[apparmor] add profile for lessopen
John Johansen
john.johansen at canonical.com
Mon Dec 22 14:27:04 UTC 2014
On 12/21/2014 08:34 AM, Christian Boltz wrote:
> Hello,
>
> this patch adds a profile for lessopen.sh which handles programs
> automatically executed by less (for example to get a file list out of
> tarballs).
>
> Patch by Marcus Meissner <meissner at suse.com>
>
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=906858
>
So I don't have any objections to the patch besides the comment
below.
I question if it should be in the base profile set, but I can't
really think of a reason it shouldn't be: with the broad read
permissions, it shouldn't cause breakage unless the exec list
is incomplete.
That said, it begs the question about confining less (harder)
and whether this would be better as a subprofile of it.
>
>
> +Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
> +===================================================================
> +--- /dev/null
> ++++ apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
> +@@ -0,0 +1,39 @@
> ++# Last Modified: Fri Nov 28 08:01:09 2014
> ++#include <tunables/global>
> ++
> ++/usr/bin/lessopen.sh {
> ++ #include <abstractions/base>
> ++ #include <abstractions/bash>
> ++ #include <abstractions/consoles>
> ++ #include <abstractions/perl>
> ++
> ++ /** rk,
> ++ /bin/bash ix,
> ++ /bin/rpm rix,
> ++ /bin/tar rix,
> ++ /tmp/less.* rw,
could we move the rw perms to a separate section from the exec perms
> ++ /usr/bin/bzip2 rix,
> ++ /usr/bin/cabextract rix,
> ++ /usr/bin/cat rix,
> ++ /usr/bin/colordiff rix,
> ++ /usr/bin/dvi2tty rix,
> ++ /usr/bin/file rix,
> ++ /usr/bin/grep rix,
> ++ /usr/bin/groff rix,
> ++ /usr/bin/gzip rix,
> ++ /usr/bin/head rix,
> ++ /usr/bin/lynx rix,
> ++ /usr/bin/mktemp rix,
> ++ /usr/bin/nm rix,
> ++ /usr/bin/pdftotext rix,
> ++ /usr/bin/ps2ascii rix,
> ++ /usr/bin/rm rix,
> ++ /usr/bin/seq rix,
> ++ /usr/bin/tar rix,
> ++ /usr/bin/unzip rix,
> ++ /usr/bin/w3m rix,
> ++ /usr/bin/which rix,
> ++ /usr/bin/xz rix,
> ++
> ++ #include <local/usr.bin.lessopen.sh>
I'd like to see a stub file here to go along with the patch
> ++}
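Review bot: the trailing `#include <local/usr.bin.lessopen.sh>` refers to a file this patch does not add, so the profile will not load on a system where that local file is absent; ship an (empty) `profiles/apparmor.d/local/usr.bin.lessopen.sh` stub in the same patch. Also note that every helper is listed with `ix`, so each one (including `/usr/bin/lynx` and `/usr/bin/w3m`) runs under this profile's `/** rk` filesystem-wide read and its single write rule `/tmp/less.* rw,`; if the intent is only the temporary files less creates for the invoking user, `owner /tmp/less.* rw,` narrows that rule, and grouping it apart from the exec list (as asked above) makes the write surface easier to audit.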
>
>
> Regards,
>
> Christian Boltz
>