The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
Merge from trunk commit 3691
Merge from Vincas Dargis, approved by intrigeri
Fix user-write and user-download abstractions for non-latin file names.
Acked-by: Steve Beattie <steve@nxnw.org>
Merge from trunk revision 3690
Merge from Vincas Dargis, approved by intrigeri.
fix traceroute denies in tcp mode
Acked-by: Steve Beattie <steve@nxnw.org>
Description: adjust the multiarch alternation rule in the perl abstraction for
modern Debian and Ubuntu systems which store some modules under the
architecture-specific perl-base directory instead of perl or perl5.
Signed-Off-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
glibc implements this by doing a readdir() and filtering.
We already allowed sysconf(_SC_NPROCESSORS_ONLN), which is
basically a read from /sys/devices/system/cpu/online.
Signed-off-by: Simon McVittie <smcv@collabora.com>
dovecot-lda needs
- the attach_disconnected flags
- read access to /usr/share/dovecot/protocols.d/
- rw for /run/dovecot/auth-userdb
References: https://bugs.launchpad.net/bugs/1650827
Acked-by: Steve Beattie <steve@nxnw.org> for 2.9, 2.10 and trunk.
Some of the /usr/lib/dovecot/* rules already have mrPx permissions,
while others don't.
With a more recent kernel, I noticed that at least auth, config, dict,
lmtp, pop3 and ssl-params need mrPx instead of just Px (confirmed by the
audit.log and actual breakage caused by the missing mr permissions).
The mr additions for anvil, log and managesieve are just a wild guess,
but I would be very surprised if they don't need mr.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Add several permissions to the dovecot profiles that are needed on ubuntu
(surprisingly not on openSUSE, maybe it depends on the dovecot config?)
As discussed some weeks ago, the added permissions use only /run/
instead of /{var/,}run/ (which is hopefully superfluous nowadays).
References: https://bugs.launchpad.net/apparmor/+bug/1512131
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
The local/ include in the sshd profile in extras causes some trouble:
- it breaks "make check" because the parser can't find the local/ file
- it results in a broken profile if someone uses this profile as
starting point, but doesn't notice it needs the local include
Acked-by: Steve Beattie <steve@nxnw.org>
Thanks to Daniel Curtis for working on this!
Acked-by: Seth Arnold <seth.arnold@canonical.com> for whichever branches
it makes sense for
-> trunk (includes 2.11) only - if we want it in 2.10 and 2.9, we'll
also need to backport the usrMerge changes
The dovecot/auth profile needs access to /run/dovecot/anvil-auth-penalty
and /var/spool/postfix/private/auth.
The dovecot/log profile needs the attach_disconnected flag.
Refences: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
nmbd needs some additional permissions:
- k for /var/cache/samba/lck/* (via abstractions/samba)
- rw for /var/cache/samba/msg/ (the log only mentioned r, but that
directory needs to be created first)
- w for /var/cache/samba/msg/* (the log didn't indicate any read access)
Reported by FLD on IRC, audit log on https://paste.debian.net/902010/
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
The latex based techdoc in the parser/ tree adds a number of build
dependencies for downstreams to create it; it also is the primary
element to make the builds unrepeatable. Creating the techdoc and other
documentation when generating a tarball for distribution avoids all
that.
* Makefile: build documentation as part of the tarball creation. Skip
the libraries/libapparmor directory as it needs to have configure run
before the manpages can be made.
* changehat/mod_apparmor/Makefile, changehat/mod_apparmor/Makefile,
utils/Makefile, profiles/Makefile: create separate docs target,
some of them dummies.
* parser/Makefile: pull the techdoc out of the default build target, add
an extra_docs target to create it.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Merge lp:~intrigeri/apparmor/usrMerge:
intrigeri@boum.org 2016-12-07 Adjust white-space back to "tabular style" and make one merged-/usr related rule look like the others.
intrigeri@boum.org 2016-12-03 abstractions/base: drop 'ix' for ld-*.so and friends.
intrigeri@boum.org 2016-12-03 abstractions/base: revert ix→Pix.
intrigeri@boum.org 2016-12-03 abstractions/base: turn remaining ix rules into Pix.
intrigeri@boum.org 2016-12-03 abstractions/base: turn merged-/usr-enabled ix rules into Pix, to avoid conflicts with other profiles.
intrigeri@boum.org 2016-12-03 abstractions/base: drop obsolete rule, supersede by @{multiarch} a while ago.
intrigeri@boum.org 2016-12-03 Make policy compatible with merged-/usr.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Additionally, I did some whitespace fixes in the dhclient and procmail
profile before commiting the merge.
openSUSE uses "php7" (not just "php") in several paths, so also allow that.
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
This should solve the "overlapping rules with conflicting 'x'
modifiers" problem (introduced with r3594) entirely.
The other options I could think of were:
* ix → Pix, adjust all profiles that do 'ix' accordingly, and leave
alone those that do Pix already; downsides: requires updating quite
a few profiles all around the place, and breaks a mere "file," rule;
* ix → Pix, adjust all profiles that do 'ix' accordingly, and change
the "file," rule semantics to imply Pix; downside: very intrusive,
and likely to break random existing policy in ways that are hard
to predict;
* stick to ix, and adjust all profiles that do anything else with
overlapping rules, to do ix instead; downside: in some cases this means
removing the 'P' modifier, which can cause regressions in how we confine
stuff.
I've looked up in the bzr history to understand why execution rights
would be needed, and… the answer predates the move to bzr.
Looking into the SVN history, if it's even available anywhere, is
a bit too much for me, so I've tested this change and the few
applications I've tried did not complain. Of course, more testing will
be needed.
Having consistent x modifiers in this abstraction is needed
to allow profiles including abstractions/base to apply x rules
overlapping with several of the rules from the base abstraction.
E.g. one may need to have rules applying to /**, for example because
a mere "file," conflicts with the ix→Pix change I did in r3596.
On servers with not too much memory ("only" 16 GB), dovecot logins fail:
Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)
audit.log messages are:
... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24 capname="sys_resource"
... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456
After allowing capability sys_resource, dovecot can increase the limit
and works again.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
The latest glibc (including nscd) in openSUSE Tumbleweed comes with
glibc-2.3.3-nscd-db-path.diff: Move persistent nscd databases to
/var/lib/nscd
This needs updates (adding /var/lib/nscd/) to abstractions/nameservice
and the nscd profile.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
nmbd, winbindd (and most probably also smbd - but it has a more
permissive profile that already allows this) need rw access to
/var/cache/samba/lck/* on Debian 8.6.
Reported by FLD on IRC.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
A while ago, support for "network unspec" was added. However, nobody
updated the ntpd profile (at least not the profile in upstream bzr)
which was the main reason for adding "unspec".
References: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1546455
(the original bugreport about "unspec")
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1009964
(about the ntpd profile)
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
Newer kernels need m permissions for the binary the profile covers,
so add it before someone hits this problem in the wild ;-)
Also add a note that the mlmmj-recieve profile is probably superfluous
because upstream renamed the misspelled binary.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
This patch updates the mlmmj profiles in the extras directory to the
profiles that are used on lists.opensuse.org now. Besides adding lots
of trailing slashes for directories, several permissions were added.
Also, usr.bin.mlmmj-receive gets added - it seems upstream renamed
mlmmj-recieve to fix a typo.
These profiles were provided by Per Jessen.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1000201
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Besides dnsmasq.leases, dnsmasq.pid needs to be written. Also read
access for some files is needed (currently dnsmasq.raw and
dnsmasq.hosts - using dnsmasq.* makes this more future-proof when
more files get added)
References: https://bugs.launchpad.net/apparmor/+bug/1634199 (again)
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/1403468
