[apparmor] [PATCH] 02/04 abstraction updates for abstract, anonymous and netlink

Seth Arnold seth.arnold at canonical.com
Wed Aug 27 22:55:32 UTC 2014


On Wed, Aug 27, 2014 at 04:47:01PM -0500, Jamie Strandboge wrote:
> On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
> 
> > Starting a subthread for some additions to John's patches. This series assumes
> > John's 12 patches are applied and includes updates to the apparmor.d man page
> > and some policy updates. I expect I might have to adjust this a bit, but wanted
> > to send it up for comment. Let's have an ACK mean to apply it once it is safe to
> > do so.
> > 
> 
> Attached is a patch for:
>  - the base abstraction for common abstract and anonymous rules (comments
>    included per rule)
>  - dbus-session-strict to add a rule for connecting to the dbus session abstract
>    socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
>    explicit label if people preferred that

I don't like the label=unconfined on the dbus socket -- that would make it
harder to confine dbus.

>  - X to add a rule for connecting to the X abstract socket. Same as for
>    dbus-session-strict
>  - nameservice to add a rule for connecting to a netlink raw. This change could
>    possibly be excluded, but applications using networking (at least on Ubuntu)
>    all seem to need it. Excluding it would mean systems using nscd would need to
>    add this and ones not using it would have a noisy denial

Hmm. Netlink grants a lot. Can we make this any finer?

Thanks

> 
> 
> -- 
> Jamie Strandboge                 http://www.ubuntu.com/

> Author: Jamie Strandboge <jamie at canonical.com>
> Description: update policy for abstract sockets. Man page updates
> 
> Conversion of s/path/addr/ in rules by Steve Beattie
>   <steve.beattie at canonical.com>
> 
> ---
>  profiles/apparmor.d/abstractions/X                   |    3 +++
>  profiles/apparmor.d/abstractions/base                |   12 ++++++++++++
>  profiles/apparmor.d/abstractions/dbus-session-strict |    4 ++++
>  3 files changed, 19 insertions(+)
> 
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/base
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/base
> @@ -122,6 +122,18 @@
>    # Checking for PID existence is quite common so add it by default for now
>    signal (receive, send) set=("exists"),
>  
> +  # Allow us to create and use abstract and anonymous sockets
> +  unix peer=(label=@{profile_name}),
> +
> +  # Allow unconfined processes to us via unix sockets
> +  unix (receive) peer=(label=unconfined),
> +
> +  # Allow us to create abstract and anonymous sockets
> +  unix (create),
> +
> +  # Allow us to getattr and shutdown for anonymous sockets
> +  unix (getattr, shutdown) peer=(addr=none),
> +
>    # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
>    # filesystems generally. This does not appreciably decrease security with
>    # Ubuntu profiles because the user is expected to have access to files owned
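Review bot: the comment above `unix (receive) peer=(label=unconfined),` reads "Allow unconfined processes to us via unix sockets" and is missing its verb; because this rule lands in every profile that includes base, the comment should state exactly what is granted, e.g. `# Allow unconfined processes to send to us via unix sockets`. The first comment, "Allow us to create and use abstract and anonymous sockets", also overlaps with the separate `unix (create),` rule two rules further down; saying which rule actually carries the create permission would make the block easier to audit.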
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/dbus-session-strict
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/dbus-session-strict
> @@ -13,6 +13,10 @@
>    /etc/machine-id r,
>    /var/lib/dbus/machine-id r,
>  
> +  unix (connect, receive, send)
> +       type=stream
> +       peer=(label=unconfined,addr="@/tmp/dbus-*"),
> +
>    dbus send
>         bus=session
>         path=/org/freedesktop/DBus
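Review bot: `peer=(label=unconfined,addr="@/tmp/dbus-*")` pins the session bus to the unconfined label, so this rule stops matching as soon as dbus-daemon is given a profile of its own, which is the point Seth raises above. Since the abstract address is already being matched, dropping the label and keeping `peer=(addr="@/tmp/dbus-*")` gives the same reachability without baking dbus's confinement state into every consumer of this abstraction. A per-rule comment, as used in the base hunk, would also help here.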
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/X
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/X
> @@ -22,6 +22,9 @@
>  
>    # the unix socket to use to connect to the display
>    /tmp/.X11-unix/*           w,
> +  unix (connect, receive, send)
> +       type=stream
> +       peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),
>  
>    /usr/include/X11/               r,
>    /usr/include/X11/**             r,
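Review bot: same label concern as the dbus-session-strict hunk: `peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*")` only matches while the X server is unconfined, so whichever resolution is chosen for dbus should be applied here too to keep the two abstractions consistent. The existing comment `# the unix socket to use to connect to the display` now sits above both the filesystem rule and the new abstract-socket rule; extending it to say that the `w` on `/tmp/.X11-unix/*` covers the path socket while the new `unix (connect, receive, send)` rule covers the abstract address would make the pairing clear.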
> Index: apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
> ===================================================================
> --- apparmor-2.8.96~2541.orig/profiles/apparmor.d/abstractions/nameservice
> +++ apparmor-2.8.96~2541/profiles/apparmor.d/abstractions/nameservice
> @@ -87,5 +87,8 @@
>    network inet  dgram,
>    network inet6 dgram,
>  
> +  # Netlink raw needed for nscd
> +  network netlink raw,
> +
>    # interface details
>    @{PROC}/@{pid}/net/route r,
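Review bot: `network netlink raw,` is not scoped to nscd: it allows any SOCK_RAW netlink socket, of any netlink protocol family, for every profile that includes nameservice, which is the breadth Seth questions above. The comment `# Netlink raw needed for nscd` should record what nscd actually does over netlink so a later reviewer can judge whether the rule is still required, and given the cover letter says this hunk "could possibly be excluded", its inclusion should be an explicit decision. Separately, the description's diffstat lists "3 files changed, 19 insertions(+)" but the patch touches four files (this hunk adds 3 lines), and it mentions man page updates that are not in this patch; regenerate the diffstat and description before committing.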
