From e0434f22a46c5cd93a2beebea9c3123958fe44f2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 28 Sep 2021 21:57:07 +0100
Subject: [PATCH] Modernise the man profile.
---
 apparmor.d/profiles-m-r/man | 94 ++++++++++++++++++++++
 apparmor.d/profiles-s-z/usr.bin.man | 116 ----------------------------
 debian/apparmor.d.hide | 4 +
 3 files changed, 98 insertions(+), 116 deletions(-)
 create mode 100644 apparmor.d/profiles-m-r/man
 delete mode 100644 apparmor.d/profiles-s-z/usr.bin.man
 create mode 100644 debian/apparmor.d.hide
diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man
new file mode 100644
index 00000000..aca9bc61
--- /dev/null
+++ b/apparmor.d/profiles-m-r/man
@@ -0,0 +1,94 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/man
+profile man @{exec_path} {
+ include
+
+ signal peer=man//man_groff,
+ signal peer=man//man_filter,
+
+ @{exec_path} mr,
+
+ # Use a special profile when man calls anything groff-related. We only include
+ # the programs that actually parse input data in a non-trivial way, not
+ # wrappers such as groff and nroff, since they would need a broader profile.
+ /{usr/,}bin/eqn rCx -> man_groff,
+ /{usr/,}bin/grap rCx -> man_groff,
+ /{usr/,}bin/pic rCx -> man_groff,
+ /{usr/,}bin/preconv rCx -> man_groff,
+ /{usr/,}bin/refer rCx -> man_groff,
+ /{usr/,}bin/tbl rCx -> man_groff,
+ /{usr/,}bin/troff rCx -> man_groff,
+ /{usr/,}bin/vgrind rCx -> man_groff,
+
+ # Use a special profile when man calls decompressors and other simple filters.
+ /{usr/,}bin/bzip2 rCx -> man_filter,
+ /{usr/,}bin/gzip rCx -> man_filter,
+ /{usr/,}bin/col rCx -> man_filter,
+ /{usr/,}bin/compress rCx -> man_filter,
+ /{usr/,}bin/iconv rCx -> man_filter,
+ /{usr/,}bin/lzip.lzip rCx -> man_filter,
+ /{usr/,}bin/tr rCx -> man_filter,
+ /{usr/,}bin/xz rCx -> man_filter,
+
+ profile man_groff {
+ include
+ include
+
+ signal peer=man,
+
+ /{usr/,}bin/eqn rm,
+ /{usr/,}bin/grap rm,
+ /{usr/,}bin/pic rm,
+ /{usr/,}bin/preconv rm,
+ /{usr/,}bin/refer rm,
+ /{usr/,}bin/tbl rm,
+ /{usr/,}bin/troff rm,
+ /{usr/,}bin/vgrind rm,
+
+ /{usr/,}lib/groff/site-tmac/** r,
+ /usr/share/groff/** r,
+
+ /etc/groff/** r,
+ /etc/papersize r,
+
+ /tmp/groff* rw,
+ owner /tmp/* rw,
+ }
+
+ profile man_filter {
+ include
+ include
+
+ signal peer=man,
+
+ /{usr/,}bin/bzip2 rm,
+ /{usr/,}bin/gzip rm,
+ /{usr/,}bin/col rm,
+ /{usr/,}bin/compress rm,
+ /{usr/,}bin/iconv rm,
+ /{usr/,}bin/lzip.lzip rm,
+ /{usr/,}bin/tr rm,
+ /{usr/,}bin/xz rm,
+
+ # Manual pages can be more or less anywhere, especially with "man -l", and
+ # there's no harm in allowing wide read access here since the worst it can
+ # do is feed data to the invoking man process.
+ /usr/** r,
+ owner @{HOME}/@{XDG_DATA_HOME}/** r,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/** r,
+ owner @{user_cache_dirs}/** r,
+ owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
+ owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,
+
+ /var/cache/man/** w,
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/usr.bin.man b/apparmor.d/profiles-s-z/usr.bin.man
deleted file mode 100644
index 0eb54fdb..00000000
--- a/apparmor.d/profiles-s-z/usr.bin.man
+++ /dev/null
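Review bot: The parent profile at `profile man @{exec_path} {` now confines man itself, yet apart from `@{exec_path} mr` and the `rCx` transitions no rule is visible for what the removed `/** mrixwlk` used to cover: executing the pager, reading man-db's configuration and page trees, writing the cat cache, or the `capability setuid,` / `capability setgid,` the old profile granted. The targets of the `include` lines are stripped in this rendering, so the abstractions may well supply this, but it is worth confirming in complain mode before enforcing, and if man is installed setuid/setgid on the target distribution the two capability lines from the old profile probably need to return. Separately, the comment above `/usr/** r` in man_filter still claims "no harm in allowing wide read access" although `/** r` has been narrowed to `/usr/**` plus owner-qualified user directories. I would reword it to `# Manual pages can be more or less anywhere, especially with "man -l"; reads are kept to the system trees and the user's own data, project and cache directories, since the filter only feeds data back to man.` so the comment matches the rules it sits above.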
@@ -1,116 +0,0 @@
-# vim:syntax=apparmor
-
-include
-
-/usr/bin/man {
- include
-
- # Use a special profile when man calls anything groff-related. We only
- # include the programs that actually parse input data in a non-trivial
- # way, not wrappers such as groff and nroff, since the latter would need a
- # broader profile.
- /usr/bin/eqn rmCx -> &man_groff,
- /usr/bin/grap rmCx -> &man_groff,
- /usr/bin/pic rmCx -> &man_groff,
- /usr/bin/preconv rmCx -> &man_groff,
- /usr/bin/refer rmCx -> &man_groff,
- /usr/bin/tbl rmCx -> &man_groff,
- /usr/bin/troff rmCx -> &man_groff,
- /usr/bin/vgrind rmCx -> &man_groff,
-
- # Similarly, use a special profile when man calls decompressors and other
- # simple filters.
- /{,usr/}bin/bzip2 rmCx -> &man_filter,
- /{,usr/}bin/gzip rmCx -> &man_filter,
- /usr/bin/col rmCx -> &man_filter,
- /usr/bin/compress rmCx -> &man_filter,
- /usr/bin/iconv rmCx -> &man_filter,
- /usr/bin/lzip.lzip rmCx -> &man_filter,
- /usr/bin/tr rmCx -> &man_filter,
- /usr/bin/xz rmCx -> &man_filter,
-
- # Allow basically anything in terms of file system access, subject to DAC.
- # The purpose of this profile isn't to confine man itself (that might be
- # nice in the future, but is tricky since it's quite configurable), but to
- # confine the processes it calls that parse untrusted data.
- /** mrixwlk,
- unix,
-
- capability setuid,
- capability setgid,
-
- # Ordinary permission checks sometimes involve checking whether the
- # process has this capability, which can produce audit log messages.
- # Silence them.
- deny capability dac_override,
- deny capability dac_read_search,
-
- signal peer=@{profile_name},
- signal peer=/usr/bin/man//&man_groff,
- signal peer=/usr/bin/man//&man_filter,
-
- include if exists
-}
-
-profile man_groff {
- include
- # Recent kernels revalidate open FDs, and there are often some still
- # open on TTYs. This is temporary until man learns to close irrelevant
- # open FDs before execve.
- include
- # man always runs its groff pipeline with the input file open on stdin,
- # so we can skip .
-
- /usr/bin/eqn rm,
- /usr/bin/grap rm,
- /usr/bin/pic rm,
- /usr/bin/preconv rm,
- /usr/bin/refer rm,
- /usr/bin/tbl rm,
- /usr/bin/troff rm,
- /usr/bin/vgrind rm,
-
- /etc/groff/** r,
- /etc/papersize r,
- /usr/lib/groff/site-tmac/** r,
- /usr/share/groff/** r,
-
- /tmp/groff* rw,
-
- signal peer=/usr/bin/man,
- # @{profile_name} doesn't seem to work here.
- signal peer=/usr/bin/man//&man_groff,
-
- # file_inherit
- owner /tmp/* rw,
-
-}
-
-profile man_filter {
- include
- # Recent kernels revalidate open FDs, and there are often some still
- # open on TTYs. This is temporary until man learns to close irrelevant
- # open FDs before execve.
- include
-
- /{,usr/}bin/bzip2 rm,
- /{,usr/}bin/gzip rm,
- /usr/bin/col rm,
- /usr/bin/compress rm,
- /usr/bin/iconv rm,
- /usr/bin/lzip.lzip rm,
- /usr/bin/tr rm,
- /usr/bin/xz rm,
-
- # Manual pages can be more or less anywhere, especially with "man -l", and
- # there's no harm in allowing wide read access here since the worst it can
- # do is feed data to the invoking man process.
- /** r,
-
- # Allow writing cat pages.
- /var/cache/man/** w,
-
- signal peer=/usr/bin/man,
- # @{profile_name} doesn't seem to work here.
- signal peer=/usr/bin/man//&man_filter,
-}
diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide
new file mode 100644
index 00000000..0825db14
--- /dev/null
+++ b/debian/apparmor.d.hide
@@ -0,0 +1,4 @@
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+/etc/apparmor.d/usr.bin.man