Christian Boltz
85f8cace12
Merge branch 'cboltz-ntpd' into 'master'
...
allow access to ntp clockstats
See merge request apparmor/apparmor!54
2018-01-23 23:02:16 +00:00
Rene Engelhard
8fc3dcb312
abstractions/gnupg: allow pubring.kbx
2018-01-20 23:54:08 +01:00
John Johansen
62dbd29656
Merge branch 'dovecot-lda-protocols' into 'master'
...
Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/
See merge request apparmor/apparmor!57
Acked-by: John Johansen <john.johansen@canonical.com>
2018-01-20 08:18:07 +00:00
intrigeri
1b51dac4c9
Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/.
...
On current Debian sid it needs to read
/usr/share/dovecot/protocols.d/imapd.protocol, which is not surprising given it
already needed read access to /usr/share/dovecot/protocols.d/.
2018-01-20 06:25:25 +00:00
Christian Boltz
1541175c36
dovecot/lmtp: allow dac_read_search
...
Fixes https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887591
2018-01-18 18:15:43 +01:00
Christian Boltz
1b58f226ce
allow access to ntp clockstats
...
References: http://bugzilla.opensuse.org/show_bug.cgi?id=1076247
2018-01-16 21:15:41 +01:00
John Johansen
e55583ff27
profile: fix syslog-ng startup for some configurations
...
buglink: https://bugs.launchpad.net/bugs/1739909
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-12-24 00:13:58 -08:00
John Johansen
a3693f56f3
Merge branch 'cboltz-netstat' into 'master'
...
netstat: allow capability sys_ptrace,
See merge request apparmor/apparmor!46
2017-12-22 20:50:11 +00:00
Christian Boltz
81ca52d948
netstat: allow capability sys_ptrace,
...
Denying it means netstat -p (actually tested with -tulpen) can't find
out the program name.
sys_ptrace is "only" needed for tracing processes that run under a
different uid.
Also add ptrace (read), for systems that support ptrace rules.
2017-12-22 21:43:54 +01:00
John Johansen
f8b208ee80
Merge branch 'cboltz-dovecot' into 'master'
...
Update /usr/lib/dovecot/* profiles
See merge request apparmor/apparmor!42
Acked-by: John Johansen <john.johansen@canonical.com>
2017-12-22 19:20:07 +00:00
John Johansen
bcfb735b9a
Merge branch 'cboltz-xauth' into 'master'
...
abstractions/X: add another location for .Xauthority
See merge request apparmor/apparmor!39
Acked-by: John Johansen <john.johansen@canonical.com>
2017-12-22 19:00:36 +00:00
Christian Boltz
06928db1ce
Update /usr/lib/dovecot/* profiles
...
- dict needs abstractions/openssl (seen with dovecot 2.2.31 since
using openssl 1.1)
- imap needs to write tempfiles (seen with dovecot 2.2.31)
- managesieve-login needs access to the login-master-notify socket
(seen with dovecot 2.2.33)
- pop3-login needs access to the anvil socket (reported by pfak on
IRC some months ago)
2017-12-18 17:00:35 +01:00
Christian Boltz
6713f9d94a
Merge branch 'fix-pulse-config' into 'master'
...
Fix local pulseaudio config file access
See merge request apparmor/apparmor!38
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
2017-12-17 16:19:42 +00:00
Christian Boltz
bb96e38a90
abstractions/X: add another location for .Xauthority
...
With the latest sddm, .Xauthority is now located at
@{HOME}/.local/share/sddm/.Xauthority
2017-12-17 15:38:26 +01:00
Vincas Dargis
f73627cbb5
Fix local pulseaudio config file access
...
Add rules to allow reading .conf files from $HOME/.config/pulse
and $HOME/.config/pulse/client.conf.d directories.
2017-12-17 15:56:21 +02:00
Vincas Dargis
9f24650ef9
Fix signal sending for usr.sbin.dovecot
...
Add signal rules to allow dovecot master daemon to send signals
to various child daemons (for reloading/restarting).
2017-12-15 18:17:48 +02:00
John Johansen
a5e5185e15
Merge branch 'cboltz-useradd' into 'master'
...
useradd profile: allow audit_write and running pam_tally2
See merge request apparmor/apparmor!24
Acked-by: John Johansen <john.johansen@canonical.com>
2017-12-12 22:38:24 +00:00
Vincas Dargis
7546413b43
Update abstraction for new Thunderbird executable path
...
* Add -bin suffix to reach new Thunderbird executable.
2017-12-07 16:41:10 +00:00
Jamie Strandboge
c4a5e1d554
abstractions/fonts: also allow owner read on ~/.local/share/fonts
...
The fonts abstraction had owner rules for ~/.fonts, but the current
standard location[1][2] in XDG_DATA_HOME was missing.
[1] https://cgit.freedesktop.org/fontconfig/commit/?id=8c255fb1
[2] https://lists.freedesktop.org/archives/fontconfig/2014-July/005270.html
2017-12-05 15:49:55 -06:00
Christian Boltz
13b1c7a5f6
useradd profile: allow audit_write and running pam_tally2
...
Both seen on openSUSE Leap 42.2
2017-12-04 11:06:09 +01:00
Steve Beattie
ca983811fb
dovecot: allow capability dac_read_search
...
Merge branch 'cboltz-dovecot-caps' into 'master'
See merge request
https://gitlab.com/apparmor/apparmor/merge_requests/16
2017-12-01 20:40:29 +00:00
Steve Beattie
2aabf0c0f0
Update Java abstraction for version 8 and 9
...
Merge branch 'update-java' into 'master'
I have discovered denies on Debian Sid caused by Thunderbird being unable to load the IcedTea plugin upon profile creation (can be reproduced by deleting/moving the `$HOME/.thunderbird` directory).
Additionally, the profile was tested with a (modified) `usr.lib.firefox.firefox` and made to run some random IcedTea applet successfully [0].
There are still denies for `/usr/bin/logger`, but I left this for later patches.
Please note that the path to the Java 9 binary is different from that of previous versions.
Relevant DENIED messages:
```
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1511099962.556:810): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=296bc8 a2=5 a3=802 items=0 ppid=1541 pid=5186 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key=(null)
type=PROCTITLE msg=audit(1511099962.556:810): proctitle="/usr/lib/thunderbird/thunderbird"
```
```
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1018): arch=c000003e syscall=2 success=no exit=-13 a0=7f3638000cb0 a1=0 a2=1b6 a3=7f36ae502620 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1018): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
```
type=AVC msg=audit(1511100105.471:1019): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1019): arch=c000003e syscall=2 success=no exit=-13 a0=7f36a822bdc0 a1=0 a2=1b6 a3=10002ae08 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1019): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
```
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100221.153:1132): arch=c000003e syscall=2 success=no exit=-13 a0=7f20e025e280 a1=241 a2=1b6 a3=10002ae08 items=0 ppid=6405 pid=6414 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100221.153:1132): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
[0] https://centra.tecnico.ulisboa.pt/~amaro/Spline3D.html
See merge request https://gitlab.com/apparmor/apparmor/merge_requests/13/
2017-11-29 23:41:42 +00:00
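The DENIED records quoted in this merge request are the raw material for the profile update, and reading them by hand is error-prone. As an added example (not code from the AppArmor project or from this merge request), the Python below parses such records, decodes the hex-encoded PROCTITLE back into argv, and proposes one candidate rule per event for a human to review, which is roughly the first step aa-logprof automates. The sample log is constructed from the records above plus the "disconnected path" record from the apache2 commit further down this page; the mask mapping, the `owner` heuristic, the tunable substitutions and the function names are this example's own assumptions, not aa-logprof's exact logic.

```python
"""Turn AppArmor audit records into candidate profile rules for review.

Added example, not AppArmor project code.  It does roughly what the first
step of aa-logprof does: parse each DENIED/ALLOWED record and propose a
rule.  The mapping tables below are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: records copied from the commit messages on this page
# (PROCTITLE shortened to whole bytes, SYSCALL records omitted).
SAMPLE_LOG = r'''
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=PROCTITLE msg=audit(1511100105.471:1018): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=13777 comm="apache2" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key/value pairs, dropping the quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def decode_proctitle(value: str) -> List[str]:
    """PROCTITLE is hex-encoded whenever argv contains NUL separators."""
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace').split('\0')
    return [value]


# Audit mask letters -> AppArmor file permission letters (assumed mapping).
# 'c' (create) and 'd' (delete) have no rule letter of their own; both need 'w'.
MASK_MAP = {'r': 'r', 'w': 'w', 'c': 'w', 'd': 'w', 'a': 'a', 'm': 'm', 'k': 'k', 'l': 'l'}


def mask_to_perms(mask: str) -> str:
    perms = {MASK_MAP[ch] for ch in mask if ch in MASK_MAP}
    if 'w' in perms:
        perms.discard('a')               # 'w' already covers append
    out = ''.join(p for p in 'rwamkl' if p in perms)
    if 'x' in mask:
        out += 'ix'                      # exec mode (ix/Px/Cx/Ux) is a policy decision, not a parser one
    return out


def generalize(path: str) -> str:
    """Swap per-process / per-user components for the tunables/global
    variables the profiles on this page already use (@{PROC}, @{pid}, @{HOME})."""
    path = re.sub(r'^/proc/[0-9]+/', '@{PROC}/@{pid}/', path)
    path = re.sub(r'^/home/[^/]+/', '@{HOME}/', path)
    return path


def suggest_rule(rec: Dict[str, str]) -> Optional[str]:
    """One candidate rule for a DENIED/ALLOWED record, or None if the record
    is not a policy decision (SYSCALL, PROCTITLE) or needs another rule type."""
    if rec.get('apparmor') not in ('DENIED', 'ALLOWED'):   # ALLOWED = complain mode
        return None
    if rec.get('operation') == 'capable':
        return 'capability %s,' % rec.get('capname', '?')
    if 'requested_mask' not in rec:
        return None                      # signal, ptrace, dbus ... not handled here
    name = rec.get('name', '')
    if not name:
        # No path at all: the "disconnected path" case is fixed by the
        # attach_disconnected profile flag (see the apache2 commit), not by a rule.
        return 'flags=(attach_disconnected)' if 'disconnected' in rec.get('info', '') else None
    # fsuid == ouid: the process touches its own files, so propose the
    # narrower owner-qualified rule (the same choice aa-logprof offers).
    owner = 'owner ' if rec.get('fsuid') == rec.get('ouid') else ''
    return '%s%s %s,' % (owner, generalize(name), mask_to_perms(rec['requested_mask']))


def proposals(log: str) -> Dict[str, List[str]]:
    """Unique candidate rules grouped by profile, in log order."""
    by_profile: Dict[str, List[str]] = {}
    for line in log.strip().splitlines():
        rec = parse_record(line)
        rule = suggest_rule(rec)
        if rule and rule not in by_profile.setdefault(rec['profile'], []):
            by_profile[rec['profile']].append(rule)
    return by_profile


if __name__ == '__main__':
    for profile, rules in proposals(SAMPLE_LOG).items():
        print('# candidates for profile %s' % profile)
        for rule in rules:
            print('  ' + rule)
    title = parse_record(SAMPLE_LOG.strip().splitlines()[2])['proctitle']
    print('# argv behind audit id 1018:', decode_proctitle(title))
```

The output is a starting point, not something to paste into a profile. The `w` rule it proposes for `/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin` contains a uid, a username, a random suffix and a pid, so the literal path would make the profile work exactly once; the reviewer's job is to widen it to a glob that covers those components while keeping the `owner` qualifier and the `//browser_openjdk` child profile as the target.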
Christian Boltz
4ef505a6e7
dovecot: allow capability dac_read_search
...
This is needed for /var/spool/postfix/private/ (postfix:root 700)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c9
2017-11-28 18:47:26 +01:00
Christian Boltz
6f6b3c57fb
allow dac_read_search and dac_override for dovecot/auth
...
This is needed for:
- /var/spool/postfix/private/ (postfix:root 700) -> dac_read_search
- /run/dovecot/auth-worker (dovecot:root 600) -> dac_override
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1069470
2017-11-26 16:38:06 +01:00
Vincas Dargis
d662c2be72
Update Java abstraction for version 8 and up
...
* Alter paths to allow Java version 8 and up.
* Add file rules to fix IcedTea browser plugin.
* Refactor to keep path consistency against parent and child profile,
reduce repetitive rules.
2017-11-25 16:04:24 +02:00
Vincas Dargis
9658471d38
Allow to read pulseaudio config subdirectories
...
Fixes denied "/etc/pulse/client.conf.d/00-disable-autospawn.conf" read on Debian Sid
2017-11-18 14:20:07 +00:00
intrigeri
2b02d7df83
ubuntu-browsers, ubuntu-helpers: add support for Google Chrome unstable (LP: #1730536).
2017-11-12 13:39:54 +00:00
intrigeri
92752f56da
ubuntu-browsers, ubuntu-helpers: add support for Google Chrome beta
...
Bug-Debian: https://bugs.debian.org/880923
2017-11-05 18:55:23 +00:00
Steve Beattie
c4a4e5bb82
profiles: add attach_disconnected flags to example apache profile
...
Without it, seeing rejections like:
apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=13777 comm="apache2" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875892
2017-10-27 10:59:33 -07:00
Steve Beattie
d2f7f21b04
profiles: update wireshark profile for modern releases
...
Acked-by: Steve Beattie <steve@nxnw.org>
2017-10-26 16:58:26 -07:00
Steve Beattie
f737cc3444
profiles: allow OpenAL HRTF support in audio abstraction
...
The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665
2017-10-26 10:18:58 -07:00
Steve Beattie
ad94da321b
profiles: tunables/global - accept seven digit pids
...
On 64bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT,
(2^22), which results in seven digit pids. Adjust the @{PID} variable in
tunables/global to accept this.
Acked-by: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
2017-10-25 23:17:33 -07:00
Christian Boltz
1d896e014c
Allow reading /etc/netconfig in abstractions/nameservice
...
/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2017-10-20 22:53:09 +02:00
Vincas Dargis
630cb2a981
Allow seven digit pid
2017-09-30 15:28:15 +03:00
Christian Boltz
dd852138d6
Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
...
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.11, 2.10 and 2.9.
2017-09-28 17:47:20 +02:00
intrigeri
c79dd88edb
apache2: use attach_disconnected
...
Otherwise we fail with:
apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=13777 comm="apache2" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Patch by Guido Günther <agx@sigxcpu.org>.
2017-09-20 16:45:09 +02:00
Jamie Strandboge
59660c4650
Description: allow access to stub resolver configuration
...
Signed-Off-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-09-15 15:47:26 -05:00
Christian Boltz
26a12fd9ac
abstractions/freedesktop.org: support /usr/local/applications; support subdirs of applications folder
...
Merge request by Cameron Norman 2015-06-07
https://code.launchpad.net/~cameronnemo/apparmor/abstraction-fdo-applications-fixups/+merge/261336
Acked-by: Christian Boltz <apparmor@cboltz.de> for trunk, 2.11, 2.10 and 2.9
2017-09-10 12:27:23 +02:00
intrigeri
b64edfc92b
abstractions/audio: allow read-only access to OpenAL's "head-related transfer function" data sets.
...
These files are used by OpenAL for better spatialization of sounds
when headphones are detected.
Bug and patch by Simon McVittie <smcv@debian.org>:
https://bugs.debian.org/874665
2017-09-10 09:09:10 +02:00
Christian Boltz
84cd523d8c
Samba profile updates for ActiveDirectory / Kerberos
...
The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
2017-08-29 13:31:20 +02:00
Seth Arnold
d53a4f80bf
artiom suggested a man fix for postgresql's manpages
...
Signed-off-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2017-08-22 11:27:31 -07:00
Christian Boltz
9480a83ddf
update some Postfix profiles
...
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2017-08-22 12:43:18 +02:00
Steve Beattie
237fc59ba8
user abstractions: fix for non-latin file/directory names
...
Merge from Vincas Dargis, approved by intrigeri
Fix user-write and user-download abstractions for non-latin file names.
Acked-by: Steve Beattie <steve@nxnw.org>
2017-08-09 12:46:04 -07:00
Steve Beattie
cfe2854740
traceroute profile: support TCP SYN for probes, quiet net_admin request
...
Merge from Vincas Dargis, approved by intrigeri.
fix traceroute denies in tcp mode
Acked-by: Steve Beattie <steve@nxnw.org>
2017-08-09 08:57:36 -07:00
Jamie Strandboge
77c2e27e6c
abstractions/ubuntu-browsers: support Debian's Firefox non-ESR path.
...
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
2017-08-08 07:53:22 -05:00
intrigeri
cc5a23d4c1
ubuntu-browsers, ubuntu-helpers: support Debian's Chromium paths.
2017-08-07 17:03:05 -04:00
intrigeri
ff66ca9039
abstractions/ubuntu-browsers: support Debian's Firefox non-ESR path.
...
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
2017-08-07 15:31:19 -04:00
Steve Beattie
0e6a9c54f2
abstractions/gnome: allow reading GLib schemas.
...
Merge from intrigeri based on original work by Cameron Norman.
Acked-by: Steve Beattie <steve@nxnw.org>
2017-08-07 10:37:50 -07:00
Steve Beattie
c519a1a9c1
wayland abstraction: allow wayland-cursor-shared-*
...
Merge from intrigeri.
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870807
Acked-by: Steve Beattie <steve@nxnw.org>
2017-08-07 10:26:13 -07:00
Christian Boltz
c086d280b9
update netstat profile
...
- allow reading @{PROC}/@{pid}/net/netstat and @{PROC}/@{pid}/net/snmp
- drop owner conditional - /proc/*/net/* is always owned by root, and
the owner conditional means breaking netstat for non-root users
- drop "@{PROC}/@{pids}/fd r," - /proc/*/fd is a directory, so this rule
would never apply
Acked-by: Steve Beattie <steve@nxnw.org>
Addition by Steve Beattie:
- also allow @{PROC}/@{pid}/net/udplite and @{PROC}/@{pid}/net/udplit6
Acked-by: Christian Boltz <apparmor@cboltz.de>
2017-08-07 18:05:09 +02:00
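This netstat profile update and the "netstat: allow capability sys_ptrace" commit further up both turn on how `netstat -p` maps a socket to a process. As an added example (not netstat's or the AppArmor project's code), the Python below reproduces that lookup: it parses /proc/net/tcp (a root-owned file whoever reads it, which is why the `owner` conditional broke netstat for non-root users), walks each /proc/<pid>/fd directory (a directory, which is why an `fd r` rule never applied), and prints `-` for a socket whose owner could not be read because the kernel's ptrace access check refused the fd listing, which is what a confined netstat shows without sys_ptrace for processes under another uid. The /proc/net/tcp table is constructed (as a little-endian x86 host prints it); the function names and the `proc_root` parameter, which lets the lookup run against a fake /proc tree, are this example's own.

```python
"""Resolve LISTEN sockets to their owning process the way `netstat -p`
does: socket inodes from /proc/net/tcp are matched against the
socket:[inode] links under /proc/<pid>/fd.  Added example, not netstat's
or AppArmor's code.  Listing another uid's /proc/<pid>/fd is gated by a
ptrace access check in the kernel, which is why the netstat profile needs
capability sys_ptrace (and a ptrace read rule) for other users' processes.
"""
import os
import socket
import struct
from typing import Dict, List, Set, Tuple

# Constructed /proc/net/tcp sample with two LISTEN sockets, written as a
# little-endian x86 host prints them: 127.0.0.1:631 (inode 21517) and
# 0.0.0.0:22 (inode 18099).
SAMPLE_TCP = '''\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21517 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18099 1 0000000000000000 100 0 0 10 0
'''
TCP_LISTEN = '0A'        # value of the 'st' column for a listening socket


def decode_hexaddr(field: str) -> str:
    """'0100007F:0277' -> '127.0.0.1:631'.  The kernel prints the IPv4
    address in host byte order; this decoder assumes little-endian."""
    ip_hex, port_hex = field.split(':')
    ip = socket.inet_ntoa(struct.pack('<I', int(ip_hex, 16)))
    return '%s:%d' % (ip, int(port_hex, 16))


def parse_proc_net_tcp(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated /proc/net/tcp table (IPv4 only)."""
    rows = []
    for line in text.splitlines()[1:]:            # first line is the header
        f = line.split()
        if len(f) >= 10:
            rows.append({'local': decode_hexaddr(f[1]), 'remote': decode_hexaddr(f[2]),
                         'state': f[3], 'uid': f[7], 'inode': f[9]})
    return rows


def _comm(proc_root: str, entry: str) -> str:
    try:
        with open(os.path.join(proc_root, entry, 'comm')) as fh:
            return fh.read().strip()
    except OSError:
        return '?'


def socket_inodes_by_pid(proc_root: str = '/proc') -> Tuple[Dict[str, Tuple[int, str]], Set[int]]:
    """Map socket inode -> (pid, comm) from /proc/<pid>/fd/* links.  Also
    returns the pids whose fd table the caller was not allowed to read."""
    owners: Dict[str, Tuple[int, str]] = {}
    unreadable: Set[int] = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue                               # /proc/net, /proc/sys, ...
        fd_dir = os.path.join(proc_root, entry, 'fd')
        try:
            for fd in os.listdir(fd_dir):          # fd/ is a directory: needs 'r' on fd/, not 'fd r'
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith('socket:['):
                    owners[target[len('socket:['):-1]] = (int(entry), _comm(proc_root, entry))
        except PermissionError:
            # Another uid's process: the ptrace access check failed.  This is
            # the case that needs CAP_SYS_PTRACE (and an AppArmor ptrace rule).
            unreadable.add(int(entry))
        except FileNotFoundError:
            pass                                   # process exited mid-scan
    return owners, unreadable


def listening_sockets(tcp_text: str, proc_root: str = '/proc') -> List[Tuple[str, str]]:
    """(local address, 'pid/comm' or '-') per LISTEN socket, like `netstat -tlpn`."""
    owners, _ = socket_inodes_by_pid(proc_root)
    result = []
    for row in parse_proc_net_tcp(tcp_text):
        if row['state'] == TCP_LISTEN:
            pid, comm = owners.get(row['inode'], (None, '-'))
            result.append((row['local'], '%d/%s' % (pid, comm) if pid else '-'))
    return result


if __name__ == '__main__':
    # On a real system this reads the live tables; '-' marks sockets whose
    # owner could not be resolved, which is what a confined netstat prints.
    with open('/proc/net/tcp') as fh:
        for local, owner in listening_sockets(fh.read()):
            print('%-24s %s' % (local, owner))
```

Run as an unprivileged user the `-` entries are every socket held by another uid, and the same picture appears for root when the confining profile lacks `capability sys_ptrace` and a `ptrace (read)` rule: the file reads under /proc/net succeed, the fd-directory listings fail, and only the program-name column goes blank, which is exactly the symptom the sys_ptrace commit describes.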