[apparmor] [patch] /var/log/lastlog k permission (wutmp-v-l-lastlog-k.diff)
Christian Boltz
apparmor at cboltz.de
Tue Aug 16 11:07:37 UTC 2011
Hello folks,
On Tuesday, 16 August 2011, Steve Beattie wrote:
> On Sat, Aug 13, 2011 at 11:27:42PM +0200, Christian Boltz wrote:
> > The k permission should be merged into abstractions/wutmp IMHO.
> Yes, please. Acked-By: Steve Beattie <sbeattie at ubuntu.com>
>
> Also, as a followup, you may wish to convert the useradd and userdel
> profiles to using the wutmp abstraction.
Not only those. Grep says there are some other candidates ;-)
a) obvious changes
./apparmor.d/usr.lib.dovecot.dovecot-auth: #include <abstractions/wutmp>
./apparmor.d/usr.lib.dovecot.dovecot-auth: /{,var/}run/utmp k,
k permission can be removed from dovecot-auth since it's in the wutmp
abstraction now
b) rw usage of at least one of the files listed in abstractions/wutmp
Note that switching to abstractions/wutmp will add some permissions
to those profiles (the abstraction contains 3 files, the profiles
listed below only one or two of them).
./apparmor/profiles/extras/usr.sbin.useradd: /var/log/lastlog rw,
./apparmor/profiles/extras/usr.sbin.useradd: /{,var/}run/utmp rw,
./apparmor/profiles/extras/usr.sbin.userdel: /var/log/lastlog rw,
./apparmor/profiles/extras/usr.sbin.userdel: /{,var/}run/utmp rw,
./apparmor/profiles/extras/usr.sbin.sendmail.sendmail: /{,var/}run/utmp rw,
./apparmor/profiles/extras/usr.sbin.sendmail: /{,var/}run/utmp rw,
./apparmor.d/sbin.syslogd: /{,var/}run/utmp rw,
c) read-only usage of wutmp files
Here the wutmp abstraction would add even more permissions.
./apparmor/profiles/extras/usr.sbin.in.fingerd: /var/log/lastlog r,
./apparmor/profiles/extras/usr.sbin.in.fingerd: /{,var/}run/utmp r,
./apparmor/profiles/extras/usr.sbin.in.ntalkd: /{,var/}run/utmp r,
./apparmor/profiles/extras/sbin.dhclient: /var/log/lastlog r,
./apparmor/profiles/extras/sbin.dhclient: /var/log/wtmp r,
./apparmor.d/abstractions/ubuntu-konsole: /{,var/}run/utmp r,
./apparmor.d/abstractions/ubuntu-xterm: /{,var/}run/utmp r,
./apparmor.d/apache2.d/phpsysinfo: /{,var/}run/utmp rk,
Which of these profiles should be changed to use abstractions/wutmp?
Regards,
Christian Boltz
--
> [Strings in C] That would only allow statements about glibc.
Aha, so that is not authoritative enough for you. Now I finally know
your real problem: the Pope has to bless the 0 at the end ;-)
[> Thorsten Haude and Jan Trippler on suse-linux]
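As an added example (not part of Christian's mail or of the AppArmor project code), a small script that performs the check behind points (b) and (c): it compares a profile's own rules for the wutmp files against the abstraction and reports which permissions switching to `#include <abstractions/wutmp>` would add. The abstraction contents below are a constructed approximation based on the three files named in the mail, not a copy from the repository.

```python
# Added example: estimate what a profile gains when its own rules for the
# wutmp files are replaced by '#include <abstractions/wutmp>'.
# WUTMP_ABSTRACTION is a constructed approximation, not the repository file.
import re

RULE_RE = re.compile(r"^\s*(/\S+)\s+([rwklmix]+)\s*,\s*$")
# Constructed: the three files the mail says the abstraction covers.
WUTMP_ABSTRACTION = """
  /var/log/lastlog rwk,
  /var/log/wtmp wk,
  /{,var/}run/utmp rwk,
"""

def expand_braces(path):
    """Expand AppArmor {a,b} alternation into the set of concrete paths."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return {path}
    out = set()
    for alt in m.group(1).split(","):
        out |= expand_braces(path[:m.start()] + alt + path[m.end():])
    return out

def parse_rules(text):
    """Map each concrete path to the set of permission letters granted."""
    grants = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        for p in expand_braces(m.group(1)):
            grants.setdefault(p, set()).update(m.group(2))
    return grants

def added_permissions(profile_text, abstraction_text=WUTMP_ABSTRACTION):
    """Return {path: letters} for permissions the abstraction would add."""
    have = parse_rules(profile_text)
    want = parse_rules(abstraction_text)
    added = {}
    for path, perms in want.items():
        extra = perms - have.get(path, set())
        if extra:
            added[path] = "".join(sorted(extra))
    return added

if __name__ == "__main__":
    # Constructed fragment modelled on the usr.sbin.in.fingerd rules above.
    fingerd = "  /var/log/lastlog r,\n  /{,var/}run/utmp r,\n"
    for path, extra in sorted(added_permissions(fingerd).items()):
        print(f"{path}: +{extra}")
```

For the read-only fingerd rules this reports write and lock access on all three files, which is exactly the extra privilege the mail warns about for case (c).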