apparmor/profiles/apparmor.d/abstractions/ubuntu-helpers

# Lenient profile that is intended to be used when 'Ux' is desired but
# does not provide enough environment sanitizing. This effectively is an
# open profile that blacklists certain known dangerous files and also
# does not allow any capabilities. For example, it will not allow 'm' on files
# owned be the user invoking the program. While this provides some additional
# protection, please use with care as applications running under this profile
# are effectively running without any AppArmor protection. Use this profile
# only if the process absolutely must be run (effectively) unconfined.
#
# Usage:
# Because this abstraction defines the sanitized_helper profile, it must only
# be #included once. Therefore this abstraction should typically not be
# included in other abstractions so as to avoid parser errors regarding
# multiple definitions.
#
# Limitations:
# 1. This does not work for root owned processes, because of the way we use
#    owner matching in the sanitized helper. We could do a better job with
#    this to support root, but it would make the policy harder to understand
#    and going unconfined as root is not desirable any way.
#
# 2. For this sanitized_helper to work, the program running in the sanitized
#    environment must open symlinks directly in order for AppArmor to mediate
#    it. This is confirmed to work with:
#     - compiled code which can load shared libraries
#     - python imports
#    It is known not to work with:
#     - perl includes
# 3. Sanitizing ruby and java
#
# Use at your own risk. This profile was developed as an interim workaround for
# LP: #851986 until AppArmor utilizes proper environment filtering.

profile sanitized_helper {
  #include <abstractions/base>

  # Allow all networking
  network inet,

  # Allow exec of anything, but under this profile. Allow transition
  # to other profiles if they exist.
  /bin/* Pix,
  /sbin/* Pix,
  /usr/bin/* Pix,
  /usr/sbin/* Pix,

  # Allow exec of libexec applications in /usr/lib*
  /usr/lib*/{,**/}* Pix,

  # Full access
  / r,
  /** rwkl,
  /{,usr/}lib{,32,64}/{,**/}*.so{,.*} m,

  # Dangerous files
  audit deny owner /**/* m,              # compiled libraries
  audit deny owner /**/*.py* r,          # python imports
}
add profiles/apparmor.d/abstractions/ubuntu-helpers: Lenient profile that is intended to be used when 'Ux' is desired but does not provide enough environment sanitizing. This effectively is an open profile that blacklists certain known dangerous files and also does not allow any capabilities. For example, it will not allow 'm' on files owned be the user invoking the program. While this provides some additional protection, please use with care as applications running under this profile are effectively running without any AppArmor protection. Use this profile only if the process absolutely must be run (effectively) unconfined. Limitations: 1. This does not work for root owned processes, because of the way we use owner matching in the sanitized helper. We could do a better job with this to support root, but it would make the policy harder to understand and going unconfined as root is not desirable any way. 2. For this sanitized_helper to work, the program running in the sanitized environment must open symlinks directly in order for AppArmor to mediate it. This is confirmed to work with: - compiled code which can load shared libraries - python imports It is known not to work with: - perl includes 3. Going forward it might be useful to try sanitizing ruby and java Use at your own risk. This profile was developed as an interim workaround for LP: #851986 until AppArmor implements proper environment filtering. 2012-01-10 18:36:14 +01:00			`# Lenient profile that is intended to be used when 'Ux' is desired but`
			`# does not provide enough environment sanitizing. This effectively is an`
			`# open profile that blacklists certain known dangerous files and also`
			`# does not allow any capabilities. For example, it will not allow 'm' on files`
			`# owned be the user invoking the program. While this provides some additional`
			`# protection, please use with care as applications running under this profile`
			`# are effectively running without any AppArmor protection. Use this profile`
			`# only if the process absolutely must be run (effectively) unconfined.`
			`#`
add note to ubuntu-helpers regarding needing to only include it once 2012-01-11 08:50:47 +01:00			`# Usage:`
			`# Because this abstraction defines the sanitized_helper profile, it must only`
			`# be #included once. Therefore this abstraction should typically not be`
			`# included in other abstractions so as to avoid parser errors regarding`
			`# multiple definitions.`
			`#`
add profiles/apparmor.d/abstractions/ubuntu-helpers: Lenient profile that is intended to be used when 'Ux' is desired but does not provide enough environment sanitizing. This effectively is an open profile that blacklists certain known dangerous files and also does not allow any capabilities. For example, it will not allow 'm' on files owned be the user invoking the program. While this provides some additional protection, please use with care as applications running under this profile are effectively running without any AppArmor protection. Use this profile only if the process absolutely must be run (effectively) unconfined. Limitations: 1. This does not work for root owned processes, because of the way we use owner matching in the sanitized helper. We could do a better job with this to support root, but it would make the policy harder to understand and going unconfined as root is not desirable any way. 2. For this sanitized_helper to work, the program running in the sanitized environment must open symlinks directly in order for AppArmor to mediate it. This is confirmed to work with: - compiled code which can load shared libraries - python imports It is known not to work with: - perl includes 3. Going forward it might be useful to try sanitizing ruby and java Use at your own risk. This profile was developed as an interim workaround for LP: #851986 until AppArmor implements proper environment filtering. 2012-01-10 18:36:14 +01:00			`# Limitations:`
			`# 1. This does not work for root owned processes, because of the way we use`
			`# owner matching in the sanitized helper. We could do a better job with`
			`# this to support root, but it would make the policy harder to understand`
			`# and going unconfined as root is not desirable any way.`
			`#`
			`# 2. For this sanitized_helper to work, the program running in the sanitized`
			`# environment must open symlinks directly in order for AppArmor to mediate`
			`# it. This is confirmed to work with:`
			`# - compiled code which can load shared libraries`
			`# - python imports`
			`# It is known not to work with:`
			`# - perl includes`
			`# 3. Sanitizing ruby and java`
			`#`
			`# Use at your own risk. This profile was developed as an interim workaround for`
			`# LP: #851986 until AppArmor utilizes proper environment filtering.`

			`profile sanitized_helper {`
			`#include <abstractions/base>`

			`# Allow all networking`
			`network inet,`

			`# Allow exec of anything, but under this profile. Allow transition`
			`# to other profiles if they exist.`
			`/bin/* Pix,`
			`/sbin/* Pix,`
			`/usr/bin/* Pix,`
			`/usr/sbin/* Pix,`

			`# Allow exec of libexec applications in /usr/lib*`
			`/usr/lib/{,/} Pix,`

			`# Full access`
			`/ r,`
			`/** rwkl,`
ubuntu-helpers: account for lib32 and lib64 2012-01-10 19:57:58 +01:00			`/{,usr/}lib{,32,64}/{,*/}.so{,.*} m,`
add profiles/apparmor.d/abstractions/ubuntu-helpers: Lenient profile that is intended to be used when 'Ux' is desired but does not provide enough environment sanitizing. This effectively is an open profile that blacklists certain known dangerous files and also does not allow any capabilities. For example, it will not allow 'm' on files owned be the user invoking the program. While this provides some additional protection, please use with care as applications running under this profile are effectively running without any AppArmor protection. Use this profile only if the process absolutely must be run (effectively) unconfined. Limitations: 1. This does not work for root owned processes, because of the way we use owner matching in the sanitized helper. We could do a better job with this to support root, but it would make the policy harder to understand and going unconfined as root is not desirable any way. 2. For this sanitized_helper to work, the program running in the sanitized environment must open symlinks directly in order for AppArmor to mediate it. This is confirmed to work with: - compiled code which can load shared libraries - python imports It is known not to work with: - perl includes 3. Going forward it might be useful to try sanitizing ruby and java Use at your own risk. This profile was developed as an interim workaround for LP: #851986 until AppArmor implements proper environment filtering. 2012-01-10 18:36:14 +01:00
			`# Dangerous files`
			`audit deny owner /*/ m, # compiled libraries`
			`audit deny owner /*/.py* r, # python imports`
fix missing '}' in ubuntu-helpers 2012-01-11 08:48:07 +01:00			`}`