[apparmor] Some profiles
"Артём Н."
artiom14 at yandex.ru
Tue Mar 12 14:47:09 UTC 2013
12.03.2013 03:07, Seth Arnold wrote:
> Probably easiest long-term is to file merge requests (like this one
> https://code.launchpad.net/~sdeziel/apparmor-profiles/fix-for-lp1133409/+merge/150605
> though I'll admit using these tools is new for me...)
>
>> And I have some questions, for example: can I allow access to the file, if I
>> deny it earlier?
>
> What do you mean? If you use the 'deny' keyword, it takes precedence
> over the allowed permissions. (It's a cheap-o way to let users write ..
> less than optimal policies such as for Firefox while still protecting
> e.g. ~/.ssh/ or ~/.gnupg/.)
I understand it now.
But I want to deny access to the directory and allow access for some files in it.
For example, I want to deny access for browsers on @{HOME}/.*, but default
profiles, which I included, contain rights to it...
I want to redefine rights without modifying default profiles.
>
>> DNSCrypt:
>> # Last Modified: Fri Mar 8 15:24:34 2013
>> #include <tunables/global>
>>
>> /usr/sbin/dnscrypt-proxy {
>> #include <abstractions/base>
>>
>> capability sys_resource,
>> capability dac_override,
>> capability setgid,
>> capability setuid,
>> capability sys_chroot,
>> capability net_bind_service,
>> capability net_admin,
>> network inet udp,
>>
>> /etc/nsswitch.conf r,
>> /etc/passwd r,
>> /usr/sbin/dnscrypt-proxy mr,
>> /var/lib/dnscrypt rwk,
>>
>>
>> }
> Untested, not looked into how to test...
I tested it. It works. :-)
If you want to test dnscrypt, you could download a simple script from the dnscrypt Git
repository, and create a deb package.
>> Fix for the usr/sbin/unbound:
>> /{,var/}run/unbound.pid rw,
>> + /run/unbound.pid rw,
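Review bot: the added `/run/unbound.pid rw,` line duplicates the rule directly above it, because the `{,var/}` alternation in `/{,var/}run/unbound.pid rw,` already covers both `/run/unbound.pid` and `/var/run/unbound.pid`. Suggest dropping the `+` line and keeping the single alternation rule.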
> That's odd; the first should actually match the second. Can you
> reproduce this problem?
It's my error (I downloaded some old profiles with /var/run for pid files), not
a problem.
Correction isn't necessary.
>> My profile for the firefox, I think it works correctly (now it includes some
>> trash):
>> ...
> These are a bit difficult to grasp; the permissions you removed by
> commenting out abstractions is easy enough to understand -- but removing
> permissions in profiles is difficult to do, since we don't want an
> update to break existing users.
I have some browsers: Opera, Firefox, Chromium and others.
They need the same rights for user and system directories and I wrote
permissions for these browsers in one file, which is included in the browsers'
profiles.
> On the other hand, if you had to add permissions to the profiles, that'd
> be nice to know.
Ok.
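
The deny precedence and the `{,var/}` alternation discussed in this thread, as an added example that is not part of the original message and is not AppArmor's own code: a simplified Python model of AppArmor path matching. It models only `*`, `**`, `?` and `{a,b}`; the `/home/alice` paths and both rule lists are constructed for illustration.

```python
import re

def glob_to_regex(glob):
    """Translate a simplified AppArmor path glob into an anchored regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):   # ** may cross '/' boundaries
            out.append(".*")
            i += 2
            continue
        if c == "*":                   # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":                 # {a,b} alternation; {,var/} has an empty branch
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def allowed(rules, path, perm):
    """A matching deny wins over any allow, wherever it appears in the rule list."""
    granted = False
    for kind, glob, perms in rules:
        if perm in perms and glob_to_regex(glob).match(path):
            if kind == "deny":
                return False
            granted = True
    return granted

HOME = "/home/alice"  # constructed stand-in for @{HOME}
BROAD_DENY = [        # constructed rules: the later allow cannot undo the deny
    ("allow", HOME + "/**", "rw"),
    ("deny", HOME + "/.*/**", "rw"),
    ("allow", HOME + "/.mozilla/firefox/**", "rw"),
]
NARROW_DENY = [       # constructed rules: deny only the directories to protect
    ("allow", HOME + "/**", "rw"),
    ("deny", HOME + "/.{ssh,gnupg}/**", "rw"),
]
```

With `BROAD_DENY` the browser's own dot-directory stays blocked despite the explicit allow; with `NARROW_DENY` it is readable while `~/.ssh/` and `~/.gnupg/` remain denied.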