- the base abstraction for common abstract and anonymous rules (comments
included per rule)
- dbus-session-strict to add a rule for connecting to the dbus session
abstract
socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
explicit label if people preferred that
- X to add a rule for connecting to the X abstract socket. Same as for
dbus-session-strict
- nameservice to add a rule for connecting to a netlink raw. This change could
possibly be excluded, but applications using networking (at least on Ubuntu)
all seem to need it. Excluding it would mean systems using nscd would need to
add this and ones not using it would have a noisy denial
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
openSUSE now compiles samba --with-cachedir=/var/lib/samba (instead of
the default /var/cache/samba). This patch updates the smbd profile to
match this change.
Acked by: Seth Arnold <seth.arnold@canonical.com>
user/password files (everybody will use a different filename for the
user/password list - and when you allow reading the password list,
allowing to read the config doesn't add any harm ;-)
References: https://bugzilla.novell.com/show_bug.cgi?id=874094
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Some updates for the dovecot profiles, based on a patch from
Christian Wittmer <chris@computersalat.de> (he sent it as SR for the
openSUSE package, which uses a slightly older version of the dovecot
profiles)
Fix problems with dovecot and managesieve:
* usr.lib.dovecot.managesieve-login: network inet6 stream
* usr.lib.dovecot.managesieve:
+#include <tunables/dovecot>
/usr/lib/dovecot/managesieve {
+ capability setgid, # covered by abstractions/dovecot-common, therefore not part of this patch
+ capability setuid,
+ network inet stream,
+ network inet6 stream,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
* add #include <abstractions/wutmp> to usr.lib.dovecot.auth
apparmor="DENIED" operation="open" parent=18310 \
profile="/usr/lib/dovecot/auth" name="/var/run/utmp" pid=20939 \
comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://launchpad.net/bugs/1322778
When configured with "clustering = yes", Samba needs to be able to
connect to the local ctdbd daemon socket, and directly manipulate .tdb
database files managed by ctdb.
Signed-off-by: David Disseldorp <ddiss@suse.de>
This commit adds a dovecot-common abstraction, as well as adjusting
the profiles for dovecot's helper binaries to make use of it. The
important addition is the ability for the dovecot master process to
send signals to the helpers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Move postfix-common from program-chunks/ to abstractions/; remove
program-chunks directory since postfix-common was the last resident of
that directory (and had been since 2007), and adjust the includes of all
the profiles that include postfix-common.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- Allow reciprocal ptrace readby to everyone (requires peer unconfined or to
ptrace read to us)
- same for ptrace tracedby
- allow us to ptrace read ourselves
- receive all signals from unconfined
- allow us to signal ourselves
- allow sending and receiving "exists" (for pid existence)
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Update the apache2 profile so that the parent apache process can kill
worker processes inside of hats. Update the example comments and the
DEFAULT_URI and HANDLING_UNTRUSTED_INPUT hats to include the
apache2-common abstraction to allow them to receive signals from the
parent process.
Author: Kees Cook <kees@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/apparmor/+bug/1322764
Update the apache2-common abstraction so that the parent apache process
can kill worker processes inside of hats, as well as handle the updated
mod_apparmor behavior that invokes aa_change_hatv() and then checks
which hat it ended up in via aa_getconn() (which reads from
{PROC}/@{pid}/attr/current).
Author: Kees Cook <kees@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/apparmor/+bug/1322764
Ubuntu 14.04's chromium-browser has changed paths in a way that prevents
evince from opening clicked links in chromium-browser windows.
This patch adds a new path for the chrome-sandbox executable to the
sanitized_helper profile, so chromium will get its own tailored profile if
necessary.
The reporter who said this patch helped included some further DENIED lines
for signals that indicates this is probably not sufficient but did make
the links work as expected.
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1282314
Signed-off-by: Seth Arnold <seth.arnold@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
- allow rw access to /var/cache/krb5rcache/*
- treat passdb.tdb.tmp as passdb.tdb
Patch from Lars Müller <lmuelle@suse.com>
References: https://bugzilla.novell.com/show_bug.cgi?id=870607
Acked-by: Steve Beattie <steve@nxnw.org>
\s is a new feature of GNU grep 2.6 (released on 2010-03-23) and
it does not work in older versions. By using [[:space:]] instead,
AppArmor can compile on systems with older versions of grep.
Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
Acked-by: Steve Beattie <steve@nxnw.org>
and its derivatives
Bug-Ubuntu: https://launchpad.net/bugs/1285653
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This is an updated version of the previous dnsmasq profile patch, again
from develop7 [at] develop7.info
Acked-by: John Johansen <john.johansen@canonical.com>
- some *.dat files live in a different directory nowadays (at least in
openSUSE)
- the openSUSE smb.conf includes the (autogenerated) dhcp.conf, so this
file also needs to be readable.
References: https://bugzilla.novell.com/show_bug.cgi?id=863226
Acked-by: Seth Arnold <seth.arnold@canonical.com>
the suggestion to use @{XDG_DOWNLOAD_DIR} in abstractions/user-download as
well as the existing entries.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
The xdg-user-dirs specification[1] allows for translatable and movable common
directories. While this may be beneficial for users who for example want to have
~/Pictures translated into their own language, this flexibility provides
challenges for AppArmor. Untranslated xdg user directories are typically (see
~/.config/user-dirs.dirs):
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/Downloads"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_MUSIC_DIR="$HOME/Music"
XDG_PICTURES_DIR="$HOME/Pictures"
XDG_VIDEOS_DIR="$HOME/Videos"
On an Ubuntu system with the fr_CA locale installed, these become:
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/Téléchargements"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_MUSIC_DIR="$HOME/Musique"
XDG_PICTURES_DIR="$HOME/Images"
XDG_VIDEOS_DIR="$HOME/Vidéos"
While the kernel and AppArmor parser handle these translations fine, the
profiles do not.
As an upstream, we can vastly improve the situation by simply creating the
xdg-user-dirs tunable using the default 'C' xdg-user-dirs values:
$ cat /etc/apparmor.d/tunables/xdg-user-dirs
@{XDG_DESKTOP_DIR}=Desktop
@{XDG_DOWNLOAD_DIR}=Downloads
@{XDG_TEMPLATES_DIR}=Templates
@{XDG_PUBLICSHARE_DIR}=Public
@{XDG_DOCUMENTS_DIR}=Documents
@{XDG_MUSIC_DIR}=Music
@{XDG_PICTURES_DIR}=Pictures
@{XDG_VIDEOS_DIR}=Videos
# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
# to the various XDG directories
#include <tunables/xdg-user-dirs.d>
and then create the /etc/apparmor.d/tunables/xdg-user-dirs.d directory. With
that alone, we can start using rules like this in policy:
owner @{HOME}/@{XDG_MUSIC_DIR}/** r,
and users/admins can adjust /etc/apparmor.d/tunables/xdg-user-dirs or drop files
into /etc/apparmor.d/tunables/xdg-user-dirs.d, providing a welcome convenience.
This of course doesn't solve everything. Because users can modify their
~/.config/user-dirs.dirs file at will and have it point anywhere, so we can't
examine those files and do anything automatic there (when we have user policy we
can revisit this). This patch handles translations well though since use of
translations for these directories happens outside of the user's control. Users
who modify ~/.config/user-dirs.dirs can update policy like they need to now (ie,
this patch doesn't change anything for them).
[0] https://lists.ubuntu.com/archives/apparmor/2013-August/004183.html
[1] http://freedesktop.org/wiki/Software/xdg-user-dirs/
This patch adds basic support for XDG user dirs:
1. Update profiles/apparmor.d/tunables/global to include xdg-user-dirs.
2. Create the xdg-user-dirs tunable using the default 'C' xdg-user-dirs values
and includes tunables/xdg-user-dirs.d
3. Add profiles/apparmor.d/tunables/xdg-user-dirs.d/site.local with commented
out examples on how to use the directory.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Thai-specific functions like word-breaking, input and output methods and basic
character and string support. This is: https://launchpad.net/bugs/1278702
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Description: Allow applications run under sanitized_helper to connect to DBus
This was originally 0076_sanitized_helper_dbus_access.patch in the Ubuntu
apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1056418
From: Steve Beattie <steve.beattie@canonical.com>
Came from 0021-webapps_abstraction.patch in the Ubuntu apparmor packaging.
jdstrand: +1 (this is in the Ubuntu namespace, so feel free to commit)
Grant access to specific files in the /var/run/user/UID/pulse/ directory to
remove access to potentially dangerous and non-essential files such as the
debug (cli) socket provided by the module-cli-protocol-unix module.
Author: Tyler Hicks <tyhicks@canonical.com>
Bug-Ubuntu: https://launchpad.net/bugs/1211380
Acked-by: Steve Beattie <steve@nxnw.org>
Description: allow mmap of fglrx dri libraries
Bug-Ubuntu: https://launchpad.net/bugs/1200392
Acked-by: Steve Beattie <steve@nxnw.org>
Came from 0038-lp1200392.patch.
Description: update mod_apparmor man page for Apache 2.4 and add new
apparmor.d/usr.sbin.apache2 profile (based on the prefork profile)
Acked-by: Steve Beattie <steve@nxnw.org>
Differs from original 0036-libapache2-mod-apparmor-profile-2.4.patch
ubuntu patch -- I've deleted the "delete the apache 2.2 profile" part of
the patch. So apache 2.2's profile is also still supported.
Author: Micah Gersten <micah@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Modified by Seth Arnold; nvidia nvpau_wrapper.cfg permission was hoisted
up into an nvidia abstraction.
Author: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This was originally patch 0018-lp1056391.patch in the Ubuntu apparmor
packaging; Steve noticed the now-redundant line for /var/lib/sss/mc/passwd
so I removed that at the same time.
After testing the dovecot profiles on a new server, I noticed
/usr/lib/dovecot/dict and /usrlib/dovecot/lmtp need more nameservice-
related permissions.
Therefore include abstractions/nameservice instead of adding more and
more files.
Acked-by: John Johansen (on IRC)
abstractions/mysql.
This binary/profile seems to be the only one that needs to do this, so
add it to this profile (instead of abstractions/mysql) to avoid superfluous
permissions for other programs with abstractions/mysql
Acked-by: John Johansen <john.johansen@canonical.com>
after testing the dovecot profiles on a new server, I noticed
/usr/sbin/dovecot needs some more permissions:
- mysql access
- execution permissions for /usr/lib/dovecot/dict and lmtp
- write access to some postfix sockets, used to
- provide SMTP Auth via dovecot
- deliver mails to dovecot via LMTP
- and read access to /proc/filesystems
Acked-by: John Johansen <john.johansen@canonical.com>
