mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

abstractions/base: allow read access to /run/uuidd/request

Browse source 
/run/uuidd/request is hardcoded in libuuid from util-linux and uuidd
listens on this socket to provide random and time-based UUIDs in a
secure manner (man 8 uuidd). Some applications (eg, python's uuid)
prefer to use this socket, falling back to getrandom(), /dev/urandom,
etc. Eg:

$ strace -f aa-exec -p test -- \
  python3 -c 'import uuid ; print("%s\n" % str(uuid.uuid1()))'
...
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = -1 EACCES (Permission denied)
getrandom("\x8e\x89\xa5\xe7\x39\x1b", 6, GRND_NONBLOCK) = 6
...

uuidd itself produces random numbers using getrandom() and
/dev/{,u}random (falling back to time-based if not), which are already
allowed in the base abstraction. The uuidd daemon, when available, runs
unprivileged under a dedicated user, so allowing read-only access to
/run/uuidd/request is reasonable.
This commit is contained in:
Jamie Strandboge 2019-12-17 15:56:23 -06:00
parent 098f0a7b5f
commit 45fffc129f
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
profiles/apparmor.d/abstractions/base
View file

@ -23,6 +23,10 @@
/dev/log w, /dev/log w,
/dev/random r, /dev/random r,
/dev/urandom r, /dev/urandom r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
/run/uuidd/request r,
/etc/locale/** r, /etc/locale/** r,
/etc/locale.alias r, /etc/locale.alias r,
/etc/localtime r, /etc/localtime r,