Follow up from !1544 with the other basic variables.
Variables such as `@{rand6}` and `@{word6}` are very commonly used as they allow us to restrict access from rules such as: `/tmp/*`, `/tmp/??????`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1546
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The unshare-userns-restrict profile contained a cx transition to
transition to a profile that allows most things while denying
capabilities:
audit allow cx /** -> unpriv,
However, this transition does not stack the unshare//unpriv profile
against any other profile the target binary might have had. As a result,
the lack of stacking resulted in a non-namespace-related sandboxing
bypass in which attachments of other profiles that should have confined
the target binary do not get applied. Instead, we adopt a stack similar
to the one in bwrap-userns-restrict, with the exception that unshare
does not use no-new-privs and therefore only needs a two-layer stack
instead of a three-layer stack.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1533
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The unshare-userns-restrict profile contained a cx transition to
transition to a profile that allows most things while denying
capabilities:
audit allow cx /** -> unpriv,
However, this transition does not stack the unshare//unpriv profile
against any other profile the target binary might have had. As a result,
the lack of stacking resulted in a non-namespace-related sandboxing
bypass in which attachments of other profiles that should have confined
the target binary do not get applied. Instead, we adopt a stack similar
to the one in bwrap-userns-restrict, with the exception that unshare
does not use no-new-privs and therefore only needs a two-layer stack
instead of a three-layer stack.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
AppArmor profile for `iotop-c`, developed and tested in Ubuntu 24.04 LTS.
Signed-off-by: Allen Huang <allen.huang@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1520
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
profile for wpa_supplicant in oracular
tested: creating, connecting, disconnecting, removing wireless networks, hotspot and p2 networks
Signed-off-by: Sudhakar Verma <sudhakar.verma@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1385
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
- Remove `owner` in /proc/ rules to enable non-root users
- add "include if exists" line to pass the pipeline
- change <abstractions/nameservice> to smaller <abstractions/nameservice-strict>
Signed-off-by: Allen Huang <allen.huang@canonical.com>
- add profile for tshark
- sub profile for dumpcap
- tested with tests from upstream wireshark project,not all test cases
passed but failures unrelated to apparmor restriction
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1384
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
Some weirdnesses:
- The Perl abstraction specifies an ix execution mode for Perl, while my impression from the Python abstraction is that we shouldn't be specifying execution modes for the script interpreter in the abstractions. It's probably too late to change that though.
- Tcl apparently doesn't have an abstraction available. Given the way it's embedded into applications like ZNC, I'm assuming that Tcl doesn't have support files the way Python does.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1376
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Add AA profile for tnftp. This profile has been tested on the latest oracular tnftp version 20230507-2build3 which is also the latest upstream version. This profile limits the file downloads to common download directories and /tmp. It also cripples the "!" command denying access to network and allowing the execution of binaries located directories for which we deny write access. Any feedback is welcome.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1363
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Add AA profile for `socat`. This profile has been tested on the latest oracular socat version `1.8.0.0-4build3` and the latest upstream version `1.8.0.1`. I raised the PR and this profile has already been merged on the `roddhjav/apparmor.d` repo, [here](https://github.com/roddhjav/apparmor.d/pull/454). For now, I have added this profile in "extra", but let me know if you think otherwise, any feedback is welcome.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1319
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
This profile deliberately does not use `abstractions/audio`, instead listing only the subset of the interfaces required to enumerate audio devices and control their volume, without the parts needed to actually send or receive audio from them. This could also be a useful basis for splitting `abstractions/audio` into finer-grained subcomponents.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1517
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.
see
commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1521
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Ryan Lee <rlee287@yahoo.com>
This was tested using the test-tinyproxy.py script from qa-regression-testing as
well as by running the upstream test suite with a brief hack to ensure it
invokes tinyproxy with aa-exec -p tinyproxy first.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1477
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.
see
commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"
Signed-off-by: John Johansen <john.johansen@canonical.com>
tinyproxy does not need all of nameservice, nameservice-strict is
sufficient. Thanks to @cboltz for the suggestion.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Add comments to the profile to explain the use of the local override if the
default configuration is changed. As suggested by @rlee287.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Add rules to allow tinyproxy to bind to privileged ports and access files even
when run as unprivileged/privileged users when using non-standard
configurations. As suggested by @rlee287.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
This was tested using the test-tinyproxy.py script from qa-regression-testing as
well as by running the upstream test suite with a brief hack to ensure it
invokes tinyproxy with aa-exec -p tinyproxy first.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
