Lenient profile that is intended to be used when 'Ux' is desired but
does not provide enough environment sanitizing. This effectively is an
open profile that blacklists certain known dangerous files and also
does not allow any capabilities. For example, it will not allow 'm' on files
owned be the user invoking the program. While this provides some additional
protection, please use with care as applications running under this profile
are effectively running without any AppArmor protection. Use this profile
only if the process absolutely must be run (effectively) unconfined.
Limitations:
1. This does not work for root owned processes, because of the way we use
owner matching in the sanitized helper. We could do a better job with
this to support root, but it would make the policy harder to understand
and going unconfined as root is not desirable any way.
2. For this sanitized_helper to work, the program running in the sanitized
environment must open symlinks directly in order for AppArmor to mediate
it. This is confirmed to work with:
- compiled code which can load shared libraries
- python imports
It is known not to work with:
- perl includes
3. Going forward it might be useful to try sanitizing ruby and java
Use at your own risk. This profile was developed as an interim workaround for
LP: #851986 until AppArmor implements proper environment filtering.
From the README in the toplevel source:
"[P11-KIT] Provides a way to load and enumerate PKCS#11 modules. Provides a
standard configuration setup for installing PKCS#11 modules in such a way that
they're discoverable."
File locatations are described in [1]. There is a global configuration file in
/etc/pkcs11/pkcs11.conf. Per module configuration happens in
/etc/pkcs11/<module name>. There is also user configuration in ~/.pkcs11, but
IMO this should not be allowed in the abstraction. Example configuration can be
seen in the upstream documentation[2].
This will likely need to be refined as more applications use p11-kit.
[1]http://p11-glue.freedesktop.org/doc/p11-kit/config-locations.html
[2]http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html
Acked-by: Jamie Strandboge <jamie@canonical.com>
in python abstraction. This script is used by apport aware python applications
Bug-Ubuntu: https://launchpad.net/bugs/860856
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
and systems where /var/run moved to /run. Also allows read of
/etc/default/locale.
Bug-Ubuntu: https://launchpad.net/bugs/817956
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
abstractions/apache2-common. Additionally, add read permissions
for /**/.htaccess and /dev/urandom to apache2-common.
The patch is based on a profile abstraction from darix. I made some
things more strict (compared to darix' profile), and OTOH added some
things that are needed on my servers.
*** BACKWARDS-INCOMPATIBLE CHANGES ***
^HANDLING_UNTRUSTED_INPUT
- don't allow /.htaccess (.htaccess files in subdirectories are still allowed)
- don't allow *.htaccess files (the old /**.htaccess rule was too generous)
Original openSUSE changelog entry:
Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
- Splitted ldap related things from nameservice into separate
profile and added some missing paths (bnc#662761)
- fix permissions for additional-log-sockets.conf (the comma in {var/,}
was at the wrong place, which broke the /var/run/ case)
- add read permissions for /sys/devices/system/cpu/online
(that was even new for Peter, but I trust him not to post faked
audit.log lines ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
Subject: apparmor-profiles: Add samba config files
References: bnc#679182 bnc#666450
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
- updated to match trunk
- added changed path to nmbd profile (/var/cache/samba has moved to
/var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
For backward compability, it also allows /var/spool/samba.
- Note: The smbd profile already contains both locations.
by Christian Boltz <apparmor@cboltz.de>
updated according to the comments from Steve Beattie
by Christian Boltz <apparmor@cboltz.de>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- allow /var/spool/mail, not only the /var/mail symlink
- allow @{HOME}/Mail/
- allow capability fsetid, read access to /etc/lsb-release and
SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot
References:
- dovecot: Added support for /var/spool/mail (bnc#691072)
- Updated dovecot profile (bnc#681267).
Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
updated to match trunk by Christian Boltz <apparmor@cboltz.de>
Change compared to the patch posted to the ML:
- link rule instead of adding l permissions for /var/lib/dovecot and
/var/run/dovecot (as proposed by John Johansen)
Acked-By: John Johansen <john.johansen@canonical.com> on IRC
to switch to a non-root user. unscd is installed as /usr/sbin/nscd
at least at openSUSE.
Original changelog entry from unscd package:
Mon Sep 7 17:30:36 CEST 2009 - pbaudis[at]suse.cz
- Provide the /etc/apparmor.d/usr.sbin.nscd file and make it allow
for change to the nobody user [bnc#535467]
Currently the nscd package from glibc and the unscd package both contain
a usr.sbin.nscd profile which needs to maintained/updated manually.
With this patch, the profile could be moved back to the
apparmor-profiles package.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
