apparmor

mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00

Author	SHA1	Message	Date
John Johansen	82a4e70248	Merge zgrep: deny passwd access Bash will try to read the passwd database to find the shell of a user if $SHELL is not set. This causes zgrep to trigger ``` apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` if called in a sanitized environment. As the functionality of zgrep is not impacted by a limited Bash environment, add deny rules to avoid the potentially misleading AVC messages. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1361 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-10-29 13:50:06 +00:00
Georg Pfuetzenreuter	48483f2ff8	zgrep: deny passwd access Bash will try to read the passwd database to find the shell of a user if $SHELL is not set. This causes zgrep to trigger ``` apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` if called in a sanitized environment. As the functionality of zgrep is not impacted by a limited Bash environment, add deny rules to avoid the potentially misleading AVC messages. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2024-10-06 23:18:52 +02:00
Christian Boltz	68d42c3e37	zgrep: allow reading /etc/nsswitch.conf and /etc/passwd Seen on various VMs, my guess is that bash wants to translate a uid to a username. Log events (slightly shortened) apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0	2024-10-06 11:05:52 +02:00
John Johansen	f1b4da2f64	policy: update to use 4.0 abi Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-06-30 23:36:12 -07:00
Christian Boltz	df37c299e1	zgrep: allow executing egrep and fgrep egrep and fgrep also need to execute grep and write to /dev/tty in the helper child profile. Fixes: https://progress.opensuse.org/issues/113108	2022-06-28 23:27:10 +02:00
Christian Boltz	c5a51a080f	zgrep profile: also allow zstd openSUSE works on extending zgrep to also support zstd-compressed files. References: http://bugzilla.opensuse.org/show_bug.cgi?id=1198922	2022-04-27 22:15:17 +02:00
Christian Boltz	ad8c5f0be3	zgrep profile: allow executing /usr/bin/expr expr is used for parsing commandline options in zgrep. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198531	2022-04-16 22:32:01 +02:00
Christian Boltz	4c853dc74d	Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 aka CVE-2022-1271 (file write and code execution via "funny" filenames)	2022-04-12 00:04:22 +02:00

8 commits