mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-06 09:21:00 +01:00
d4e0a94511
Currently the wutmp abstraction has the following rules:
/var/log/lastlog rwk,
/var/log/wtmp wk,
@{run}/utmp rwk,
According to what I see in my apparmor profiles, just a few apps want
to interact with the files listed above, especially with the
/var/log/wtmp . But when the apps do this, they sometimes want the
read access to this file. An example could be the last command. Is
there any reason for not having the r in the rule? The second thing
is the file /var/log/btmp (which isn't included in the
abstracion). Whenever I see an app, which wants to access the
/var/log/wtmp file, it also tries to interact with the /var/log/btmp
file, for instance lightdm/sddm or su . Most of the time they need
just wk permissions, but sometimes apps need also r on this file, an
example could be the lastb command, which is just a link to last.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/152
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/724
Signed-off-by: John Johansen <john.johansen@canonical.com>
22 lines
711 B
Text
22 lines
711 B
Text
# ------------------------------------------------------------------
|
|
#
|
|
# Copyright (C) 2002-2009 Novell/SUSE
|
|
# Copyright (C) 2009 Canonical Ltd.
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
# License published by the Free Software Foundation.
|
|
#
|
|
# ------------------------------------------------------------------
|
|
|
|
abi <abi/3.0>,
|
|
|
|
# some services update wtmp, utmp, and lastlog with per-user
|
|
# connection information
|
|
/var/log/lastlog rwk,
|
|
/var/log/wtmp rwk,
|
|
/var/log/btmp rwk,
|
|
@{run}/utmp rwk,
|
|
|
|
# Include additions to the abstraction
|
|
include if exists <abstractions/wutmp.d>
|