diff --git a/libraries/libapparmor/configure.in b/libraries/libapparmor/configure.in
index 32434fbca..5d8d81a2e 100644
--- a/libraries/libapparmor/configure.in
+++ b/libraries/libapparmor/configure.in
@@ -10,6 +10,7 @@ AM_INIT_AUTOMAKE(libapparmor1, apparmor_version)
 AM_PROG_LEX
 AC_PROG_YACC
 AC_PROG_SED
+PKG_PROG_PKG_CONFIG
 AC_PATH_PROG([SWIG], [swig])
diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
index 5ebb1e680..5723b73f4 100644
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -22,6 +22,7 @@ AA_LIB_CURRENT = 1
 AA_LIB_REVISION = 2
 AA_LIB_AGE = 0
+SUFFIXES = .pc.in .pc
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
@@ -52,9 +53,18 @@ libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA
 libimmunix_la_SOURCES = kernel_interface.c libimmunix_warning.c
 libimmunix_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -Wl,--version-script=$(top_srcdir)/src/libapparmor.map -Wl,-soname=libimmunix.so.1
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = libapparmor.pc
+
+CLEANFILES = libapparmor.pc
+
+%.pc: %.pc.in $(top_builddir)/config.status
+ $(AM_V_GEN)cd "$(top_builddir)" && \
+ $(SHELL) ./config.status --file="src/$@"
+
 tst_aalogmisc_SOURCES = tst_aalogmisc.c
 tst_aalogmisc_LDADD = .libs/libapparmor.a
 check_PROGRAMS = tst_aalogmisc
 TESTS = $(check_PROGRAMS)
-EXTRA_DIST = grammar.y scanner.l libapparmor.map
+EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc
diff --git a/libraries/libapparmor/src/libapparmor.pc.in b/libraries/libapparmor/src/libapparmor.pc.in
new file mode 100644
index 000000000..6d2288572
--- /dev/null
+++ b/libraries/libapparmor/src/libapparmor.pc.in
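Review bot: The new `EXTRA_DIST` on the last line of the hunk ships the generated `libapparmor.pc` (which `CLEANFILES` removes) instead of the template the `%.pc` rule consumes, so unless `libapparmor.pc.in` is also named in `AC_CONFIG_FILES` (not shown here) a `make dist` from a cleaned tree has nothing to build the .pc from, and one from a configured tree bakes the build host's `prefix` into the tarball. Change it to `EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc.in`. Separately, `%.pc: %.pc.in` is a GNU make pattern rule, so the `SUFFIXES = .pc.in .pc` added in the earlier hunk has no effect on it; either drop `SUFFIXES` or write the rule as a portable suffix rule. The `src/$@` path in the recipe also hard-codes this Makefile's location, so a short comment saying the rule assumes it runs from `src/` would help whoever moves it.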
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: libapparmor
+Description: AppArmor library for for utility functions
+Version: @VERSION@
+Cflags: -I${includedir}
+Libs: -L${libdir} -lapparmor
diff --git a/parser/apparmor_parser.pod b/parser/apparmor_parser.pod
index 0e24544be..ff8150845 100644
--- a/parser/apparmor_parser.pod
+++ b/parser/apparmor_parser.pod
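Review bot: `Description:` contains a doubled word, `AppArmor library for for utility functions`, which pkg-config prints verbatim in `--list-all` output; suggest `Description: AppArmor utility library`. Nothing else in the new file is affected.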
@@ -28,22 +28,99 @@ apparmor_parser - loads AppArmor profiles into the kernel =head1 SYNOPSIS -B +BcommandE [profile]...> + +BcommandE> B =head1 DESCRIPTION -B is used to import new apparmor.d(5) profiles -into the Linux kernel. The profiles restrict the operations available -to processes by executable name. +B is used as a general tool to compile, and manage AppArmor +policy, including loading new apparmor.d(5) profiles into the Linux kernel. + +AppArmor profiles restrict the operations available to processes. The profiles are loaded into the Linux kernel by the B -program, which takes its input from standard input. The input supplied to -B should be in the format described in apparmor.d(5). +program, which by default takes its input from standard input. The input +supplied to B should be in the format described in +apparmor.d(5). -=head1 OPTIONS +=head1 COMMANDS + +The command set is broken into four subcategories. + +=over 4 + +=item unprivileged commands + +Commands that don't require any privilege and don't operate on profiles. + +=item unprivileged profile commands + +Commands that operate on a profile either specified on the command line or +read from stdin if no profile was specified. + +=item privileged commands + +Commands that require the MAC_ADMIN capability within the affected AppArmor +namespace to load policy into the kernel or filesystem write permissions to +update the affected privileged files (cache etc). + +=item privileged profile commands + +Commands that require privilege and operate on profiles. + +=back + +=head1 Unprivileged commands + +=over 4 + +=item -V, --version + +Print the version number and exit. + +=item -h, --help + +Give a quick reference guide. + +=back + +=head1 Unprivileged profile commands + +=over 4 + +=item -N, --names + +Produce a list of policies from a given set of profiles (implies -K). 
+ +=item -p, --preprocess + +Apply preprocessing to the input profile(s) by flattening includes into +the output profile and dump to stdout. + +=item -S, --stdout + +Writes a binary (cached) profile to stdout (implies -K and -T). + +=item -o file, --ofile file + +Writes a binary (cached) profile to the specified file (implies -K and -T) + +=back + +=head1 Privileged commands + +=over 4 + +=item --purge-cache + +Unconditionally clear out cached profiles. + +=back + +=head1 Privileged profile commands =over 4 @@ -67,25 +144,22 @@ Note that it still requires a complete AppArmor definition as described in apparmor.d(5) even though the contents of the definition aren't used. -=item -C, --Complain +=back -For the profile to load in complain mode. +=head1 OPTIONS + +=over 4 =item -B, --binary -Load a binary (cached) profile, as produced with the -S option. +Treat the profile files specified on the command line (or stdin if none +specified) as binary cache files, produced with the -S or -o options, +and load to the kernel as specified by -a, -r, and -R (implies -K +and -T). -=item -N, --names +=item -C, --Complain -Produce a list of policies from a given set of profiles (implies -K). - -=item -S, --stdout - -Writes a binary (cached) profile to stdout (implies -K and -T). - -=item -o file, --ofile file - -Writes a binary (cached) profile to the specified file (implies -K and -T) +Force the profile to load in complain mode. =item -b n, --base n @@ -138,6 +212,11 @@ by default. In cases where abstractions have been changed, and the parser is running with "--replace", it may make sense to also use "--skip-read-cache" with the "--write-cache" option. +=item --skip-bad-cache + +Skip updating the cache if it contains cached profiles in a bad or +inconsistent state + =item -L, --cache-loc Set the location of the cache directory. If not specified the cache location 
@@ -149,6 +228,9 @@ Perform all actions except the actual loading of a profile into the kernel.
 This is useful for testing profile generation, caching, etc, without making changes to the running kernel profiles.
+This also removes the need for privilege to execute the commands that
+manage policy in the kernel
+
 =item -q, --quiet
 Do not report on the profiles as they are loaded, and not show warnings.
@@ -157,15 +239,6 @@ Do not report on the profiles as they are loaded, and not show warnings.
 Report on the profiles as they are loaded, and show warnings.
-=item -V, --version
-
-Print the version number and exit.
-
-=item -p, --preprocess
-
-Dump the input profile to stdout out applying preprocessing flattening
-includes into the output profile.
-
 =item -d, --debug
 Given once, only checks the profiles to ensure syntactic correctness.
@@ -198,10 +271,6 @@ of time to complete.
 Use --help=optimize to see a full list of which optimization flags are supported.
-=item -h, --help
-
-Give a quick reference guide.
-
 =back
 =head1 CONFIG FILE
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 474dc0a25..d719fe0d8 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -456,8 +456,10 @@ static int process_arg(int c, char *optarg)
 skip_cache = 1;
 break;
 case 'N':
+ count++;
 names_only = 1;
 skip_cache = 1;
+ kernel_load = 0;
 break;
 case 'S':
 count++;
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 9d2fc4bfe..5f211b945 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -184,7 +184,13 @@ struct network_tuple {
 /* used by af_name.h to auto generate table entries for "name", AF_NAME
  * pair */
-#define AA_GEN_NET_ENT(name, AF) {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, {name, AF, "raw", SOCK_RAW, "", 0xffffff}, {name, AF, "packet", SOCK_PACKET, "", 0xffffff},
+#define AA_GEN_NET_ENT(name, AF) \
+ {name, AF, "stream", SOCK_STREAM, "", 0xffffff}, \
+ {name, AF, "dgram", SOCK_DGRAM, "", 0xffffff}, \
+ {name, AF, "seqpacket", SOCK_SEQPACKET, "", 0xffffff}, \
+ {name, AF, "rdm", SOCK_RDM, "", 0xffffff}, \
+ {name, AF, "raw", SOCK_RAW, "", 0xffffff}, \
+ {name, AF, "packet", SOCK_PACKET, "", 0xffffff},
 /*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", 0xfffffff}, */
 static struct network_tuple network_mappings[] = {
@@ -936,6 +942,99 @@ void debug_capabilities(struct codomain *cod)
 __debug_capabilities(cod->quiet_caps, "Quiet Caps");
 }
+const char *sock_types[] = {
+ [0] = "none",
+ [SOCK_STREAM] = "stream",
+ [SOCK_DGRAM] = "dgram",
+ [SOCK_RAW] = "raw",
+ [SOCK_RDM] = "rdm",
+ [SOCK_SEQPACKET] = "seqpacket",
+ [SOCK_PACKET] = "packet",
+ /*
+ * See comment above
+ [SOCK_DCCP] = "dccp",
+ */
+};
+#define ALL_TYPES 0x43e
+
+#undef AA_GEN_NET_ENT
+#define AA_GEN_NET_ENT(name, AF) [AF] = name,
+
+static const char *network_families[] = {
+#include "af_names.h"
+};
+
+void __debug_network(unsigned int *array, const char *name)
+{
+ unsigned int count = sizeof(sock_types)/sizeof(sock_types[0]);
+ unsigned int mask = ~((1 << count) -1);
+ unsigned int i, j;
+ int none = 1;
+ size_t af_max = get_af_max();
+
+ for (i = AF_UNSPEC; i < af_max; i++)
+ if (array[i]) {
+ none = 0;
+ break;
+ }
+
+ if (none)
+ return;
+
+ printf("%s: ", name);
+
+ /* This can only be set by an unqualified network rule */
+ if (array[AF_UNSPEC]) {
+ printf("\n");
+ return;
+ }
+
+ for (i = 0; i < af_max; i++) {
+ if (array[i]) {
+ const char *fam = network_families[i];
+ if (fam)
+ printf("%s ", fam);
+ else
+ printf("#%u ", i);
+
+ /* All types/protocols */
+ if (array[i] == 0xffffffff || array[i] == ALL_TYPES)
+ continue;
+
+ printf("{ ");
+
+ for (j = 0; j < count; j++) {
+ const char *type;
+ if (array[i] & (1 << j)) {
+ type = sock_types[j];
+ if (type)
+ printf("%s ", type);
+ else
+ printf("#%u ", j);
+ }
+ }
+ if (array[i] & mask)
+ printf("#%x ", array[i] & mask);
+
+ printf("} ");
+ }
+ }
+ printf("\n");
+}
+
+void debug_network(struct codomain *cod)
+{
+ if (cod->network_allowed)
+ __debug_network(cod->network_allowed, "Network");
+ if (cod->audit_network)
+ __debug_network(cod->audit_network, "Audit Net");
+ if (cod->deny_network)
+ __debug_network(cod->deny_network, "Deny Net");
+ if (cod->quiet_network)
+ __debug_network(cod->quiet_network, "Quiet Net");
+
+}
+
 void debug_cod_list(struct codomain *cod)
@@ -953,6 +1052,8 @@ void debug_cod_list(struct codomain *cod)
 debug_capabilities(cod); + + debug_network(cod); + if (cod->entries)
 debug_cod_entries(cod->entries);
diff --git a/parser/tst/caching.sh b/parser/tst/caching.sh
index 76520123e..4def9acb6 100755
--- a/parser/tst/caching.sh
+++ b/parser/tst/caching.sh
@@ -22,15 +22,17 @@ cp caching.profile $basedir/$profile
 # Detect and slow down cache test when filesystem can't represent nanosecond delays.
 timeout=0.1
-touch $basedir/test1
-sleep $timeout
-touch $basedir/test2
-TIMES=$(stat $basedir/test1 $basedir/test2 -c %z | cut -d" " -f2 | cut -d. -f2 | sort -u | wc -l)
-if [ $TIMES -ne 2 ]; then
+_count=10
+for ((i = 0; i < ${_count} ; i++)) ; do
+ touch $basedir/test${i}
+ sleep $timeout
+done
+TIMES=$(stat $basedir/test* -c %z | cut -d" " -f2 | cut -d: -f3 | sort -u | wc -l)
+if [ $TIMES -ne ${_count} ]; then
 echo "WARNING: $basedir lacks nanosecond timestamp resolution, falling back to slower test"
 timeout=1
 fi
-rm -f $basedir/test1 $basedir/test2
+rm -f $basedir/test*
 echo -n "Profiles are not cached by default: "
 ../apparmor_parser $ARGS -q -r $basedir/$profile
@@ -122,7 +124,7 @@ echo -n "monkey" > $basedir/cache/.features
 echo -n "monkey" > $basedir/cache/$profile
 echo -n "monkey" > $basedir/cache/monkey
 echo -n "Cache purge remove profiles unconditionally: "
-../apparmor_parser $ARGS -v --purge-cache -r $basedir/$profile || { echo "Cache clear setup FAIL"; exit 1; }
+../apparmor_parser $ARGS -v --purge-cache -r $basedir/$profile || { echo "Cache purge setup FAIL"; exit 1; }
 [ -f $basedir/cache/.features ] && { echo "FAIL"; exit 1; }
 [ -f $basedir/cache/$profile ] && { echo "FAIL"; exit 1; }
 [ -f $basedir/cache/monkey ] && { echo "FAIL"; exit 1; }
diff --git a/parser/tst/simple.pl b/parser/tst/simple.pl
index b6bb0d096..d2de93243 100755
--- a/parser/tst/simple.pl
+++ b/parser/tst/simple.pl
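Review bot: In `__debug_network` the lookup `network_families[i]` runs `i` up to `af_max` from `get_af_max()`, but the table's length is fixed by the highest `[AF]` designator generated from `af_names.h`; if `get_af_max()` (defined outside this hunk) can return a value above that, for instance one taken from the running kernel, the read goes past the end of the array. Bound the lookup with the table size, `const char *fam = i < sizeof(network_families)/sizeof(network_families[0]) ? network_families[i] : NULL;`, which already falls through to the existing `#%u` fallback. `sock_types` is a writable, externally visible global used only here; `static const char *const sock_types[]` would keep it private and read-only. `ALL_TYPES 0x43e` is hand-derived from those same indices, so a comment such as `/* bits for every SOCK_* entry present in sock_types[] */` would stop it silently drifting when the DCCP entry is uncommented.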
@@ -68,6 +68,16 @@ sub test_profile {
 my $result = 0;
 my $child;
+ $child = open(PARSER, "|-");
+ if ($child == 0) {
+ # child
+ open(STDOUT, ">/dev/null") or die "Failed to redirect STDOUT";
+ open(STDERR, ">/dev/null") or die "Failed to redirect STDERR";
+ exec("$config{'parser'}", "-S", "-I", "$config{'includedir'}") or die "Bail out! couldn't open parser";
+ # noreturn
+ }
+
+ # parent
 eval {
 local $SIG{ALRM} = sub {
 $result = 1;
@@ -77,19 +87,9 @@ sub test_profile {
 alarm $config{'timeout'};
- $child = open(PARSER, "|-");
- if ($child == 0) {
- # child
- open(STDOUT, ">/dev/null") or die "Failed to redirect STDOUT";
- open(STDERR, ">/dev/null") or die "Failed to redirect STDERR";
- exec("$config{'parser'}", "-S", "-I", "$config{'includedir'}") or die "Bail out! couldn't open parser";
- # noreturn
- }
-
- # parent
 open(PROFILE, $profile) or die "Bail out! couldn't open profile $profile";
 while () {
- if (/^#=DESCRIPTION\s*(.*)/) {
+ if (/^#=DESCRIPTION\s*(.*)/i) {
 $description = $1;
 } elsif (/^#=EXRESULT\s*(\w+)/) {
 if ($1 eq "PASS") {
diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X
index f8fd98448..50b28b9c4 100644
--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@@ -39,6 +39,9 @@
 /etc/drirc r,
 owner @{HOME}/.drirc r,
+ # Xcompose
+ owner @{HOME}/.XCompose r,
+
 # mouse themes
 /etc/X11/cursors/ r,
 /etc/X11/cursors/** r,
diff --git a/profiles/apparmor.d/abstractions/fonts b/profiles/apparmor.d/abstractions/fonts
index 4b02e39f3..2d39e85b6 100644
--- a/profiles/apparmor.d/abstractions/fonts
+++ b/profiles/apparmor.d/abstractions/fonts
@@ -37,8 +37,8 @@
 @{HOME}/.fonts/ r,
 @{HOME}/.fonts/** r,
 @{HOME}/.fonts.cache-2 mr,
- @{HOME}/.fontconfig/ r,
- @{HOME}/.fontconfig/** mrl,
+ @{HOME}/.{,cache/}fontconfig/ r,
+ @{HOME}/.{,cache/}fontconfig/** mrl,
 @{HOME}/.fonts.conf.d/ r,
 @{HOME}/.fonts.conf.d/** r,
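Review bot: `open(PARSER, "|-")` returns `undef` when the fork fails, and `undef == 0` is true in Perl, so on a fork failure the parent itself takes the child branch, redirects its own stdout/stderr to `/dev/null` and `exec`s the parser, replacing the test harness. Add `die "Bail out! couldn't fork parser: $!" unless defined $child;` before the `if`. Moving the fork out of the `eval` also means a `die` from this code is no longer caught there, which looks intentional but is worth a one-line comment. `test_profile` starts before this hunk.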
diff --git a/profiles/apparmor.d/abstractions/gnome b/profiles/apparmor.d/abstractions/gnome
index 995d9c13b..e2b13f707 100644
--- a/profiles/apparmor.d/abstractions/gnome
+++ b/profiles/apparmor.d/abstractions/gnome
@@ -83,3 +83,6 @@
 # mime-types
 /etc/gnome/defaults.list r,
 /usr/share/gnome/applications/mimeinfo.cache r,
+
+ # poppler CMap tables
+ /usr/share/poppler/cMap/** r,
diff --git a/profiles/apparmor.d/abstractions/nvidia b/profiles/apparmor.d/abstractions/nvidia
index 7e56a74bc..ab9e660a2 100644
--- a/profiles/apparmor.d/abstractions/nvidia
+++ b/profiles/apparmor.d/abstractions/nvidia
@@ -4,9 +4,12 @@
 # configuration queries
 capability ipc_lock,
+ # libvdpau config file for nvidia workarounds
+ /etc/vdpau_wrapper.cfg r,
+
 # device files
 /dev/nvidia0 rw,
 /dev/nvidiactl rw,
- /proc/interrupts r,
- /proc/sys/vm/max_map_count r,
+ @{PROC}/interrupts r,
+ @{PROC}/sys/vm/max_map_count r,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
index 01ef581ca..e050d49d6 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@@ -4,9 +4,11 @@
 owner @{HOME}/.java/deployment/deployment.properties k,
 /etc/java-*/ r,
 /etc/java-*/** r,
- /usr/lib/jvm/java-6-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
+ /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
 /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
 /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
+ /usr/lib/jvm/java-7-openjdk/jre/bin/java cx -> browser_openjdk,
+ /usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
 /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
 /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
 /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
@@ -44,8 +46,8 @@
 /var/lib/dbus/machine-id r,
 /usr/bin/env ix,
- /usr/lib/jvm/java-6-openjdk*/jre/bin/java ix,
- /usr/lib/jvm/java-6-openjdk*/jre/lib/i386/client/classes.jsa m,
+ /usr/lib/jvm/java-{6,7}-openjdk*/jre/bin/java ix,
+ /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
 # Why would java need this?
 deny /usr/bin/gconftool-2 x,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
index faae75945..1c1c5ee1e 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
@@ -50,10 +50,8 @@
 /opt/google/talkplugin/GoogleTalkPlugin ixr,
 owner @{HOME}/.config/google-googletalkplugin/** rw,
- # If we allow the above, nvidia based systems will also need these
- /dev/nvidactl rw,
- /dev/nvidia0 rw,
- @{PROC}/interrupts r,
+ # If we allow the above, nvidia based systems will also need this
+ #include
 # Virus scanners
 /usr/bin/clamscan Cx -> sanitized_helper,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
index ba8da7a18..80e0ab392 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
@@ -29,3 +29,6 @@
 # Exo-aware applications
 /usr/bin/exo-open ixr,
+ /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
+ /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
+ /etc/xdg/xfce4/helpers.rc r,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-helpers b/profiles/apparmor.d/abstractions/ubuntu-helpers
index ca9ef58e7..42bd431bb 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-helpers
+++ b/profiles/apparmor.d/abstractions/ubuntu-helpers
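Review bot: Swapping the three path rules for the nvidia abstraction widens what the browser plugin sandbox grants: as the nvidia hunk in this same diff shows, that abstraction also carries `capability ipc_lock` and `@{PROC}/sys/vm/max_map_count r`, neither of which the removed lines allowed. `ipc_lock` lets the confined process pin memory beyond `RLIMIT_MEMLOCK`, so the comment should say so rather than reading as a pure path cleanup, e.g. `# If we allow the above, nvidia based systems will also need this (note: the nvidia abstraction also grants capability ipc_lock)`. The include target is rendered here as a bare `#include`, presumably `<abstractions/nvidia>` lost in display; confirm the committed line names it.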
@@ -43,10 +43,11 @@ profile sanitized_helper {
 /bin/* Pixr,
 /sbin/* Pixr,
 /usr/bin/* Pixr,
+ /usr/local/bin/* Pixr,
 /usr/sbin/* Pixr,
- # Allow exec of libexec applications in /usr/lib*
- /usr/lib*/{,**/}* Pixr,
+ # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
+ /usr/{,local/}lib*/{,**/}* Pixr,
 # Allow exec of software-center scripts. We may need to allow wider
 # permissions for /usr/share, but for now just do this. (LP: #972367)
@@ -65,7 +66,7 @@ profile sanitized_helper {
 # Full access
 / r,
 /** rwkl,
- /{,usr/}lib{,32,64}/{,**/}*.so{,.*} m,
+ /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
 # Dangerous files
 audit deny owner /**/* m, # compiled libraries
diff --git a/profiles/apparmor.d/bin.ping b/profiles/apparmor.d/bin.ping
index e2ed20914..4752b4784 100644
--- a/profiles/apparmor.d/bin.ping
+++ b/profiles/apparmor.d/bin.ping
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include
-/bin/ping {
+/{usr/,}bin/ping {
 #include
 #include
 #include
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index a11eb18a8..1f958acf2 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -53,6 +53,7 @@
 # NetworkManager integration
 /{,var/}run/nm-dns-dnsmasq.conf r,
+ /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
 # Site-specific additions and overrides. See local/README for details.
 #include
diff --git a/profiles/apparmor/profiles/extras/README b/profiles/apparmor/profiles/extras/README
index 73f43911a..78ea28fb9 100644
--- a/profiles/apparmor/profiles/extras/README
+++ b/profiles/apparmor/profiles/extras/README
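Review bot: The new `/usr/local/bin/* Pixr` and `/usr/{,local/}lib*/{,**/}* Pixr` rules let `sanitized_helper` execute anything under `/usr/local`, and `Pixr` falls back to inheriting this profile, whose `/** rwkl` grant is visible in the second hunk, whenever no dedicated profile exists for the target. On Debian-derived systems the `/usr/local` subtree is commonly writable by a non-root group (`staff`) rather than root-only, so this extends the helper's trust boundary to whoever can write there; that is probably acceptable for a helper this broad, but it deserves stating next to the rule, e.g. `# /usr/local is often writable by a non-root group (Debian: staff); exec from it is trusted as much as /usr`. `profile sanitized_helper` begins before this hunk.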
@@ -39,7 +39,7 @@ working as you expect.
 Feedback on these unsupported profiles is welcomed; any contributions for this directory should be clearly licensed -- we recommend using the GPL. Please mail suggestions or
-modifications to the apparmor-general@forge.novell.com mail list:
-http://forge.novell.com/mailman/listinfo/apparmor-general
+modifications to the apparmor@lists.ubuntu.com mail list:
+https://lists.ubuntu.com/mailman/listinfo/apparmor
 Thanks
diff --git a/profiles/apparmor/profiles/extras/usr.bin.skype b/profiles/apparmor/profiles/extras/usr.bin.skype
index bfb50ecc9..a4acfc96b 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.skype
+++ b/profiles/apparmor/profiles/extras/usr.bin.skype
@@ -1,40 +1,80 @@
-# Last Modified: Mon Oct 26 13:29:13 2009
-# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
-# Additional profiling based on work by Андрей Калинин, LP: #226624
+# Additional profiling based on work by:
+# - Андрей Калинин, LP: #226624
+# - Jamie Strandboge and Ivan Frederiks, LP: #933440
 #include
 /usr/bin/skype flags=(complain) {
 #include
 #include
+ #include
 #include
 #include
+ #include
+ #include
 #include
 #include
 #include
+ #include
 #include
 #include
- # are these needed?
- /proc/*/cmdline r,
+ @{PROC}/sys/kernel/{ostype,osrelease} r,
+ @{PROC}/[0-9]*/net/arp r,
+ owner @{PROC}/[0-9]*/auxv r,
+ owner @{PROC}/[0-9]*/cmdline r,
+ owner @{PROC}/[0-9]*/fd/ r,
+ owner @{PROC}/[0-9]*/task/ r,
+ owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /sys/devices/**/power_supply/**/online r,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
+
+ /dev/ r,
+ owner /{dev,run}/shm/pulse-shm* m,
+ /dev/snd/* m,
 /dev/video* mrw,
+ /var/cache/libx11/compose/* r,
 # should this be in a separate KDE abstraction?
- @{HOME}/.kde/share/config/kioslaverc r,
+ owner @{HOME}/.kde{,4}/share/config/kioslaverc r,
 /usr/bin/skype mr,
+ /etc/xdg/sni-qt.conf rk,
+ /etc/xdg/Trolltech.conf rk,
 /usr/share/skype/** kr,
+ /usr/share/skype/**/*.qm mr,
 /usr/share/skype/sounds/*.wav kr,
+ /usr/lib/@{multiarch}/pango/** mr,
- @{HOME}/.Skype/ rw,
- @{HOME}/.Skype/** krw,
- @{HOME}/.config/* kr,
+ # For opening links in the browser (still requires explicit access to execute
+ # the browser)
+ /usr/bin/xdg-open ixr,
- @{HOME}/.mozilla/ r,
- @{HOME}/.mozilla/*/ r,
- @{HOME}/.mozilla/*/*/ r,
- @{HOME}/.mozilla/*/*/bookmarkbackups/ r,
- @{HOME}/.mozilla/*/*/chrome/ r,
- @{HOME}/.mozilla/*/*/extensions/ r,
- @{HOME}/.mozilla/*/*/prefs.js r,
+ owner @{HOME}/.Skype/ rw,
+ owner @{HOME}/.Skype/** krw,
+ owner @{HOME}/.config/ r,
+ owner @{HOME}/.config/*/ r,
+ owner @{HOME}/.config/Skype/Skype.conf rw,
+ owner @{HOME}/.config/Trolltech.conf kr,
+
+ # Skype traverses the .mozilla directory and needs access to prefs.js
+ owner @{HOME}/.mozilla/ r,
+ owner @{HOME}/.mozilla/**/ r,
+ owner @{HOME}/.mozilla/*/*/prefs.js r,
+
+ # Skype also looks around in these directories
+ /{,usr/,usr/local/}lib/ r,
+
+ # Recent skype builds have an executable stack, so it tries to mmap certain
+ # files. Let's deny them for now.
+ deny /etc/passwd m,
+ deny /etc/group m,
+ deny /usr/share/fonts/** m,
+
+ # Silence a few non-needed writes
+ deny /var/cache/fontconfig/ w,
+ deny owner @{HOME}/.fontconfig/ w,
+ deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w,
 }
diff --git a/tests/regression/apparmor/clone.c b/tests/regression/apparmor/clone.c
index 73f8fa82b..ee3644e9e 100644
--- a/tests/regression/apparmor/clone.c
+++ b/tests/regression/apparmor/clone.c
@@ -23,6 +23,8 @@
 #include
 #include
+#define STACK_SIZE 0x8000
+
 struct option long_options[] = {
 {"newns", 0, 0, 'n'}, /* create a new namespace */
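Review bot: `@{PROC}/[0-9]*/net/arp r` is the one `@{PROC}/[0-9]*/` rule in the block without an `owner` qualifier, so it reads the ARP table through any pid's proc directory; unless cross-process reads were intended, make it `owner @{PROC}/[0-9]*/net/arp r,` to match its neighbours. The `mr` grants on `/usr/share/skype/**/*.qm` and `/usr/lib/@{multiarch}/pango/**` are only explained by the executable-stack comment placed further down beside the `deny` rules; a copy of that reason next to them, `# mmap needed because skype has an executable stack`, would keep a later cleanup from tightening them to `r`. `/dev/snd/* m` grants only mmap, so the read/write side is presumably supplied by one of the included abstractions; worth confirming.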
@@ -59,7 +61,7 @@ int main(int argc, char *argv[])
 int waitstatus;
 int c;
 char buf[BUFSIZ];
- int stack_size = PAGE_SIZE << 4;
+ int stack_size = STACK_SIZE;
 void *child_stack = malloc(stack_size);
 int clone_flags = SIGCHLD;