This patch adds a variable definition for the location of /proc in
tunables/proc and modifies all users of /proc to use the variable instead.

I also converted some uses of /proc/*/ to /proc/[0-9]*/ to be a
little more restrictive, as well as removing some references to proc
files that are already covered by abstractions/base (the removals in
abstractions/bash seem justified as all uses of abstractions/bash are
immediately preceded by abstractions/base).
This commit is contained in:
Steve Beattie 2007-05-25 02:09:30 +00:00
parent f442a50a4d
commit 7e6e37953f
53 changed files with 70 additions and 134 deletions


@ -34,7 +34,7 @@
/dev/snd/* rw,
/dev/sound/* rw,
/proc/asound/** rw,
@{PROC}/asound/** rw,
/usr/share/alsa/** r,


@ -65,12 +65,12 @@
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
/proc/sys/kernel/version r,
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
/proc/sys/kernel/ngroups_max r,
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
/proc/meminfo r,
/proc/stat r,
/proc/cpuinfo r,
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,


@ -33,12 +33,8 @@
# bash inspects filesystems at startup
/etc/mtab r,
/proc/sys/kernel/ngroups_max r,
/proc/*/mounts r,
/proc/filesystems r,
# bash wants, not sure why.
/proc/meminfo r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/filesystems r,
# probably readline wants to know terminal capabilities
/usr/share/terminfo/** r,


@ -17,7 +17,7 @@
/etc/postfix/*.cf r,
/etc/postfix/*.db r,
/proc/net/if_inet6 r,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
/usr/lib64/sasl2/* mr,
/usr/lib64/sasl2/ r,


@ -17,7 +17,7 @@
capability sys_admin,
/boot/System.map* r,
/proc/kmsg r,
@{PROC}/kmsg r,
/sbin/klogd rmix,
/var/log/boot.msg rwl,
/var/run/klogd.pid rwl,


@ -13,3 +13,4 @@
# should be included here
#include <tunables/home>
#include <tunables/proc>
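Review bot: The `#include <tunables/proc>` added here is load-bearing for every profile, because abstractions/base in this same commit now references `@{PROC}`, so a profile that includes abstractions/base without reaching this tunables file would presumably fail to load on an undeclared variable rather than silently keep the old `/proc` rules. That cannot be checked from this page, since the profile headers lie outside the shown hunks. The definition file tunables/proc itself is also not among the shown sections, so the value it assigns (in particular whether it carries a trailing slash, which the `@{PROC} r,` and `@{PROC}/net` rules elsewhere in the commit depend on) cannot be confirmed here.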


@ -21,7 +21,7 @@
/etc/identd.key r,
/etc/identd.pid w,
/usr/sbin/identd rmix,
/proc/net/tcp r,
/proc/net/tcp6 r,
@{PROC}/net/tcp r,
@{PROC}/net/tcp6 r,
/var/run/identd.pid w,
}


@ -25,9 +25,8 @@
/usr/sbin/mdnsd rmix,
/proc/net/ r,
/proc/net/unix r,
/proc/sys/kernel/ngroups_max r,
@{PROC}/net/ r,
@{PROC}/net/unix r,
/var/run/mdnsd lw,
/var/run/mdnsd.pid w,
}


@ -21,13 +21,11 @@
capability net_bind_service,
/etc/nscd.conf r,
/proc/meminfo r,
/proc/*/fd/ r,
/proc/*/fd/* r,
/proc/*/maps r,
/proc/*/mounts r,
/proc/filesystems r,
/proc/sys/kernel/ngroups_max r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/fd/* r,
@{PROC}/[0-9]*/maps r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/filesystems r,
/usr/sbin/nscd rmix,
/var/run/.nscd_socket wl,
/var/run/nscd/ r,


@ -33,7 +33,7 @@
/etc/ntp/drift* rwl,
/etc/ntp/keys r,
/etc/ntp/step-tickers r,
/proc/net/if_inet6 r,
@{PROC}/net/if_inet6 r,
/tmp/ntp* rwl,
/usr/sbin/ntpd rmix,
/var/lib/ntp/etc/ntp.conf.iburst r,


@ -18,6 +18,6 @@
capability net_raw,
/proc/net/route r,
@{PROC}/net/route r,
/usr/sbin/traceroute rmix,
}


@ -25,9 +25,9 @@
/bin/netstat rmix,
/etc/networks r,
/proc r,
/proc/[0-9]*/cmdline r,
/proc/[0-9]*/fd r,
/proc/net r,
/proc/net/* r,
@{PROC} r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/fd r,
@{PROC}/net r,
@{PROC}/net/* r,
}
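Review bot: `@{PROC} r,` here and `@{PROC}/ r,` in the later section that also reads `@{PROC}/interrupts` spell a read of the same directory two different ways, and the two sections should agree on whichever form the parser treats as a directory match. Both forms also assume the tunable expands without a trailing slash; with `@{PROC}=/proc/` the rules in this hunk would become `/proc//net` and similar, and the tunable's value is not visible on this page. The enclosing profile starts outside the hunk.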


@ -40,8 +40,8 @@
/etc/logrotate.d r,
/etc/logrotate.d/* r,
/etc/subdomain.d r,
/proc r,
/proc/[1-9]* r,
@{PROC} r,
@{PROC}/[1-9]* r,
/tmp w,
/tmp/file* wl,
/tmp/logrot* wlr,


@ -21,7 +21,6 @@
/dev/tty wr ,
/etc/cron.daily/slocate.cron r ,
/etc/mtab r ,
/proc/meminfo r ,
/usr/bin/slocate mixr,
/usr/bin/renice mixr,
/** r ,


@ -132,11 +132,9 @@
/opt/mozilla/bin/mozilla.sh Pxr,
/opt/mozilla/lib/** r,
/opt/mozilla/lib/**.so mr,
/proc/*/cmdline r,
/proc/meminfo r,
/proc/net r,
/proc/net/* r,
/proc/stat r,
@{PROC}/*/cmdline r,
@{PROC}/net r,
@{PROC}/net/* r,
/tmp r,
/tmp/* lrw,
/tmp/.ICE-unix/* w,
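Review bot: `@{PROC}/*/cmdline r,` in this hunk keeps the unrestricted `*` component, while the same per-process paths elsewhere in the commit (the nscd, sshd and KDE sections) are narrowed to `[0-9]*` as the description says; the Acrobat section two hunks down has the identical `@{PROC}/*/cmdline r,`. For consistency both should read `@{PROC}/[0-9]*/cmdline r,`. The enclosing profile continues outside the hunk.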


@ -59,9 +59,7 @@
/opt/kde3/bin/kde-config mixr,
/opt/mozilla/lib/lib*so* mr,
/opt/mozilla/lib64/lib*so* mr,
/proc/cpuinfo r,
/proc/stat r,
/proc/*/cmdline r,
@{PROC}/*/cmdline r,
/usr/X11R6/lib/Acrobat*/Resource/Font/* r,
/usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r,
/usr/X11R6/lib/lib*so* mr,


@ -37,8 +37,6 @@
/opt/gnome/lib/gnome-vfs** mr,
/opt/gnome/lib/lib*so* mr,
/opt/gnome/share/evolution-data-server-*/** mr,
/proc/meminfo r,
/proc/stat r,
/usr/X11R6/lib/X11/locale/* r,
}


@ -33,12 +33,12 @@
/bin/ps mixr,
/dev/random r,
/etc/dhclient.conf r,
/proc/ r,
/proc/interrupts r,
/proc/net/dev r,
/proc/rtc r,
/proc/self/status r,
/proc/stat r,
@{PROC}/ r,
@{PROC}/interrupts r,
@{PROC}/net/dev r,
@{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
@{PROC}/self/status r,
/sbin/arp rmix,
/usr/bin/dig rmix,
/usr/bin/uptime rmix,
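Review bot: `@{PROC}/self/status r,` is carried over with the comment directly above it saying it should not work because `self` is a symlink, which leaves a rule in the profile that the author expects to be dead; presumably the resolved path the kernel matches is `/proc/<pid>/status`, so the rule grants nothing. Either drop the rule, or, if the program really needs its own status file, use the `[0-9]*` form the rest of the commit adopts, `@{PROC}/[0-9]*/status r,`, noting in the comment that this also admits every other process's status. The enclosing profile continues outside the hunk.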


@ -19,7 +19,6 @@
/dev/tty wr,
/etc/X11/fs/config r,
/etc/mtab r,
/proc/meminfo r,
/tmp/.font-unix/fs710[0-9] wl,
/usr/X11R6/bin/xfs rmix,
/usr/X11R6/lib/lib*.so* mr,


@ -20,7 +20,6 @@
capability setgid,
capability setuid,
/proc/sys/kernel/ngroups_max r,
/usr/lib/man-db/man Px,
}


@ -37,10 +37,9 @@
/etc/opera6rc rw,
/etc/opera6rc.fixed rw,
/opt r,
/proc/*/stat r,
/proc/net/if_inet6 r,
/proc/stat r,
/proc/sys/vm/heap-stack-gap r,
@{PROC}/[0-9]*/stat r,
@{PROC}/net/if_inet6 r,
@{PROC}/sys/vm/heap-stack-gap r,
@{HOME}/.fonts.cache-* r,
@{HOME}/.fonts r,


@ -63,12 +63,11 @@
/opt/kde3/bin/kde-config mixr,
/opt/kde3/share/applications/**.desktop r,
/opt/kde3/share/applications/mimeinfo.cache r,
/proc/*/cmdline r,
/proc/*/maps r,
/proc/*/stat r,
/proc/net/if_inet6 r,
/proc/stat r,
/proc/sys/vm/heap-stack-gap r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/maps r,
@{PROC}/[0-9]*/stat r,
@{PROC}/net/if_inet6 r,
@{PROC}/sys/vm/heap-stack-gap r,
/usr/X11R6/lib/Acrobat*/Browser/intellinux/nppdf.so mr,
/usr/X11R6/lib/Acrobat*/Resource/Font/** r,
/usr/X11R6/lib/lib*so* mr,


@ -33,7 +33,6 @@
/etc/papersize r,
/etc/termcap r,
/opt/gnome/man/** r,
/proc/sys/kernel/ngroups_max r,
/usr/bin/apropos Px,
/usr/bin/cmp rmix,
/usr/bin/groff rmix,


@ -25,6 +25,5 @@
/etc/postfix/main.cf r,
/{var/spool/postfix/,}private/anvil rw,
/{var/spool/postfix/,}pid/unix.anvil rw,
/proc/net/if_inet6 r,
/proc/sys/kernel/ngroups_max r,
@{PROC}/net/if_inet6 r,
}


@ -43,6 +43,5 @@
/{var/spool/postfix/,}pid/unix.trace rw,
/etc/postfix/main.cf r,
/proc/net/if_inet6 r,
/proc/sys/kernel/ngroups_max r,
@{PROC}/net/if_inet6 r,
}


@ -31,6 +31,4 @@
/{var/spool/postfix/,}pid/unix.cleanup rw,
/etc/{m,fs}tab r,
/etc/postfix/* r,
/proc/sys/kernel/ngroups_max r,
/proc/{stat,cpuinfo} r,
}


@ -48,7 +48,4 @@
@{HOME}/.forward r,
/proc/stat r,
/proc/sys/kernel/ngroups_max r,
}


@ -33,7 +33,6 @@
/etc/{postfix/,}aliases.db r,
# mailman on SuSE is configed to have its own alias file
/var/lib/mailman/data/aliases.db r,
/proc/{cpuinfo,stat} r,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rw,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]* rw,
/{var/spool/postfix/,}active/[0-9A-F]* rw,


@ -19,8 +19,6 @@
/usr/lib/postfix/pickup rmix,
/proc/sys/kernel/ngroups_max r,
/{var/spool/postfix/,}public/cleanup w,
/{var/spool/postfix/,}public/pickup r,
/{var/spool/postfix/,}maildrop r,


@ -22,6 +22,5 @@
/usr/lib/postfix/proxymap rmix,
/etc/postfix/main.cf r,
/proc/net/if_inet6 r,
/proc/sys/kernel/ngroups_max r,
@{PROC}/net/if_inet6 r,
}


@ -18,7 +18,6 @@
#include <program-chunks/postfix-common>
/usr/lib/postfix/qmgr rmix,
/proc/sys/kernel/ngroups_max r,
/{var/spool/postfix/,}active r,
/{var/spool/postfix/,}active/[0-9A-F] r,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F] rwl,


@ -19,6 +19,5 @@
/usr/lib/postfix/scache rmix,
/proc/sys/kernel/ngroups_max r,
/var/run/nscd/group r,
}


@ -52,6 +52,4 @@
/{var/spool/postfix/,}maildrop r,
/{var/spool/postfix/,}maildrop/[0-9A-F]* r,
/{var/spool/postfix/,}pid/unix.showq rw,
/proc/sys/kernel/ngroups_max r,
}


@ -38,12 +38,9 @@
/{var/spool/postfix/,}pid/unix.relay rw,
/etc/postfix/{ssl/,}*.pem r,
/etc/postfix/prng_exch rw,
/proc/sys/kernel/ngroups_max r,
/usr/share/ssl/certs/ca-bundle.crt r,
/usr/share/ssl/openssl.cnf r,
/etc/postfix/virtual.db r,
/etc/postfix/sasl_passwd.db r,
/etc/mtab r,
/proc/stat r,
/proc/meminfo r,
}


@ -55,9 +55,5 @@
/var/run/sasl2/mux w,
/proc/net/if_inet6 r,
/proc/cpuinfo r,
/proc/stat r,
/proc/sys/kernel/ngroups_max r,
@{PROC}/net/if_inet6 r,
}


@ -20,7 +20,6 @@
/usr/lib/postfix/tlsmgr rmix,
/etc/postfix/prng_exch rw,
/proc/sys/kernel/ngroups_max r,
/{var/spool/postfix/,}private/tlsmgr r,
/var/run/__db.smtpd_tls_session_cache.db rw,
/var/run/smtpd_tls_session_cache.db rw,


@ -24,7 +24,4 @@
/etc/postfix/virtual.db r,
/etc/{m,fs}tab r,
/var/spool/postfix/pid/unix.rewrite rw,
/proc/{cpuinfo,stat} r,
/proc/sys/kernel/ngroups_max r,
}


@ -40,8 +40,6 @@
/etc/php.d r,
/etc/php.d/** r,
/etc/php.ini r,
/proc/meminfo r,
/proc/sys/kernel/ngroups_max r,
/tmp/auth_ldap_cache.sem wl,
/tmp/session_mm_apache0.sem wl,
/tmp/session_mm_apache2handler0.sem wl,


@ -27,8 +27,6 @@
capability setgid,
capability setuid,
/proc/sys/kernel/ngroups_max r,
/etc/lighttpd r,
/etc/lighttpd/*.conf r,
/etc/lighttpd/conf.d/*.conf r,


@ -22,8 +22,8 @@
/etc/oidentd.conf r,
/etc/oidentd_masq.conf r,
/proc/net/tcp r,
/proc/net/tcp6 r,
@{PROC}/net/tcp r,
@{PROC}/net/tcp6 r,
# spoofing feature of oidentd
@{HOME}/.ispoof r,


@ -26,9 +26,7 @@
/etc/postfix/__db.aliases.db lrw,
/etc/__db.aliases.db rwl,
/usr/sbin/postalias rmix,
/proc/net/if_inet6 r,
/proc/cpuinfo r,
/proc/stat r,
@{PROC}/net/if_inet6 r,
# On SuSE, mailman is configured to use its own alias db
/var/lib/mailman/data/aliases r,
/var/lib/mailman/data/__db.aliases.db rwl,


@ -25,7 +25,7 @@
/etc/postfix r,
/etc/postfix/main.cf r,
/etc/postfix/postfix-script mixr,
/proc/net/if_inet6 r,
@{PROC}/net/if_inet6 r,
/usr/sbin/postdrop rmix,
/var/spool/postfix r,
/var/spool/postfix/maildrop r,


@ -21,8 +21,6 @@
/etc/mtab r,
/etc/postfix/* r,
/etc/postfix/*.db rwl,
/proc/cpuinfo r,
/proc/net/if_inet6 r,
/proc/stat r,
@{PROC}/net/if_inet6 r,
/usr/sbin/postmap rmix,
}


@ -44,11 +44,8 @@
/etc/sendmail.cf r,
/etc/sendmail.cw r,
/etc/shells r,
/proc/cpuinfo r,
/proc/loadavg r,
/proc/meminfo r,
/proc/net/if_inet6 r,
/proc/stat r,
@{PROC}/loadavg r,
@{PROC}/net/if_inet6 r,
/root/dead.letter w,
/root/.forward rw,
/usr/kerberos/lib/lib*.so* mr,


@ -25,8 +25,7 @@
/etc/postfix/aliases.db rw,
/etc/postfix/main.cf r,
/etc/postfix/postfix-script Px,
/proc/meminfo r,
/proc/net/if_inet6 r,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix r,
/usr/lib/postfix/master Px,
/usr/lib/postfix/showq Px,


@ -15,8 +15,7 @@
#include <abstractions/base>
#include <abstractions/nameservice>
/proc/loadavg r,
/proc/cpuinfo r,
@{PROC}/loadavg r,
/etc/aliases rw,
/etc/aliases.db rw,
/etc/fstab r,
@ -29,7 +28,6 @@
/etc/sendmail.cf r,
/etc/sendmail.cw r,
/etc/shells r,
/proc/stat r,
/root/.forward rw,
/root/dead.letter w,
/usr/bin/procmail Px,


@ -32,7 +32,7 @@
@{HOME}/** rwl,
@{HOMEDIRS} rwl,
/proc/*/mounts r,
@{PROC}/[0-9]*/mounts r,
/tmp rw,
/var/tmp rw,
/var/tmp/** lrw,


@ -30,7 +30,6 @@
@{HOME}/.spamassassin/* lrw,
/proc/stat r,
/tmp/spamd-*-init r,
/tmp/spamd-*-init/** lrw,
/usr/bin/perl mix,


@ -30,11 +30,10 @@
/dev/tty rw,
/etc/mtab r,
/etc/squid/* r,
/proc/*/mounts r,
/proc/mounts r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/mounts r,
/usr/share/squid/** r,
/var/log/squid/access.log w,
/proc/sys/kernel/ngroups_max r,
/var/log/squid/cache.log rw,
/var/log/squid/store.log w,
/var/run/squid.pid lrw,


@ -42,8 +42,8 @@
/var/run w,
/var/run/sshd{,.init}.pid wl,
/proc/[0-9]*/fd/ r,
/proc/[0-9]*/loginuid w,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
@ -67,8 +67,7 @@
/dev/pts/[0-9]* rw,
/etc/ssh/moduli r,
/proc/sys/kernel/ngroups_max r,
/proc/[0-9]*/mounts r,
@{PROC}/[0-9]*/mounts r,
# duplicated from AUTHENTICATED
/etc/motd r,
@ -134,8 +133,7 @@
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/ssh/moduli r,
/proc/sys/kernel/ngroups_max r,
/proc/[0-9]*/mounts r,
@{PROC}/[0-9]*/mounts r,
# for debugging
# /dev/pts/[0-9]* rw,
@ -160,7 +158,6 @@
/etc/localtime r,
/etc/login.defs r,
/etc/motd r,
/proc/sys/kernel/ngroups_max r,
/tmp/ssh-*/agent.[0-9]* rwl,
/tmp/ssh-*[0-9]*/ w,


@ -38,8 +38,8 @@
/etc/skel r,
/etc/skel/** r,
@{HOMEDIRS}** rw,
/proc/*/mounts r,
/proc/filesystems r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/filesystems r,
/usr/lib*/pwdutils/*so* mr,
/usr/sbin/adduser rmix,
/usr/sbin/useradd rmix,


@ -38,7 +38,7 @@
/etc/shadow* rwl,
/etc/pwdutils/logging r,
@{HOMEDIRS}** rwl,
/proc/*/mounts r,
@{PROC}/[0-9]*/mounts r,
/usr/bin/crontab rmix,
/usr/lib*/pwdutils/*.so.* mr,
/usr/sbin/userdel rmix,


@ -24,7 +24,6 @@
/etc/shells r,
/etc/vsftpd.* r,
/etc/vsftpd/* r,
/proc/meminfo r,
/usr/sbin/vsftpd rmix,
/var/log/vsftpd.log w,
/var/log/xferlog w,