Merge Fix access to Fips 140-2 library integrity files

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/595 Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-03-04 08:24:42 +01:00 · 2020-08-31 17:41:11 +00:00 · 2020-08-31 17:41:11 +00:00 · cc97494528
commit cc97494528
parent 33112c324c ec62254b04
2 changed files with 9 additions and 0 deletions
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@ -75,6 +75,11 @@
  /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so*    mr,
  /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so*    mr,

+  # FIPS-140-2 versions of some crypto libraries need to access their
+  # associated integrity verification file, or they will abort.
+  /{usr/,}lib{,32,64}/.lib*.so*.hmac      r,
+  /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
+
  # /dev/null is pretty harmless and frequently used
  /dev/null                      rw,
  # as is /dev/zero
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@ -101,6 +101,10 @@ sub gen_default_rules() {

  # give every profile access to /dev/urandom (propolice, etc.)
  gen_file("/dev/urandom:r");
+
+  # give every profile access to FIPS hmac files in /lib and /usr/lib
+  gen_file("/{usr/,}lib{,32,64}/.lib*.so*.hmac:r");
+  gen_file("/{usr/,}lib/{,**/}.lib*.so*.hmac:r");
 }

 sub gen_elf_binary($) {