Modernise the man profile.
This commit is contained in:
parent
adabcd6b94
commit
e0434f22a4
3 changed files with 98 additions and 116 deletions
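--- /dev/null
+++ b/apparmor.d/profiles-m-r/man
@@ -0,0 +1,94 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/man
+profile man @{exec_path} {
+include <abstractions/base>
+
+signal peer=man//man_groff,
+signal peer=man//man_filter,
+
+@{exec_path} mr,
+
+# Use a special profile when man calls anything groff-related. We only include
+# the programs that actually parse input data in a non-trivial way, not
+# wrappers such as groff and nroff, since they would need a broader profile.
+/{usr/,}bin/eqn rCx -> man_groff,
+/{usr/,}bin/grap rCx -> man_groff,
+/{usr/,}bin/pic rCx -> man_groff,
+/{usr/,}bin/preconv rCx -> man_groff,
+/{usr/,}bin/refer rCx -> man_groff,
+/{usr/,}bin/tbl rCx -> man_groff,
+/{usr/,}bin/troff rCx -> man_groff,
+/{usr/,}bin/vgrind rCx -> man_groff,
+
+# Use a special profile when man calls decompressors and other simple filters.
+/{usr/,}bin/bzip2 rCx -> man_filter,
+/{usr/,}bin/gzip rCx -> man_filter,
+/{usr/,}bin/col rCx -> man_filter,
+/{usr/,}bin/compress rCx -> man_filter,
+/{usr/,}bin/iconv rCx -> man_filter,
+/{usr/,}bin/lzip.lzip rCx -> man_filter,
+/{usr/,}bin/tr rCx -> man_filter,
+/{usr/,}bin/xz rCx -> man_filter,
+
+profile man_groff {
+include <abstractions/base>
+include <abstractions/consoles>
+
+signal peer=man,
+
+/{usr/,}bin/eqn rm,
+/{usr/,}bin/grap rm,
+/{usr/,}bin/pic rm,
+/{usr/,}bin/preconv rm,
+/{usr/,}bin/refer rm,
+/{usr/,}bin/tbl rm,
+/{usr/,}bin/troff rm,
+/{usr/,}bin/vgrind rm,
+
+/{usr/,}lib/groff/site-tmac/** r,
+/usr/share/groff/** r,
+
+/etc/groff/** r,
+/etc/papersize r,
+
+/tmp/groff* rw,
+owner /tmp/* rw,
+}
+
+profile man_filter {
+include <abstractions/base>
+include <abstractions/consoles>
+
+signal peer=man,
+
+/{usr/,}bin/bzip2 rm,
+/{usr/,}bin/gzip rm,
+/{usr/,}bin/col rm,
+/{usr/,}bin/compress rm,
+/{usr/,}bin/iconv rm,
+/{usr/,}bin/lzip.lzip rm,
+/{usr/,}bin/tr rm,
+/{usr/,}bin/xz rm,
+
+# Manual pages can be more or less anywhere, especially with "man -l", and
+# there's no harm in allowing wide read access here since the worst it can
+# do is feed data to the invoking man process.
+/usr/** r,
+owner @{HOME}/@{XDG_DATA_HOME}/** r,
+owner @{HOME}/@{XDG_PROJECTS_DIR}/** r,
+owner @{user_cache_dirs}/** r,
+owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
+owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,
+
+/var/cache/man/** w,
+}
+
+include if exists <local/man>
+}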
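Review bot: The new top-level `man` profile grants only `@{exec_path} mr,`, `<abstractions/base>` and the child transitions, whereas the removed profile carried `capability setuid,`, `capability setgid,` and a blanket `/** mrixwlk,` precisely because it chose not to confine man itself; unless `<abstractions/base>` covers them (not visible here), man's own reads of its configuration and page directories and its exec of the pager are likely to be denied. Worth confirming with the profile in complain mode before merge, and a short comment above `@{exec_path} mr,` recording why the setuid/setgid capabilities were dropped would help the next maintainer. Separately, `/tmp/groff* rw,` in `man_groff` is not `owner`-qualified while the neighbouring `owner /tmp/* rw,` is; if groff's temporary files are created by the invoking user, `owner /tmp/groff* rw,` keeps the rule closer to least privilege.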
|
@ -1,116 +0,0 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
/usr/bin/man {
|
||||
include <abstractions/base>
|
||||
|
||||
# Use a special profile when man calls anything groff-related. We only
|
||||
# include the programs that actually parse input data in a non-trivial
|
||||
# way, not wrappers such as groff and nroff, since the latter would need a
|
||||
# broader profile.
|
||||
/usr/bin/eqn rmCx -> &man_groff,
|
||||
/usr/bin/grap rmCx -> &man_groff,
|
||||
/usr/bin/pic rmCx -> &man_groff,
|
||||
/usr/bin/preconv rmCx -> &man_groff,
|
||||
/usr/bin/refer rmCx -> &man_groff,
|
||||
/usr/bin/tbl rmCx -> &man_groff,
|
||||
/usr/bin/troff rmCx -> &man_groff,
|
||||
/usr/bin/vgrind rmCx -> &man_groff,
|
||||
|
||||
# Similarly, use a special profile when man calls decompressors and other
|
||||
# simple filters.
|
||||
/{,usr/}bin/bzip2 rmCx -> &man_filter,
|
||||
/{,usr/}bin/gzip rmCx -> &man_filter,
|
||||
/usr/bin/col rmCx -> &man_filter,
|
||||
/usr/bin/compress rmCx -> &man_filter,
|
||||
/usr/bin/iconv rmCx -> &man_filter,
|
||||
/usr/bin/lzip.lzip rmCx -> &man_filter,
|
||||
/usr/bin/tr rmCx -> &man_filter,
|
||||
/usr/bin/xz rmCx -> &man_filter,
|
||||
|
||||
# Allow basically anything in terms of file system access, subject to DAC.
|
||||
# The purpose of this profile isn't to confine man itself (that might be
|
||||
# nice in the future, but is tricky since it's quite configurable), but to
|
||||
# confine the processes it calls that parse untrusted data.
|
||||
/** mrixwlk,
|
||||
unix,
|
||||
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
|
||||
# Ordinary permission checks sometimes involve checking whether the
|
||||
# process has this capability, which can produce audit log messages.
|
||||
# Silence them.
|
||||
deny capability dac_override,
|
||||
deny capability dac_read_search,
|
||||
|
||||
signal peer=@{profile_name},
|
||||
signal peer=/usr/bin/man//&man_groff,
|
||||
signal peer=/usr/bin/man//&man_filter,
|
||||
|
||||
include if exists <local/usr.bin.man>
|
||||
}
|
||||
|
||||
profile man_groff {
|
||||
include <abstractions/base>
|
||||
# Recent kernels revalidate open FDs, and there are often some still
|
||||
# open on TTYs. This is temporary until man learns to close irrelevant
|
||||
# open FDs before execve.
|
||||
include <abstractions/consoles>
|
||||
# man always runs its groff pipeline with the input file open on stdin,
|
||||
# so we can skip <abstractions/user-manpages>.
|
||||
|
||||
/usr/bin/eqn rm,
|
||||
/usr/bin/grap rm,
|
||||
/usr/bin/pic rm,
|
||||
/usr/bin/preconv rm,
|
||||
/usr/bin/refer rm,
|
||||
/usr/bin/tbl rm,
|
||||
/usr/bin/troff rm,
|
||||
/usr/bin/vgrind rm,
|
||||
|
||||
/etc/groff/** r,
|
||||
/etc/papersize r,
|
||||
/usr/lib/groff/site-tmac/** r,
|
||||
/usr/share/groff/** r,
|
||||
|
||||
/tmp/groff* rw,
|
||||
|
||||
signal peer=/usr/bin/man,
|
||||
# @{profile_name} doesn't seem to work here.
|
||||
signal peer=/usr/bin/man//&man_groff,
|
||||
|
||||
# file_inherit
|
||||
owner /tmp/* rw,
|
||||
|
||||
}
|
||||
|
||||
profile man_filter {
|
||||
include <abstractions/base>
|
||||
# Recent kernels revalidate open FDs, and there are often some still
|
||||
# open on TTYs. This is temporary until man learns to close irrelevant
|
||||
# open FDs before execve.
|
||||
include <abstractions/consoles>
|
||||
|
||||
/{,usr/}bin/bzip2 rm,
|
||||
/{,usr/}bin/gzip rm,
|
||||
/usr/bin/col rm,
|
||||
/usr/bin/compress rm,
|
||||
/usr/bin/iconv rm,
|
||||
/usr/bin/lzip.lzip rm,
|
||||
/usr/bin/tr rm,
|
||||
/usr/bin/xz rm,
|
||||
|
||||
# Manual pages can be more or less anywhere, especially with "man -l", and
|
||||
# there's no harm in allowing wide read access here since the worst it can
|
||||
# do is feed data to the invoking man process.
|
||||
/** r,
|
||||
|
||||
# Allow writing cat pages.
|
||||
/var/cache/man/** w,
|
||||
|
||||
signal peer=/usr/bin/man,
|
||||
# @{profile_name} doesn't seem to work here.
|
||||
signal peer=/usr/bin/man//&man_filter,
|
||||
}
|
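--- /dev/null
+++ b/debian/apparmor.d.hide
@@ -0,0 +1,4 @@
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+/etc/apparmor.d/usr.bin.man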