mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-07 01:41:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/profiles/apparmor.d/abstractions/nameservice

119 lines
3.7 KiB
Text
Raw Normal View History

Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
# ------------------------------------------------------------------
#
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
# Copyright (C) 2002-2009 Novell/SUSE
Author: Jamie Strandboge <jamie@canonical.com>, Steve Langasek <steve.langasek@linaro.org>, Steve Beattie <sbeattie@ubuntu.com> Description: add multiarch support to abstractions Bug-Ubuntu: https://bugs.launchpad.net/bugs/736870 This patch add multiarch support for common shared library locations, as well as a tunables file and directory to ease adding addiotional multiarch paths. Bug: https://launchpad.net/bugs/736870
2011-03-23 12:24:11 -07:00
# Copyright (C) 2009-2011 Canonical Ltd.
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
policy: tag policy with the AppArmor 3.0 abi Tag profiles and abstractions with abi information. Tagging abstractions is not strictly necessary but allows the parser to detect when their is a mismatch and that policy will need an update for abi. We do not currently tag the tunables because variable declarations are not currently affected by abi. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2020-05-05 00:08:39 -07:00
abi <abi/3.0>,
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable.
2020-07-23 20:42:42 +02:00
@{etc_ro}/group r,
@{etc_ro}/host.conf r,
@{etc_ro}/hosts r,
@{etc_ro}/nsswitch.conf r,
@{etc_ro}/gai.conf r,
@{etc_ro}/passwd r,
@{etc_ro}/protocols r,
Launchpad bug #132468: Nameservice abstraction should also include /var/run/resolvconf/resolv.conf: The Nameservice abstraction configuration file (/etc/apparmor.d/abstractions/nameservice) permits reads access to (amongst other paths) /etc/resolv.conf. However, on systems using resolvconf, this is a symbolic link to /etc/resolvconf/run/resolv.conf -- where /etc/resolvconf/run itself is a symlink to /var/run/resolvconf.
2007-08-14 14:50:09 +00:00
Allow reading /etc/netconfig in abstractions/nameservice /etc/netconfig is required by the tirpc library which nscd and several other programs use. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244 Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2017-10-20 22:53:09 +02:00
# libtirpc (used for NIS/YP login) needs this
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable.
2020-07-23 20:42:42 +02:00
@{etc_ro}/netconfig r,
Allow reading /etc/netconfig in abstractions/nameservice /etc/netconfig is required by the tirpc library which nscd and several other programs use. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244 Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2017-10-20 22:53:09 +02:00
Allow /var/lib/extrausers/group and /var/lib/extrausers/passwd 'read' in order to work with libnss-extrausers Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-08-21 07:27:07 -05:00
# When using libnss-extrausers, the passwd and group files are merged from
# an alternate path
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
Description: Allow using sssd for group and password lookups Author: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Steve Beattie <steve@nxnw.org> This was originally patch 0018-lp1056391.patch in the Ubuntu apparmor packaging; Steve noticed the now-redundant line for /var/lib/sss/mc/passwd so I removed that at the same time.
2014-02-13 17:15:03 -08:00
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
Samba profile updates for ActiveDirectory / Kerberos The Samba package used by the INVIS server (based on openSUSE) needs some additional Samba permissions for the added ActiveDirectory / Kerberos support. As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions to abstractions/nameservice instead of only to the smbd profile because it's probably needed by more than just Samba if someone uses sss. Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
2017-08-29 13:31:20 +02:00
/var/lib/sss/mc/initgroups r,
Description: Allow using sssd for group and password lookups Author: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Steve Beattie <steve@nxnw.org> This was originally patch 0018-lp1056391.patch in the Ubuntu apparmor packaging; Steve noticed the now-redundant line for /var/lib/sss/mc/passwd so I removed that at the same time.
2014-02-13 17:15:03 -08:00
/var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw,
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable.
2020-07-23 20:42:42 +02:00
@{etc_ro}/resolv.conf r,
From: Simon McVittie <simon.mcvittie@collabora.co.uk> Date: Tue, 21 Jun 2016 18:18:45 +0100 Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf Follow the same logic we already did for NetworkManager, resolvconf and systemd-resolved. The wonderful thing about standards is that there are so many to choose from. Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2016-06-22 15:15:49 -07:00
# On systems where /etc/resolv.conf is managed programmatically, it is
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
# a symlink to @{run}/(whatever program is managing it)/resolv.conf.
@{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable.
2020-07-23 20:42:42 +02:00
@{etc_ro}/resolvconf/run/resolv.conf r,
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/systemd/resolve/stub-resolv.conf r,
Launchpad bug #132468: Nameservice abstraction should also include /var/run/resolvconf/resolv.conf: The Nameservice abstraction configuration file (/etc/apparmor.d/abstractions/nameservice) permits reads access to (amongst other paths) /etc/resolv.conf. However, on systems using resolvconf, this is a symbolic link to /etc/resolvconf/run/resolv.conf -- where /etc/resolvconf/run itself is a symlink to /var/run/resolvconf.
2007-08-14 14:50:09 +00:00
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable.
2020-07-23 20:42:42 +02:00
@{etc_ro}/samba/lmhosts r,
@{etc_ro}/services r,
- various patches and cleanups from kees@ubuntu.com
2008-06-11 20:19:36 +00:00
# db backend
/var/lib/misc/*.db r,
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
# The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups.
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/.nscd_socket rw,
@{run}/nscd/socket rw,
Allow /var/lib/nscd in abstractions/nameservice and nscd profile The latest glibc (including nscd) in openSUSE Tumbleweed comes with glibc-2.3.3-nscd-db-path.diff: Move persistent nscd databases to /var/lib/nscd This needs updates (adding /var/lib/nscd/) to abstractions/nameservice and the nscd profile. Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
2016-11-18 20:17:43 +01:00
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
# nscd renames and unlinks files in it's operation that clients will
# have open
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/nscd/db* rmix,
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
Make policy compatible with merged-/usr.
2016-12-03 10:59:01 +01:00
/{usr/,}lib{,32,64}/libnss_*.so* mr,
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable.
2020-07-23 20:42:42 +02:00
@{etc_ro}/default/nss r,
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
- various patches and cleanups from kees@ubuntu.com
2008-06-11 20:19:36 +00:00
# avahi-daemon is used for mdns4 resolution
Use "run" variable in profiles Signed-off-by: nl6720 <nl6720@gmail.com>
2020-02-13 11:02:49 +02:00
@{run}/avahi-daemon/socket rw,
- various patches and cleanups from kees@ubuntu.com
2008-06-11 20:19:36 +00:00
abstractions/nameservice: support systems that use libnl-3-200 via libnss-gw-name. Patch initially proposed by Simon McVittie <smcv@debian.org>. Closes: Debian#810888
2016-02-10 11:19:04 +01:00
# libnl-3-200 via libnss-gw-name
@{PROC}/@{pid}/net/psched r,
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable.
2020-07-23 20:42:42 +02:00
@{etc_ro}/libnl-*/classid r,
abstractions/nameservice: support systems that use libnl-3-200 via libnss-gw-name. Patch initially proposed by Simon McVittie <smcv@debian.org>. Closes: Debian#810888
2016-02-10 11:19:04 +01:00
Bug 167798 - misc profile modifications from darix -- mlmmj, lighttpd, oidentd profiles in extras/, new postfix helpers in complain mode (enabled), split apart nameservice a little (non destructively), add new abstractions for python, ruby, and php5, add web-data and svn-repositories data-centric abstractions
2006-05-02 00:25:47 +00:00
# nis
Change `#include` to `include` in abstractions and tunables
2020-06-09 23:28:41 +02:00
include <abstractions/nis>
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
split off abstractions/ldapclient from abstractions/nameservice Original openSUSE changelog entry: Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de - Splitted ldap related things from nameservice into separate profile and added some missing paths (bnc#662761)
2011-11-01 17:08:37 +01:00
# ldap
Change `#include` to `include` in abstractions and tunables
2020-06-09 23:28:41 +02:00
include <abstractions/ldapclient>
split off abstractions/ldapclient from abstractions/nameservice Original openSUSE changelog entry: Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de - Splitted ldap related things from nameservice into separate profile and added some missing paths (bnc#662761)
2011-11-01 17:08:37 +01:00
Bug 167798 - misc profile modifications from darix -- mlmmj, lighttpd, oidentd profiles in extras/, new postfix helpers in complain mode (enabled), split apart nameservice a little (non destructively), add new abstractions for python, ruby, and php5, add web-data and svn-repositories data-centric abstractions
2006-05-02 00:25:47 +00:00
# winbind
Change `#include` to `include` in abstractions and tunables
2020-06-09 23:28:41 +02:00
include <abstractions/winbind>
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
# likewise
Change `#include` to `include` in abstractions and tunables
2020-06-09 23:28:41 +02:00
include <abstractions/likewise>
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
# mdnsd
Change `#include` to `include` in abstractions and tunables
2020-06-09 23:28:41 +02:00
include <abstractions/mdns>
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
Bug 288960 - nscd with nss_ldap and sasl/gss bind to ldap server failed
2007-08-23 23:22:06 +00:00
# kerberos
Change `#include` to `include` in abstractions and tunables
2020-06-09 23:28:41 +02:00
include <abstractions/kerberosclient>
pull in Ubuntu updates to profiles/apparmor.d
2009-11-04 14:25:42 -06:00
allow accessing the libnss-systemd VarLink sockets and DBus APIs https://systemd.io/USER_GROUP_API/ describes the libnss-systemd VarLink socket APIs: " When a client wants to look up a user or group record, it contacts all sockets bound in this directory in parallel, and enqueues the same query to each. The first positive reply is then returned to the application, or if all fail the last seen error is returned instead. (Alternatively a special Varlink service is available, io.systemd.Multiplexer which acts as frontend and will do the parallel queries on behalf of the client, drastically simplifying client development.) " This updates the nameservice abstraction to allow read/write on well-known systemd VarLink named sockets. In addition, allow lookups for systemd-exec's DynamicUsers via D-Bus References: - https://systemd.io/USER_GROUP_API/ - https://systemd.io/USER_RECORD/ - https://www.freedesktop.org/software/systemd/man/nss-systemd.html - https://www.freedesktop.org/software/systemd/man/systemd.exec.html - https://launchpad.net/bugs/1796911 - https://launchpad.net/bugs/1869024 Modified by John Johansen by: - moving rules nss-systemd include - replacing /proc/ with @{proc}/ - moving and merging commit 16f9f688 rules into nss-systemd include PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/480 PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/474 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com>
2020-04-06 16:09:50 -05:00
#libnss-systemd
Change `#include` to `include` in abstractions and tunables
2020-06-09 23:28:41 +02:00
include <abstractions/nss-systemd>
allow accessing the libnss-systemd VarLink sockets and DBus APIs https://systemd.io/USER_GROUP_API/ describes the libnss-systemd VarLink socket APIs: " When a client wants to look up a user or group record, it contacts all sockets bound in this directory in parallel, and enqueues the same query to each. The first positive reply is then returned to the application, or if all fail the last seen error is returned instead. (Alternatively a special Varlink service is available, io.systemd.Multiplexer which acts as frontend and will do the parallel queries on behalf of the client, drastically simplifying client development.) " This updates the nameservice abstraction to allow read/write on well-known systemd VarLink named sockets. In addition, allow lookups for systemd-exec's DynamicUsers via D-Bus References: - https://systemd.io/USER_GROUP_API/ - https://systemd.io/USER_RECORD/ - https://www.freedesktop.org/software/systemd/man/nss-systemd.html - https://www.freedesktop.org/software/systemd/man/systemd.exec.html - https://launchpad.net/bugs/1796911 - https://launchpad.net/bugs/1869024 Modified by John Johansen by: - moving rules nss-systemd include - replacing /proc/ with @{proc}/ - moving and merging commit 16f9f688 rules into nss-systemd include PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/480 PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/474 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com>
2020-04-06 16:09:50 -05:00
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
dbus send
bus=system
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager"
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
Updates for cups, add inet|inet6 dgram|stream to nameservice abstraction
2007-08-17 21:46:56 +00:00
# TCP/UDP network access
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
abstraction updates for abstract, anonymous and netlink - the base abstraction for common abstract and anonymous rules (comments included per rule) - dbus-session-strict to add a rule for connecting to the dbus session abstract socket. I used 'peer=(label=unconfined)' here, but I could probably lose the explicit label if people preferred that - X to add a rule for connecting to the X abstract socket. Same as for dbus-session-strict - nameservice to add a rule for connecting to a netlink raw. This change could possibly be excluded, but applications using networking (at least on Ubuntu) all seem to need it. Excluding it would mean systems using nscd would need to add this and ones not using it would have a noisy denial Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:21:31 -05:00
# TODO: adjust when support finer-grained netlink rules
# Netlink raw needed for nscd
network netlink raw,
network interface enumeration
2010-06-04 17:44:59 -07:00
# interface details
Subject: profiles - use @{pid} tunable This patch adds the kernelvars tunable to the global set that is usually included by default in apparmor policies. It then converts the rules that are intended to match /proc/pid to use this tunable. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Seth Arnold <seth.arnold@canonical.com>
2013-01-02 15:34:38 -08:00
@{PROC}/@{pid}/net/route r,
Add support for local additions to abstractions Local policy may want to extend or override abstractions, so add support for including local updates to them. Acked-by: Christian Boltz <apparmor@cboltz.de> Acked-by: intrigeri <intrigeri@boum.org> Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-01-24 03:03:11 -08:00
# Include additions to the abstraction
abstractions: remove '#' from 'include if exists' This matches what we use in the profiles for local abstractions. Also adjust the check in the Makefile to expect the variant without '#'.
2020-05-30 19:46:08 +02:00
include if exists <abstractions/nameservice.d>
Reference in a new issue Copy permalink