apparmor/profiles/apparmor.d/zgrep

# ------------------------------------------------------------------
#
#    Copyright (C) 2022 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/4.0>,

include <tunables/global>

profile zgrep /usr/bin/{x,}zgrep {
  include <abstractions/base>
  include <abstractions/bash>

  /dev/tty rw,
  @{etc_ro}/nsswitch.conf  r,
  /etc/passwd r,
  /usr/bin/{ba,da,}sh ix,
  /usr/bin/bzip2 Cx -> helper,
  /usr/bin/cat ix,
  /usr/bin/egrep Cx -> helper,
  /usr/bin/expr ix,
  /usr/bin/fgrep Cx -> helper,
  /usr/bin/grep Cx -> helper,
  /usr/bin/gzip Cx -> helper,
  /usr/bin/mktemp ix,
  /usr/bin/rm ix,
  /usr/bin/sed Cx -> sed,
  /usr/bin/xz Cx -> helper,
  /usr/bin/xzgrep r,
  /usr/bin/zgrep Cx -> helper,
  /usr/bin/zstd Cx -> helper,
  owner /tmp/zgrep* rw,
  /usr/bin/zgrep r,

  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,

  include if exists <local/zgrep>

  profile helper {
    include <abstractions/base>

    capability dac_override,
    capability dac_read_search,

    /dev/tty w,

    /usr/bin/{ba,da,}sh ix,
    /usr/bin/bzip2 mr,
    /usr/bin/grep mrix,
    /usr/bin/gzip mr,
    /usr/bin/xz mr,
    /usr/bin/zstd mr,
    /{,**} r,

  }

  profile sed {
    include <abstractions/base>

    /dev/tty rw,
    /usr/bin/{ba,da,}sh ix,
    /usr/bin/sed mr,

  }
}
Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00			`# ------------------------------------------------------------------`
			`#`
			`# Copyright (C) 2022 Christian Boltz`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

policy: update to use 4.0 abi Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-06-30 23:36:12 -07:00			`abi <abi/4.0>,`
Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00
			`include <tunables/global>`

			`profile zgrep /usr/bin/{x,}zgrep {`
			`include <abstractions/base>`
			`include <abstractions/bash>`

			`/dev/tty rw,`
zgrep: allow reading /etc/nsswitch.conf and /etc/passwd Seen on various VMs, my guess is that bash wants to translate a uid to a username. Log events (slightly shortened) apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2024-10-06 11:05:52 +02:00			`@{etc_ro}/nsswitch.conf r,`
			`/etc/passwd r,`
Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00			`/usr/bin/{ba,da,}sh ix,`
			`/usr/bin/bzip2 Cx -> helper,`
			`/usr/bin/cat ix,`
zgrep: allow executing egrep and fgrep egrep and fgrep also need to execute grep and write to /dev/tty in the helper child profile. Fixes: https://progress.opensuse.org/issues/113108 2022-06-28 23:20:10 +02:00			`/usr/bin/egrep Cx -> helper,`
zgrep profile: allow executing /usr/bin/expr expr is used for parsing commandline options in zgrep. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198531 2022-04-16 22:29:04 +02:00			`/usr/bin/expr ix,`
zgrep: allow executing egrep and fgrep egrep and fgrep also need to execute grep and write to /dev/tty in the helper child profile. Fixes: https://progress.opensuse.org/issues/113108 2022-06-28 23:20:10 +02:00			`/usr/bin/fgrep Cx -> helper,`
Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00			`/usr/bin/grep Cx -> helper,`
			`/usr/bin/gzip Cx -> helper,`
			`/usr/bin/mktemp ix,`
			`/usr/bin/rm ix,`
			`/usr/bin/sed Cx -> sed,`
			`/usr/bin/xz Cx -> helper,`
			`/usr/bin/xzgrep r,`
			`/usr/bin/zgrep Cx -> helper,`
zgrep profile: also allow zstd openSUSE works on extending zgrep to also support zstd-compressed files. References: http://bugzilla.opensuse.org/show_bug.cgi?id=1198922 2022-04-27 22:15:17 +02:00			`/usr/bin/zstd Cx -> helper,`
Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00			`owner /tmp/zgrep* rw,`
			`/usr/bin/zgrep r,`

zgrep: deny passwd access Bash will try to read the passwd database to find the shell of a user if $SHELL is not set. This causes zgrep to trigger ``` apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` if called in a sanitized environment. As the functionality of zgrep is not impacted by a limited Bash environment, add deny rules to avoid the potentially misleading AVC messages. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net> 2024-10-06 23:10:39 +02:00			`deny /etc/nsswitch.conf r,`
			`deny /etc/passwd r,`

Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00			`include if exists <local/zgrep>`

			`profile helper {`
			`include <abstractions/base>`

			`capability dac_override,`
			`capability dac_read_search,`

zgrep: allow executing egrep and fgrep egrep and fgrep also need to execute grep and write to /dev/tty in the helper child profile. Fixes: https://progress.opensuse.org/issues/113108 2022-06-28 23:20:10 +02:00			`/dev/tty w,`

Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00			`/usr/bin/{ba,da,}sh ix,`
			`/usr/bin/bzip2 mr,`
zgrep: allow executing egrep and fgrep egrep and fgrep also need to execute grep and write to /dev/tty in the helper child profile. Fixes: https://progress.opensuse.org/issues/113108 2022-06-28 23:20:10 +02:00			`/usr/bin/grep mrix,`
Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00			`/usr/bin/gzip mr,`
			`/usr/bin/xz mr,`
zgrep profile: also allow zstd openSUSE works on extending zgrep to also support zstd-compressed files. References: http://bugzilla.opensuse.org/show_bug.cgi?id=1198922 2022-04-27 22:15:17 +02:00			`/usr/bin/zstd mr,`
Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames) 2022-04-10 15:03:08 +02:00			`/{,**} r,`

			`}`

			`profile sed {`
			`include <abstractions/base>`

			`/dev/tty rw,`
			`/usr/bin/{ba,da,}sh ix,`
			`/usr/bin/sed mr,`

			`}`
			`}`