John Johansen
bcfb735b9a
Merge branch 'cboltz-xauth' into 'master'
abstractions/X: add another location for .Xauthority
See merge request apparmor/apparmor!39
Acked-by: John Johansen <john.johansen@canonical.com>
2017-12-22 19:00:36 +00:00
Christian Boltz
6713f9d94a
Merge branch 'fix-pulse-config' into 'master'
Fix local pulseaudio config file access
See merge request apparmor/apparmor!38
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
2017-12-17 16:19:42 +00:00
Christian Boltz
bb96e38a90
abstractions/X: add another location for .Xauthority
With the latest sddm, .Xauthority is now located at
@{HOME}/.local/share/sddm/.Xauthority
2017-12-17 15:38:26 +01:00
Vincas Dargis
f73627cbb5
Fix local pulseaudio config file access
Add rules to allow reading .conf files from $HOME/.config/pulse
and $HOME/.config/pulse/client.conf.d directories.
2017-12-17 15:56:21 +02:00
Vincas Dargis
9f24650ef9
Fix signal sending for usr.sbin.dovecot
Add signal rules to allow dovecot master daemon to send signals
to various child daemons (for reloading/restarting).
2017-12-15 18:17:48 +02:00
Vincas Dargis
7546413b43
Update abstraction for new Thunderbird executable path
* Add -bin suffix to reach new Thunderbird executable.
2017-12-07 16:41:10 +00:00
Jamie Strandboge
c4a5e1d554
abstractions/fonts: also allow owner read on ~/.local/share/fonts
The fonts abstraction had owner rules for ~/.fonts, but the current
standard location[1][2] in XDG_DATA_HOME was missing.
[1] https://cgit.freedesktop.org/fontconfig/commit/?id=8c255fb1
[2] https://lists.freedesktop.org/archives/fontconfig/2014-July/005270.html
2017-12-05 15:49:55 -06:00
Steve Beattie
ca983811fb
dovecot: allow capability dac_read_search
Merge branch 'cboltz-dovecot-caps' into 'master'
See merge request
https://gitlab.com/apparmor/apparmor/merge_requests/16
2017-12-01 20:40:29 +00:00
Steve Beattie
2aabf0c0f0
Update Java abstraction for version 8 and 9
Merge branch 'update-java' into 'master'
I have discovered denies on Debian Sid by Thunderbird being unable to load IcedTea plugin upon profile creation (can be reproduced by deleting/moving `$HOME/.thunderbird` directory).
Additionally, profile was tested with (modified) `usr.lib.firefox.firefox` and made it run some random IcedTea applet successfully [0].
There are still denies for `/usr/bin/logger`, but I left this for later patches.
Please note that path to Java 9 binary is different than to previous versions.
Relevant DENIED messages:
```
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1511099962.556:810): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=296bc8 a2=5 a3=802 items=0 ppid=1541 pid=5186 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key=(null)
type=PROCTITLE msg=audit(1511099962.556:810): proctitle="/usr/lib/thunderbird/thunderbird"
```
```
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1018): arch=c000003e syscall=2 success=no exit=-13 a0=7f3638000cb0 a1=0 a2=1b6 a3=7f36ae502620 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1018): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
```
type=AVC msg=audit(1511100105.471:1019): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1019): arch=c000003e syscall=2 success=no exit=-13 a0=7f36a822bdc0 a1=0 a2=1b6 a3=10002ae08 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1019): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
```
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100221.153:1132): arch=c000003e syscall=2 success=no exit=-13 a0=7f20e025e280 a1=241 a2=1b6 a3=10002ae08 items=0 ppid=6405 pid=6414 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100221.153:1132): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```
[0] https://centra.tecnico.ulisboa.pt/~amaro/Spline3D.html
See merge request https://gitlab.com/apparmor/apparmor/merge_requests/13/
2017-11-29 23:41:42 +00:00
Christian Boltz
4ef505a6e7
dovecot: allow capability dac_read_search
This is needed for /var/spool/postfix/private/ (postfix:root 700)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1069470#c9
2017-11-28 18:47:26 +01:00
Christian Boltz
6f6b3c57fb
allow dac_read_search and dac_override for dovecot/auth
This is needed for:
- /var/spool/postfix/private/ (postfix:root 700) -> dac_read_search
- /run/dovecot/auth-worker (dovecot:root 600) -> dac_override
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1069470
2017-11-26 16:38:06 +01:00
Vincas Dargis
d662c2be72
Update Java abstraction for version 8 and up
* Alter paths to allow Java version 8 and up.
* Add file rules to fix IcedTea browser plugin.
* Refactor to keep path consistency against parent and child profile,
reduce repetitive rules.
2017-11-25 16:04:24 +02:00
Vincas Dargis
9658471d38
Allow to read pulseaudio config subdirectories
Fixes denied "/etc/pulse/client.conf.d/00-disable-autospawn.conf" read on Debian Sid
2017-11-18 14:20:07 +00:00
intrigeri
2b02d7df83
ubuntu-browsers, ubuntu-helpers: add support for Google Chrome unstable (LP: #1730536).
2017-11-12 13:39:54 +00:00
intrigeri
92752f56da
ubuntu-browsers, ubuntu-helpers: add support for Google Chrome beta
Bug-Debian: https://bugs.debian.org/880923
2017-11-05 18:55:23 +00:00
Steve Beattie
c4a4e5bb82
profiles: add attach_disconnected flags to example apache profile
Without it, seeing rejections like:
apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=13777 comm="apache2" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875892
2017-10-27 10:59:33 -07:00
Steve Beattie
f737cc3444
profiles: allow OpenAL HRTF support in audio abstraction
The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665
2017-10-26 10:18:58 -07:00
Steve Beattie
ad94da321b
profiles: tunables/global - accept seven digit pids
On 64bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT,
(2^22), which results in seven digit pids. Adjust the @{PID} variable in
tunables/global to accept this.
Acked-by: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
2017-10-25 23:17:33 -07:00
Christian Boltz
1d896e014c
Allow reading /etc/netconfig in abstractions/nameservice
/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2017-10-20 22:53:09 +02:00
Vincas Dargis
630cb2a981
Allow seven digit pid
2017-09-30 15:28:15 +03:00
Christian Boltz
dd852138d6
Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.11, 2.10 and 2.9.
2017-09-28 17:47:20 +02:00
intrigeri
c79dd88edb
apache2: use attach_disconnected
Otherwise we fail with:
apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=13777 comm="apache2" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Patch by Guido Günther <agx@sigxcpu.org>.
2017-09-20 16:45:09 +02:00
Jamie Strandboge
59660c4650
Description: allow access to stub resolver configuration
Signed-Off-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-09-15 15:47:26 -05:00
Christian Boltz
26a12fd9ac
abstractions/freedesktop.org: support /usr/local/applications; support subdirs of applications folder
Merge request by Cameron Norman 2015-06-07
https://code.launchpad.net/~cameronnemo/apparmor/abstraction-fdo-applications-fixups/+merge/261336
Acked-by: Christian Boltz <apparmor@cboltz.de> for trunk, 2.11, 2.10 and 2.9
2017-09-10 12:27:23 +02:00
intrigeri
b64edfc92b
abstractions/audio: allow read-only access to OpenAL's "head-related transfer function" data sets.
These files are used by OpenAL for better spatialization of sounds
when headphones are detected.
Bug and patch by Simon McVittie <smcv@debian.org>:
https://bugs.debian.org/874665
2017-09-10 09:09:10 +02:00
Christian Boltz
84cd523d8c
Samba profile updates for ActiveDirectory / Kerberos
The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
2017-08-29 13:31:20 +02:00
Christian Boltz
9480a83ddf
update some Postfix profiles
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2017-08-22 12:43:18 +02:00
Steve Beattie
237fc59ba8
user abstractions: fix for non-latin file/directory names
Merge from Vincas Dargis, approved by intrigeri
Fix user-write and user-download abstractions for non-latin file names.
Acked-by: Steve Beattie <steve@nxnw.org>
2017-08-09 12:46:04 -07:00
Steve Beattie
cfe2854740
traceroute profile: support TCP SYN for probes, quiet net_admin request
Merge from Vincas Dargis, approved by intrigeri.
fix traceroute denies in tcp mode
Acked-by: Steve Beattie <steve@nxnw.org>
2017-08-09 08:57:36 -07:00
Jamie Strandboge
77c2e27e6c
abstractions/ubuntu-browsers: support Debian's Firefox non-ESR path.
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
2017-08-08 07:53:22 -05:00
intrigeri
cc5a23d4c1
ubuntu-browsers, ubuntu-helpers: support Debian's Chromium paths.
2017-08-07 17:03:05 -04:00
intrigeri
ff66ca9039
abstractions/ubuntu-browsers: support Debian's Firefox non-ESR path.
The updated rule covers the old-style /usr/lib/firefox/firefox.sh
wrapper and the current /usr/lib/firefox{,-esr}/firefox{,-esr} paths.
It is a tiny bit wide but let's lean on the side of compatibility with
whatever similar paths are used in the future. It doesn't grant access
to anything we don't want on a current Debian sid system.
2017-08-07 15:31:19 -04:00
Steve Beattie
0e6a9c54f2
abstractions/gnome: allow reading GLib schemas.
Merge from intrigeri based on original work by Cameron Norman.
Acked-by: Steve Beattie <steve@nxnw.org>
2017-08-07 10:37:50 -07:00
intrigeri
2d6fa07fd5
wayland abstraction: allow wayland-cursor-shared-* (Closes: Debian#870807).
2017-08-05 09:47:27 -04:00
Jamie Strandboge
9f7eab039a
Adjust python abstraction for python3.6
Signed-Off-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2017-07-26 15:05:25 -05:00
Cameron Norman
52d41feeaf
Merged two rule groups
2017-07-03 12:50:38 -07:00
Vincas Dargis
5b5da2b010
fix traceroute denies in tcp mode
2017-07-03 19:44:14 +03:00
intrigeri
89c0051304
abstractions/gnome: allow reading GLib schemas.
Based on Cameron Norman's initial work
(http://bazaar.launchpad.net/~cameronnemo/apparmor/gnome-abstraction/revision/3111) with the following changes:
* don't include GTK+ 3.0 configuration: already done earlier
* generalize to future GLib versions
* support /usr/local
* allow reading the parent directory as well, following the lead
of usr.lib.telepathy: this is harmless and could be needed in some cases.
2017-07-03 09:44:43 +02:00
Christian Boltz
713b0d2b80
merge Jason Hennessey 2017-02-17 * Fix LP: #1665535 - Enable camera access in browser apparmor profile for WebRTC
https://code.launchpad.net/~henn/apparmor/fix-for-1665535/+merge/317680
Approved by Jamie Strandboge and intrigeri.
Acked-by: Christian Boltz <apparmor@cboltz.de>
2017-07-02 11:47:08 +02:00
Vincas Dargis
5d516bb4a9
fix user-write abstraction for non-latin file names
2017-07-02 12:22:21 +03:00
Christian Boltz
7360781a8f
dovecot profile: add the attach_disconnected flag
Reported by pfak on IRC
[...] apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=20313 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Acked-by <timeout> for 2.9, 2.10, 2.11 and trunk.
2017-06-29 22:53:40 +02:00
Jamie Strandboge
e475e2d0b1
Author: Jamie Strandboge <jamie@canonical.com>
Description: adjust the multiarch alternation rule in the perl abstraction for
modern Debian and Ubuntu systems which store some modules under the
architecture-specific perl-base directory instead of perl or perl5.
Signed-Off-By: Jamie Strandboge <jamie@canonical.com>
2017-06-26 14:04:52 -05:00
Vincas Dargis
c6386bb654
fix user_download abstraction for non-latin file names
2017-06-24 18:12:22 +03:00
Jamie Strandboge
4b3888751a
don't var/ alternation with systemd
2017-05-03 16:04:05 -05:00
Jamie Strandboge
0699034db4
The base abstraction already allows write access to
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal
(see systemd-cat(1)).
In addition to systemd-cat, the stdout access is required for nested container
(eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
containers require 'r' in addition to 'w' to work. journald does not allow
reading log entries from this socket so the access is deemed safe.
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
2017-04-27 08:28:46 -05:00
Simon McVittie
1b15425ea3
abstractions/base: Allow sysconf(_SC_NPROCESSORS_CONF)
glibc implements this by doing a readdir() and filtering.
We already allowed sysconf(_SC_NPROCESSORS_ONLN), which is
basically a read from /sys/devices/system/cpu/online.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2017-04-12 18:35:10 +01:00
Christian Boltz
68cba4fe27
update dovecot-lda profile
dovecot-lda needs
- the attach_disconnected flags
- read access to /usr/share/dovecot/protocols.d/
- rw for /run/dovecot/auth-userdb
References: https://bugs.launchpad.net/bugs/1650827
Acked-by: Steve Beattie <steve@nxnw.org> for 2.9, 2.10 and trunk.
2017-04-07 00:12:53 +02:00
Olivier Tilloy
71566d36e3
Specify device nodes instead of being too permissive.
2017-03-06 19:59:43 +01:00
Olivier Tilloy
fe421f6952
Update nvidia abstraction for newer nvidia drivers.
2017-03-06 19:46:43 +01:00
Jason Hennessey
7c50b9f2eb
* Fix LP: #1665535 - Enable camera access in browser apparmor profile for WebRTC
2017-02-17 20:42:19 +00:00