mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'use-sys' into 'master'

Browse source 
Use @{sys} tunable in profiles and abstractions

Commit aa065287 made @{sys} tunable available by default.

Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var).

Closes LP#1728551

PR: https://gitlab.com/apparmor/apparmor/merge_requests/262
Acked-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2018-11-09 01:45:18 +00:00
commit e657ca67d7
14 changed files with 49 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
profiles/apparmor.d/abstractions/base
View file

@ -90,8 +90,8 @@
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/online r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,

3
profiles/apparmor.d/abstractions/dri-enumerate
View file

@ -4,6 +4,5 @@
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm).
# TODO: use @{sys} after it's moved into tunables/kernelvars (LP: #1728551)
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,

2
profiles/apparmor.d/abstractions/nvidia
View file

@ -19,7 +19,7 @@
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
/sys/devices/system/memory/block_size_bytes r,
@{sys}/devices/system/memory/block_size_bytes r,
owner @{HOME}/.nv/ w,
owner @{HOME}/.nv/GLCache/ rw,

6
profiles/apparmor.d/abstractions/opencl-common
View file

@ -4,7 +4,7 @@
# System files
/etc/OpenCL/** r,
/sys/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
/sys/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so

2
profiles/apparmor.d/abstractions/opencl-intel
View file

@ -12,6 +12,6 @@
# System files
/dev/dri/card[0-9]* rw, # beignet/libcl.so
/sys/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
/usr/lib/@{multiarch}/beignet/** r,

4
profiles/apparmor.d/abstractions/opencl-nvidia
View file

@ -16,8 +16,8 @@
# libnvidia-opencl.so rules:
/dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools rw,
/sys/devices/pci[0-9]*/**/config r,
/sys/devices/system/memory/block_size_bytes r,
@{sys}/devices/pci[0-9]*/**/config r,
@{sys}/devices/system/memory/block_size_bytes r,
/usr/share/nvidia/** r,
@{PROC}/devices r,
@{PROC}/sys/vm/mmap_min_addr r,

32
profiles/apparmor.d/abstractions/opencl-pocl
View file

@ -11,22 +11,22 @@
# System files
/ r, # libpocl.so -> libhwloc.so
/sys/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
/sys/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
/sys/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
/sys/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
/sys/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
/sys/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
/sys/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
/sys/devices/system/cpu/ r, # libpocl.so -> libnuma.so
/sys/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
/sys/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
/sys/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
/sys/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
/sys/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
/sys/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
/sys/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
/sys/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
@{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
@{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
@{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
@{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
@{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
@{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
@{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
/usr/share/pocl/** r,
/{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so

8
profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
View file

@ -41,8 +41,8 @@
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/filesystems r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/** r,
/usr/share/** r,
/var/lib/dbus/machine-id r,
@ -88,8 +88,8 @@
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/filesystems r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/** r,
/usr/share/** r,
/var/lib/dbus/machine-id r,

4
profiles/apparmor.d/abstractions/video
View file

@ -2,5 +2,5 @@
# video device access
# System devices
/sys/class/video4linux r,
/sys/class/video4linux/** r,
@{sys}/class/video4linux r,
@{sys}/class/video4linux/** r,

2
profiles/apparmor.d/abstractions/vulkan
View file

@ -5,7 +5,7 @@
/dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
/etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
# for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
/sys/devices/pci[0-9]*/*/drm/ r,
@{sys}/devices/pci[0-9]*/*/drm/ r,
/usr/share/vulkan/icd.d/{,*.json} r,
/usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,

14
profiles/apparmor.d/apache2.d/phpsysinfo
View file

@ -20,13 +20,13 @@
/etc/phpsysinfo/config.php r,
/etc/udev/udev.conf r,
@{PROC}/** r,
/sys/bus/ r,
/sys/bus/pci/devices/ r,
/sys/bus/pci/slots/ r,
/sys/bus/pci/slots/** r,
/sys/bus/usb/devices/ r,
/sys/class/ r,
/sys/devices/** r,
@{sys}/bus/ r,
@{sys}/bus/pci/devices/ r,
@{sys}/bus/pci/slots/ r,
@{sys}/bus/pci/slots/** r,
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/devices/** r,
/usr/bin/ r,
/usr/bin/apt-cache ixr,
/usr/bin/dpkg-query ixr,

10
profiles/apparmor.d/nvidia_modprobe
View file

@ -24,8 +24,8 @@ profile nvidia_modprobe {
/dev/nvidia-uvm w,
/dev/nvidia-uvm-tools w,
/sys/bus/pci/devices/ r,
/sys/devices/pci[0-9]*/**/config r,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/config r,
@{PROC}/devices r,
@{PROC}/modules r,
@{PROC}/sys/kernel/modprobe r,
@ -51,9 +51,9 @@ profile nvidia_modprobe {
/etc/modprobe.d/{,*.conf} r,
/etc/nvidia/current/*.conf r,
/sys/module/ipmi_devintf/initstate r,
/sys/module/ipmi_msghandler/initstate r,
/sys/module/nvidia/initstate r,
@{sys}/module/ipmi_devintf/initstate r,
@{sys}/module/ipmi_msghandler/initstate r,
@{sys}/module/nvidia/initstate r,
@{PROC}/cmdline r,
}

2
profiles/apparmor.d/sbin.syslog-ng
View file

@ -47,7 +47,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
/etc/hosts.deny r,
/etc/hosts.allow r,
/{usr/,}{bin,sbin}/syslog-ng mr,
/sys/devices/system/cpu/online r,
@{sys}/devices/system/cpu/online r,
/usr/share/syslog-ng/** r,
/var/lib/syslog-ng/syslog-ng-?????.qf rw,
# chrooted applications

6
profiles/apparmor.d/usr.sbin.dnsmasq
View file

@ -107,9 +107,9 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
owner @{PROC}/@{pid}/net/psched r,
owner @{PROC}/@{pid}/status r,
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
/sys/devices/system/node/*/meminfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/*/meminfo r,
# libvirt lease and status files for dnsmasq
/var/lib/libvirt/dnsmasq/*.leases rw,