From e5a72e8efba50e7b2de701d94aec91454bb74ed5 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 21 Oct 2018 13:25:36 +0200
Subject: [PATCH 1/2] revert "profiles: support void-specific binary names for openntpd, traceroute, and ping"
This reverts the following commit which changes the profile names - something we should avoid on an old branch.
commit ae3e230b053e0521f54ea1590326dae895b7642c
Author: Cameron Nemo
Date: Tue Sep 11 09:54:33 2018 -0700
profiles: support void-specific binary names for openntpd, traceroute, and ping
(cherry picked from commit 6e28a94acefd5d3e001d35c53ecf999a6c3a16fd)
Signed-off-by: John Johansen
---
 profiles/apparmor.d/bin.ping | 4 ++--
 profiles/apparmor.d/usr.sbin.ntpd | 4 ++--
 profiles/apparmor.d/usr.sbin.traceroute | 5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/profiles/apparmor.d/bin.ping b/profiles/apparmor.d/bin.ping
index e3d0e0362..87180f51d 100644
--- a/profiles/apparmor.d/bin.ping
+++ b/profiles/apparmor.d/bin.ping
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include
-profile ping /{usr/,}bin/{,iputils-}ping {
+profile ping /{usr/,}bin/ping {
 #include
 #include
 #include
@@ -20,7 +20,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
 network inet raw,
 network inet6 raw,
- /{,usr/}bin/{,iputils-}ping mixr,
+ /{,usr/}bin/ping mixr,
 /etc/modules.conf r,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/usr.sbin.ntpd b/profiles/apparmor.d/usr.sbin.ntpd
index 3830ed75e..5f7f7e350 100644
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -11,7 +11,7 @@
 #include
 #include
-/usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
+/usr/{bin,sbin}/ntpd flags=(attach_disconnected) {
 #include
 #include
 #include
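Review bot: The bin.ping hunk does not match the stated rationale: the profile keeps its explicit name `ping` on both sides of the change, and only the attachment glob is narrowed from `/{usr/,}bin/{,iputils-}ping` back to `/{usr/,}bin/ping`, so no `signal peer=` rule elsewhere could have depended on it. The practical effect of reverting it is that a binary installed as `iputils-ping`, the case the reverted commit added, no longer attaches to this profile and runs unconfined. If the goal is only to keep profile names stable on this branch, the ping part of the original commit could be retained; otherwise the description should state that narrowing the attachment is intentional. The profile body continues outside the hunk.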
@@ -40,7 +40,7 @@
 /tmp/ntp* rwl,
 /{usr/,usr/local/,}{s,}bin/ r,
- /usr/{bin,sbin}/{,open}ntpd rmix,
+ /usr/{bin,sbin}/ntpd rmix,
 /var/db/ r,
 /var/db/ntpd.drift rwl,
 /var/lib/ntp/drift rwl,
diff --git a/profiles/apparmor.d/usr.sbin.traceroute b/profiles/apparmor.d/usr.sbin.traceroute
index 2c08027f4..25b32e621 100644
--- a/profiles/apparmor.d/usr.sbin.traceroute
+++ b/profiles/apparmor.d/usr.sbin.traceroute
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include
-profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
+/usr/{{bin,sbin}/traceroute,bin/traceroute.db} {
 #include
 #include
 #include
@@ -21,7 +21,8 @@ profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/tracerou
 network inet raw,
 network inet6 raw,
- /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
+ /usr/{bin,sbin}/traceroute mrix,
+ /usr/bin/traceroute.db mrix,
 @{PROC}/net/route r,
 @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
From 002fda87184621644af7295d33b0c35b13aa37ce Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 21 Oct 2018 13:32:07 +0200
Subject: [PATCH 2/2] Revert "profiles: support distributions which merge sbin into bin"
This changed the profile names and needs adjustments to "signal peer=..." rules, which is something we should avoid in an old branch.
The reverted commit is
commit 0ce15469ec338ee5116c3c794b5c46896b3ee5f6
Author: Cameron Nemo
Date: Wed Jul 25 14:07:35 2018 -0700
profiles: support distributions which merge sbin into bin
Closes #8
(cherry picked from commit 9ab45d811e38ab5363ee6c8f79ee44f8a34c6be5)
Signed-off-by: John Johansen
---
 .../apparmor.d/abstractions/apache2-common | 4 ++--
 .../apparmor.d/abstractions/dovecot-common | 2 +-
 .../apparmor.d/abstractions/ubuntu-helpers | 4 +++-
 profiles/apparmor.d/sbin.klogd | 6 +++---
 profiles/apparmor.d/sbin.syslog-ng | 4 ++--
 profiles/apparmor.d/sbin.syslogd | 4 ++--
 .../apparmor.d/usr.lib.dovecot.dovecot-lda | 18 +++++++++---------
 profiles/apparmor.d/usr.sbin.apache2 | 2 +-
 profiles/apparmor.d/usr.sbin.avahi-daemon | 4 ++--
 profiles/apparmor.d/usr.sbin.dnsmasq | 8 ++++----
 profiles/apparmor.d/usr.sbin.dovecot | 4 ++--
 profiles/apparmor.d/usr.sbin.identd | 4 ++--
 profiles/apparmor.d/usr.sbin.mdnsd | 4 ++--
 profiles/apparmor.d/usr.sbin.nmbd | 4 ++--
 profiles/apparmor.d/usr.sbin.nscd | 4 ++--
 profiles/apparmor.d/usr.sbin.ntpd | 4 ++--
 profiles/apparmor.d/usr.sbin.smbd | 6 +++---
 profiles/apparmor.d/usr.sbin.smbldap-useradd | 6 +++---
 profiles/apparmor.d/usr.sbin.traceroute | 4 ++--
 profiles/apparmor.d/usr.sbin.winbindd | 4 ++--
 20 files changed, 51 insertions(+), 49 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/apache2-common b/profiles/apparmor.d/abstractions/apache2-common
index 0c29c5bab..3088c0362 100644
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@@ -7,9 +7,9 @@
 # Allow unconfined processes to send us signals by default
 signal (receive) peer=unconfined,
 # Allow apache to send us signals by default
- signal (receive) peer=/usr/{bin,sbin}/apache2,
+ signal (receive) peer=/usr/sbin/apache2,
 # Allow other hats to signal by default
- signal peer=/usr/{bin,sbin}/apache2//*,
+ signal peer=/usr/sbin/apache2//*,
 # Allow us to signal ourselves
 signal peer=@{profile_name},
diff --git a/profiles/apparmor.d/abstractions/dovecot-common b/profiles/apparmor.d/abstractions/dovecot-common
index 08dc3311f..327cc567d 100644
--- a/profiles/apparmor.d/abstractions/dovecot-common
+++ b/profiles/apparmor.d/abstractions/dovecot-common
@@ -14,6 +14,6 @@
 deny capability block_suspend,
 # dovecot's master can send us signals
- signal receive peer=/usr/{bin,sbin}/dovecot,
+ signal receive peer=/usr/sbin/dovecot,
 /{var/,}run/dovecot/config rw,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-helpers b/profiles/apparmor.d/abstractions/ubuntu-helpers
index 3f0803f0b..62d284be2 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-helpers
+++ b/profiles/apparmor.d/abstractions/ubuntu-helpers
@@ -46,7 +46,9 @@ profile sanitized_helper {
 # Allow exec of anything, but under this profile. Allow transition
 # to other profiles if they exist.
- /{usr/,usr/local/,}{bin,sbin}/* Pixr,
+ /{usr/,}bin/* Pixr,
+ /{usr/,}sbin/* Pixr,
+ /usr/local/bin/* Pixr,
 # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
 /usr/{,local/}lib*/{,**/}* Pixr,
diff --git a/profiles/apparmor.d/sbin.klogd b/profiles/apparmor.d/sbin.klogd
index f2ab87ca2..f59db7a8b 100644
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@@ -11,7 +11,7 @@
 #include
-profile klogd /{usr/,}{bin,sbin}/klogd {
+profile klogd /{usr/,}sbin/klogd {
 #include
 capability sys_admin, # for backward compatibility with kernel <= 2.6.37
@@ -21,10 +21,10 @@ profile klogd /{usr/,}{bin,sbin}/klogd {
 /boot/System.map* r,
 @{PROC}/kmsg r,
- @{PROC}/kallsyms r,
+ @{PROC}/kallsyms r,
 /dev/tty rw,
- /{usr/,}{bin,sbin}/klogd rmix,
+ /{usr/,}sbin/klogd rmix,
 /var/log/boot.msg rwl,
 /{,var/}run/klogd.pid krwl,
 /{,var/}run/klogd/klogd.pid krwl,
diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng
index b179b3e6c..240aacc61 100644
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -15,7 +15,7 @@
 #define this to be where syslog-ng is chrooted
 @{CHROOT_BASE}=""
-profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
+profile syslog-ng /{usr/,}sbin/syslog-ng {
 #include
 #include
 #include
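Review bot: The ubuntu-helpers hunk changes exec rules inside `profile sanitized_helper`, not a profile name, so the `signal peer=` concern given in the description does not apply to it; what the revert actually does here is drop the `/usr/local/sbin/*` exec permission that the single glob `/{usr/,usr/local/,}{bin,sbin}/* Pixr,` granted, while `/usr/local/bin/* Pixr,` stays. That restores a pre-existing asymmetry rather than introducing one, but it is a functional narrowing on systems that ship helpers in /usr/local/sbin. Consider keeping the one-line glob for this abstraction, or noting in the description that it is reverted only to keep the patch an exact revert. The sanitized_helper profile starts before and continues after the hunk.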
@@ -46,7 +46,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
 @{PROC}/kmsg r,
 /etc/hosts.deny r,
 /etc/hosts.allow r,
- /{usr/,}{bin,sbin}/syslog-ng mr,
+ /{usr/,}sbin/syslog-ng mr,
 /sys/devices/system/cpu/online r,
 /usr/share/syslog-ng/** r,
 /var/lib/syslog-ng/syslog-ng-?????.qf rw,
diff --git a/profiles/apparmor.d/sbin.syslogd b/profiles/apparmor.d/sbin.syslogd
index d8f65d65f..56af397bb 100644
--- a/profiles/apparmor.d/sbin.syslogd
+++ b/profiles/apparmor.d/sbin.syslogd
@@ -11,7 +11,7 @@
 #include
-profile syslogd /{usr/,}{bin,sbin}/syslogd {
+profile syslogd /{usr/,}sbin/syslogd {
 #include
 #include
 #include
@@ -32,7 +32,7 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd {
 /dev/tty* w,
 /dev/xconsole rw,
 /etc/syslog.conf r,
- /{usr/,}{bin,sbin}/syslogd rmix,
+ /{usr/,}sbin/syslogd rmix,
 /var/log/** rw,
 /{,var/}run/syslogd.pid krwl,
 /{,var/}run/utmp rw,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
index d601d503c..2041d5bc7 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@@ -29,14 +29,14 @@
 /run/dovecot/auth-userdb rw,
 /usr/bin/doveconf mrix,
 /usr/lib/dovecot/dovecot-lda mrix,
- /usr/{bin,sbin}/sendmail Cx,
+ /usr/sbin/sendmail Cx,
 /usr/share/dovecot/protocols.d/ r,
 # Site-specific additions and overrides. See local/README for details.
 #include
- profile /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
+ profile /usr/sbin/sendmail flags=(attach_disconnected) {
 # this profile is based on the usr.sbin.sendmail profile in extras
 # and should support both postfix' and sendmail's sendmail binary
@@ -69,13 +69,13 @@
 /usr/lib/postfix/master Px,
 /usr/lib/postfix/showq Px,
 /usr/lib/postfix/smtpd Px,
- /usr/{bin,sbin}/postalias Px,
- /usr/{bin,sbin}/postdrop Px,
- /usr/{bin,sbin}/postfix Px,
- /usr/{bin,sbin}/postqueue Px,
- /usr/{bin,sbin}/sendmail mrix,
- /usr/{bin,sbin}/sendmail.postfix mrix,
- /usr/{bin,sbin}/sendmail.sendmail mrix,
+ /usr/sbin/postalias Px,
+ /usr/sbin/postdrop Px,
+ /usr/sbin/postfix Px,
+ /usr/sbin/postqueue Px,
+ /usr/sbin/sendmail mrix,
+ /usr/sbin/sendmail.postfix mrix,
+ /usr/sbin/sendmail.sendmail mrix,
 /{var/,}run/sendmail.pid rwl,
 /{var/,}run/sm-client.pid rwl,
 /{var/,}run/utmp rw,
diff --git a/profiles/apparmor.d/usr.sbin.apache2 b/profiles/apparmor.d/usr.sbin.apache2
index e82733cd7..25a147f28 100644
--- a/profiles/apparmor.d/usr.sbin.apache2
+++ b/profiles/apparmor.d/usr.sbin.apache2
@@ -1,7 +1,7 @@
 # Author: Marc Deslauriers
 #include
-/usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
+/usr/sbin/apache2 {
 # This profile is completely permissive.
 # It is designed to target specific applications using mod_apparmor,
diff --git a/profiles/apparmor.d/usr.sbin.avahi-daemon b/profiles/apparmor.d/usr.sbin.avahi-daemon
index 3d1b1b8d6..fa0fb3c94 100644
--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
@@ -1,5 +1,5 @@
 #include
-/usr/{bin,sbin}/avahi-daemon {
+/usr/sbin/avahi-daemon {
 #include
 #include
 #include
@@ -20,7 +20,7 @@
 /etc/avahi/services/ r,
 /etc/avahi/services/*.service r,
 @{PROC}/@{pid}/fd/ r,
- /usr/{bin,sbin}/avahi-daemon mr,
+ /usr/sbin/avahi-daemon mr,
 /usr/share/avahi/introspection/*.introspect r,
 /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
 /{,var/}run/avahi-daemon/ w,
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index d0fae9df2..1ac8366bf 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
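Review bot: The usr.sbin.apache2 hunk removes `flags=(attach_disconnected)` together with the path change, turning `/usr/{bin,sbin}/apache2 flags=(attach_disconnected) {` into `/usr/sbin/apache2 {`, which goes beyond the profile-name revert the description covers. If that flag was not introduced by 0ce15469 (it is not mentioned in the reverted commit's title or in this description), dropping it changes enforcement: accesses apache2 makes through disconnected paths that were permitted become denials. Please confirm against the reverted commit, and if the flag predates it keep `/usr/sbin/apache2 flags=(attach_disconnected) {`; otherwise say in the description that the flag is removed as well. The apache2 profile body continues past the hunk.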
@@ -12,7 +12,7 @@
 @{TFTP_DIR}=/var/tftp /srv/tftpboot
 #include
-profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+/usr/sbin/dnsmasq flags=(attach_disconnected) {
 #include
 #include
 #include
@@ -26,8 +26,8 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
 network inet raw,
 network inet6 raw,
- signal (receive) peer=/usr/{bin,sbin}/libvirtd,
- ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+ ptrace (readby) peer=/usr/sbin/libvirtd,
 owner /dev/tty rw,
@@ -42,7 +42,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
 /etc/NetworkManager/dnsmasq-shared.d/ r,
 /etc/NetworkManager/dnsmasq-shared.d/* r,
- /usr/{bin,sbin}/dnsmasq mr,
+ /usr/sbin/dnsmasq mr,
 /var/log/*dnsmasq.log w,
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 4b0fd04f6..e3a85fa02 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -12,7 +12,7 @@
 #include
-/usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
+/usr/sbin/dovecot flags=(attach_disconnected) {
 #include
 #include
 #include
@@ -55,7 +55,7 @@
 /usr/lib/dovecot/ssl-build-param rix,
 /usr/lib/dovecot/ssl-params mrPx,
 /usr/lib/dovecot/stats Px,
- /usr/{bin,sbin}/dovecot mrix,
+ /usr/sbin/dovecot mrix,
 /usr/share/dovecot/protocols.d/ r,
 /usr/share/dovecot/protocols.d/** r,
 /var/lib/dovecot/ w,
diff --git a/profiles/apparmor.d/usr.sbin.identd b/profiles/apparmor.d/usr.sbin.identd
index b19a21ba0..baca3012a 100644
--- a/profiles/apparmor.d/usr.sbin.identd
+++ b/profiles/apparmor.d/usr.sbin.identd
@@ -11,7 +11,7 @@
 #include
-/usr/{bin,sbin}/identd {
+/usr/sbin/identd {
 #include
 #include
 capability net_bind_service,
@@ -20,7 +20,7 @@
 /etc/identd.conf r,
 /etc/identd.key r,
 /etc/identd.pid w,
- /usr/{bin,sbin}/identd rmix,
+ /usr/sbin/identd rmix,
 @{PROC}/net/tcp r,
 @{PROC}/net/tcp6 r,
 /{,var/}run/identd.pid w,
diff --git a/profiles/apparmor.d/usr.sbin.mdnsd b/profiles/apparmor.d/usr.sbin.mdnsd
index 4bf275e45..e470808b4 100644
--- a/profiles/apparmor.d/usr.sbin.mdnsd
+++ b/profiles/apparmor.d/usr.sbin.mdnsd
@@ -11,7 +11,7 @@
 #include
-/usr/{bin,sbin}/mdnsd {
+/usr/sbin/mdnsd {
 #include
 #include
 #include
@@ -24,7 +24,7 @@
 network netlink dgram,
- /usr/{bin,sbin}/mdnsd rmix,
+ /usr/sbin/mdnsd rmix,
 @{PROC}/net/ r,
 @{PROC}/net/unix r,
diff --git a/profiles/apparmor.d/usr.sbin.nmbd b/profiles/apparmor.d/usr.sbin.nmbd
index d45a6c88a..1c1a3921a 100644
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -1,6 +1,6 @@
 #include
-/usr/{bin,sbin}/nmbd {
+/usr/sbin/nmbd {
 #include
 #include
 #include
@@ -9,7 +9,7 @@
 @{PROC}/sys/kernel/core_pattern r,
- /usr/{bin,sbin}/nmbd mr,
+ /usr/sbin/nmbd mr,
 /var/cache/samba/gencache.tdb rwk,
 /var/cache/samba/gencache_notrans.tdb rwk,
diff --git a/profiles/apparmor.d/usr.sbin.nscd b/profiles/apparmor.d/usr.sbin.nscd
index c8dfd19f6..46d3e2b36 100644
--- a/profiles/apparmor.d/usr.sbin.nscd
+++ b/profiles/apparmor.d/usr.sbin.nscd
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include
-/usr/{bin,sbin}/nscd {
+/usr/sbin/nscd {
 #include
 #include
 #include
@@ -23,7 +23,7 @@
 /etc/netgroup r,
 /etc/nscd.conf r,
- /usr/{bin,sbin}/nscd rmix,
+ /usr/sbin/nscd rmix,
 /{,var/}run/.nscd_socket wl,
 /{,var/}run/nscd/ rw,
 /{,var/}run/nscd/db* rwl,
diff --git a/profiles/apparmor.d/usr.sbin.ntpd b/profiles/apparmor.d/usr.sbin.ntpd
index 5f7f7e350..bca926ffa 100644
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -11,7 +11,7 @@
 #include
 #include
-/usr/{bin,sbin}/ntpd flags=(attach_disconnected) {
+/usr/sbin/ntpd flags=(attach_disconnected) {
 #include
 #include
 #include
@@ -40,7 +40,7 @@
 /tmp/ntp* rwl,
 /{usr/,usr/local/,}{s,}bin/ r,
- /usr/{bin,sbin}/ntpd rmix,
+ /usr/sbin/ntpd rmix,
 /var/db/ r,
 /var/db/ntpd.drift rwl,
 /var/lib/ntp/drift rwl,
diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
index dd4858453..16484b80d 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -1,6 +1,6 @@
 #include
-/usr/{bin,sbin}/smbd {
+/usr/sbin/smbd {
 #include
 #include
 #include
@@ -37,8 +37,8 @@
 /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
 /usr/lib/@{multiarch}/samba/**/ r,
 /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
- /usr/{bin,sbin}/smbd mr,
- /usr/{bin,sbin}/smbldap-useradd Px,
+ /usr/sbin/smbd mr,
+ /usr/sbin/smbldap-useradd Px,
 /var/cache/samba/** rwk,
 /var/{cache,lib}/samba/printing/printers.tdb mrw,
 /var/lib/samba/** rwk,
diff --git a/profiles/apparmor.d/usr.sbin.smbldap-useradd b/profiles/apparmor.d/usr.sbin.smbldap-useradd
index 7b37bdde3..a2eb1c17f 100644
--- a/profiles/apparmor.d/usr.sbin.smbldap-useradd
+++ b/profiles/apparmor.d/usr.sbin.smbldap-useradd
@@ -1,7 +1,7 @@
 # Last Modified: Tue Jan 3 00:17:40 2012
 #include
-/usr/{bin,sbin}/smbldap-useradd {
+/usr/sbin/smbldap-useradd {
 #include
 #include
 #include
@@ -13,8 +13,8 @@
 /etc/shadow r,
 /etc/smbldap-tools/smbldap.conf r,
 /etc/smbldap-tools/smbldap_bind.conf r,
- /usr/{bin,sbin}/smbldap-useradd r,
- /usr/{bin,sbin}/smbldap_tools.pm r,
+ /usr/sbin/smbldap-useradd r,
+ /usr/sbin/smbldap_tools.pm r,
 /var/log/samba/log.smbd w,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/usr.sbin.traceroute b/profiles/apparmor.d/usr.sbin.traceroute
index 25b32e621..ac58aa2fe 100644
--- a/profiles/apparmor.d/usr.sbin.traceroute
+++ b/profiles/apparmor.d/usr.sbin.traceroute
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include
-/usr/{{bin,sbin}/traceroute,bin/traceroute.db} {
+/usr/{sbin/traceroute,bin/traceroute.db} {
 #include
 #include
 #include
@@ -21,7 +21,7 @@
 network inet raw,
 network inet6 raw,
- /usr/{bin,sbin}/traceroute mrix,
+ /usr/sbin/traceroute mrix,
 /usr/bin/traceroute.db mrix,
 @{PROC}/net/route r,
 @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
index f80aeee6c..afe54253f 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -1,6 +1,6 @@
 #include
-/usr/{bin,sbin}/winbindd {
+/usr/sbin/winbindd {
 #include
 #include
 #include
@@ -24,7 +24,7 @@
 /usr/lib*/samba/idmap/*.so mr,
 /usr/lib*/samba/nss_info/*.so mr,
 /usr/lib*/samba/pdb/*.so mr,
- /usr/{bin,sbin}/winbindd mr,
+ /usr/sbin/winbindd mr,
 /var/cache/krb5rcache/* rw,
 /var/cache/samba/*.tdb rwk,
 /var/log/samba/log.winbindd rw,