability fsetid,
> capability fowner,
> capability sys_tty_config,
> + capability sys_resource,
>
> /dev/log w,
> /dev/syslog w,
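Review bot: `capability sys_resource,` is added without a reason, and unlike the file rules it is not self-evident what syslog-ng uses it for; presumably it raises RLIMIT_NOFILE at startup so that many destinations can be open at once. A why-comment such as `# sys_resource: syslog-ng raises RLIMIT_NOFILE at startup (confirm from audit log)` would keep the next reviewer from having to rediscover that, and the same applies to `#include <abstractions/mysql>`, which presumably serves the sql() destination but now grants MySQL client-config reads to every installation whether or not it logs to a database.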
> @@ -35,11 +37,14 @@
> /etc/hosts.deny r,
> /etc/hosts.allow r,
> /sbin/syslog-ng mr,
> + /usr/share/syslog-ng/** r,
> # chrooted applications
> @{CHROOT_BASE}/var/lib/*/dev/log w,
> - @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
> + @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
> @{CHROOT_BASE}/var/log/** w,
> @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
> + @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
Again, s|var/|{,var/}| is probably needed. Otherwise, ACK.
> + /var/run/syslog-ng/additional-log-sockets.conf r,
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/sbin.syslog-ng>
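Review bot: `/var/run/syslog-ng/additional-log-sockets.conf r,` hard-codes `/var/run` just like the `.ctl` rule two lines above it, and additionally lacks the `@{CHROOT_BASE}` prefix every other runtime-state rule in this block carries, so it will not match on a system where /run is the real directory or where syslog-ng runs chrooted. Write it as `@{CHROOT_BASE}/{,var/}run/syslog-ng/additional-log-sockets.conf r,` to match the surrounding rules.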
>
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: Fix for sshd profile
> References: bnc#457072
>
> Without this patch, sshd won't work in enforce mode.
>
> libselinux accesses /proc/filesystems to determine if it's enabled
> bash won't execute
> audit_control is probably from libselinux too
> ---
> profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> --- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
> +++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
> @@ -29,6 +29,8 @@
> capability kill,
> capability setgid,
> capability setuid,
> + capability audit_control,
I really, really dislike allowing audit_control. Basically, a confined
process with it can turn off audit logging by auditd/the audit
subsystem or manipulate it in such a way as to hide audit events. Does
sshd really fail to start if audit_control is disallowed? I'd honestly
rather see a deny rule here.
> + capability sys_ptrace,
>
> /dev/ptmx rw,
> /dev/urandom r,
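Review bot: `capability sys_ptrace,` is added with no mention in the commit message, which explains only `/proc/filesystems`, bash and `audit_control`. CAP_SYS_PTRACE lets a confined sshd read or trace any process on the host, far more than a login daemon should need; the likely trigger is the existing `@{PROC}/[0-9]*/fd/ r,` rule, since reading another process's fd directory goes through the ptrace access check, and if so it is worth checking the audit log for which access actually fails before granting the whole capability. At minimum it needs a why-comment with the concrete reason, e.g. `# sys_ptrace: <reason from audit log> (bnc#457072)`, so it is not silently inherited by the next profile update.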
> @@ -43,11 +45,12 @@
>
> @{PROC}/[0-9]*/fd/ r,
> @{PROC}/[0-9]*/loginuid w,
> + @{PROC}/filesystems r,
>
> # should only be here for use in non-change-hat openssh
> # duplicated from EXEC hat
> /bin/ash Ux,
> - /bin/bash Ux,
> + /bin/bash rUx,
I suspect the other shells need 'r' access as well.
> /bin/bash2 Ux,
> /bin/bsh Ux,
> /bin/csh Ux,
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: dnsmasq: Profile fixes
> References: bnc#666090 bnc#678749
>
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
>
> Updated to match master by
> Christian Boltz <apparmor at cboltz.de>
> ---
> profiles/apparmor.d/usr.sbin.dnsmasq | 4 ++++
> 1 file changed, 4 insertions(+)
>
> --- a/profiles/apparmor.d/usr.sbin.dnsmasq
> +++ b/profiles/apparmor.d/usr.sbin.dnsmasq
> @@ -25,10 +25,12 @@
> /etc/dnsmasq.conf r,
> /etc/dnsmasq.d/ r,
> /etc/dnsmasq.d/* r,
> + /etc/ethers r,
>
> /usr/sbin/dnsmasq mr,
>
> /{,var/}run/*dnsmasq*.pid w,
> + /var/run/dnsmasq-forwarders r,
Again, s|var/|{,var/}|.
> /{,var/}run/dnsmasq/ r,
> /{,var/}run/dnsmasq/* rw,
>
> @@ -40,6 +42,8 @@
> # libvirt pid files for dnsmasq
> /{,var/}run/libvirt/network/ r,
> /{,var/}run/libvirt/network/*.pid rw,
> + /var/lib/libvirt/dnsmasq/ r,
> + /var/lib/libvirt/dnsmasq/*.hostsfile r,
I think this is okay, but I'm not that knowledgeable about the
interaction between dnsmasq and libvirt.
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.sbin.dnsmasq>
Thanks!
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/