apparmor/profiles/apparmor.d/abstractions
Steve Beattie 2aabf0c0f0 Update Java abstraction for version 8 and 9
Merge branch 'update-java' into 'master'

I have discovered denies on Debian Sid by Thunderbird being unable to load the IcedTea plugin upon profile creation (can be reproduced by deleting/moving the `$HOME/.thunderbird` directory).

Additionally, the profile was tested with (modified) `usr.lib.firefox.firefox`, and it ran some random IcedTea applet successfully [0].

There are still denies for `/usr/bin/logger`, but I left this for later patches.

Please note that the path to the Java 9 binary is different from that of previous versions.

Relevant DENIED messages:

```
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1511099962.556:810): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=296bc8 a2=5 a3=802 items=0 ppid=1541 pid=5186 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key=(null)
type=PROCTITLE msg=audit(1511099962.556:810): proctitle="/usr/lib/thunderbird/thunderbird"
```

```
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1018): arch=c000003e syscall=2 success=no exit=-13 a0=7f3638000cb0 a1=0 a2=1b6 a3=7f36ae502620 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1018): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```

```
type=AVC msg=audit(1511100105.471:1019): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1019): arch=c000003e syscall=2 success=no exit=-13 a0=7f36a822bdc0 a1=0 a2=1b6 a3=10002ae08 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1019): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```

```
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100221.153:1132): arch=c000003e syscall=2 success=no exit=-13 a0=7f20e025e280 a1=241 a2=1b6 a3=10002ae08 items=0 ppid=6405 pid=6414 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100221.153:1132): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```

[0] https://centra.tecnico.ulisboa.pt/~amaro/Spline3D.html

See merge request https://gitlab.com/apparmor/apparmor/merge_requests/13/
2017-11-29 23:41:42 +00:00
| Name | Last commit | Last update |
|---|---|---|
| apparmor_api | Subject: profiles - fix apparmor_api abstractions | 2013-01-02 15:02:29 -08:00 |
| ubuntu-browsers.d | Update Java abstraction for version 8 and up | 2017-11-25 16:04:24 +02:00 |
| apache2-common | Apache2 profile updates for proper signal handling, optional saslauth, | 2017-01-20 16:58:46 -08:00 |
| aspell | profiles: allow aspell access to /usr/share/aspell/ | 2015-02-27 23:14:03 -08:00 |
| audio | Allow to read pulseaudio config subdirectories | 2017-11-18 14:20:07 +00:00 |
| authentication | Make policy compatible with merged-/usr. | 2016-12-03 10:59:01 +01:00 |
| base | don't var/ alternation with systemd | 2017-05-03 16:04:05 -05:00 |
| bash | Subject: profiles - use @{pid} tunable | 2013-01-02 15:34:38 -08:00 |
| consoles | as ACKed on IRC, drop the unused $Id$ tags everywhere | 2010-12-20 12:29:10 -08:00 |
| cups-client | profiles: rw file perms are now needed on AF_UNIX socket files | 2013-12-19 23:19:40 -08:00 |
| dbus | profiles: Add strict system bus abstraction | 2014-01-10 15:34:45 -06:00 |
| dbus-accessibility | profiles: Add strict accessibility bus abstraction | 2014-01-10 15:35:30 -06:00 |
| dbus-accessibility-strict | profiles: Add strict accessibility bus abstraction | 2014-01-10 15:35:30 -06:00 |
| dbus-session | profiles: Add strict session bus abstraction | 2014-01-10 15:35:09 -06:00 |
| dbus-session-strict | Allow dbus-user-session D-Bus path | 2016-07-26 22:49:51 -05:00 |
| dbus-strict | profiles: Add strict system bus abstraction | 2014-01-10 15:34:45 -06:00 |
| dconf | dconf abstraction: allow reading /etc/dconf/**. | 2015-07-19 15:42:54 +02:00 |
| dovecot-common | profiles: add dovecot-common abstraction | 2014-06-27 12:14:53 -07:00 |
| enchant | Fix from Felix Geyer: in the enchant abstraction, allow the creation of | 2012-01-10 11:37:54 +01:00 |
| fcitx | profiles: Create abstractions for fcitx input method framework | 2016-06-04 00:27:59 -05:00 |
| fcitx-strict | profiles: Create abstractions for fcitx input method framework | 2016-06-04 00:27:59 -05:00 |
| fonts | libthai-data is used by LibThai which is the library used to deal with | 2014-02-14 14:28:12 -06:00 |
| freedesktop.org | Merged two rule groups | 2017-07-03 12:50:38 -07:00 |
| gnome | abstractions/gnome: allow reading GLib schemas. | 2017-07-03 09:44:43 +02:00 |
| gnupg | Subject: profiles - owner usage for @{HOME} rules | 2013-01-04 22:05:53 -08:00 |
| ibus | add preliminary ibus abstraction. Will likely need more once more ibus users | 2010-12-22 16:57:35 -06:00 |
| kde | update kde abstraction for /etc/xdg/Trolltech.conf | 2014-09-03 14:48:41 -05:00 |
| kerberosclient | Update samba profiles for samba 4.x | 2013-11-20 01:17:52 +01:00 |
| launchpad-integration | fix up comments in launchpad-integration | 2012-01-11 09:27:22 +01:00 |
| ldapclient | split off abstractions/ldapclient from abstractions/nameservice | 2011-11-01 17:08:37 +01:00 |
| libpam-systemd | usr.sbin.sshd: refresh profile and add libpam-systemd abstractions | 2016-01-08 20:43:56 -05:00 |
| likewise | as ACKed on IRC, drop the unused $Id$ tags everywhere | 2010-12-20 12:29:10 -08:00 |
| mdns | update for /var/run -> /run udev transition. For compatibility, distributions | 2011-07-14 07:57:57 -05:00 |
| mir | profiles: add mir abstraction | 2015-03-05 11:46:11 -08:00 |
| mozc | profiles: Create abstraction for mozc input method editor | 2016-06-04 00:28:03 -05:00 |
| mysql | abstractions/mysql: allow access to mysqld.sock | 2014-04-28 14:07:17 -07:00 |
| nameservice | Allow reading /etc/netconfig in abstractions/nameservice | 2017-10-20 22:53:09 +02:00 |
| nis | as ACKed on IRC, drop the unused $Id$ tags everywhere | 2010-12-20 12:29:10 -08:00 |
| nvidia | Specify device nodes instead of being too permissive. | 2017-03-06 19:59:43 +01:00 |
| openssl | add FIPS support to abstractions/openssl | 2014-01-03 20:43:43 +01:00 |
| orbit2 | fixes for abstractions from Mathias Gug | 2007-08-28 23:05:56 +00:00 |
| p11-kit | profiles: rw file perms are now needed on AF_UNIX socket files | 2013-12-19 23:19:40 -08:00 |
| perl | Author: Jamie Strandboge <jamie@canonical.com> | 2017-06-26 14:04:52 -05:00 |
| php | abstractions/php: make comment version-independent | 2016-12-07 21:24:30 +01:00 |
| php5 | Add backwards compatibility php5 abstraction | 2016-12-07 02:46:59 -08:00 |
| postfix-common | update some Postfix profiles | 2017-08-22 12:43:18 +02:00 |
| private-files | deny writes to upstart user sessions jobs in abstractions/private-files | 2013-05-13 14:56:10 -05:00 |
| private-files-strict | profiles: rw file perms are now needed on AF_UNIX socket files | 2013-12-19 23:19:40 -08:00 |
| python | Adjust python abstraction for python3.6 | 2017-07-26 15:05:25 -05:00 |
| ruby | abstractions/ruby: add /usr/local/ and vendor_ruby paths | 2014-09-08 21:36:47 +02:00 |
| samba | Samba profile updates for ActiveDirectory / Kerberos | 2017-08-29 13:31:20 +02:00 |
| smbpass | as ACKed on IRC, drop the unused $Id$ tags everywhere | 2010-12-20 12:29:10 -08:00 |
| ssl_certs | Update abstractions/ssl_* for acmetool-generated certificates | 2016-03-28 21:42:39 +02:00 |
| ssl_keys | Update abstractions/ssl_* for acmetool-generated certificates | 2016-03-28 21:42:39 +02:00 |
| svn-repositories | as ACKed on IRC, drop the unused $Id$ tags everywhere | 2010-12-20 12:29:10 -08:00 |
| ubuntu-bittorrent-clients | profiles: Add deluge-{gtk,console} to ubuntu-bittorrent-clients abstraction | 2016-03-19 03:08:52 -05:00 |
| ubuntu-browsers | ubuntu-browsers, ubuntu-helpers: add support for Google Chrome unstable (LP: #1730536). | 2017-11-12 13:39:54 +00:00 |
| ubuntu-console-browsers | don't #include ubuntu-helpers in the abstractions. This can only be included | 2012-01-11 09:00:35 +01:00 |
| ubuntu-console-email | don't #include ubuntu-helpers in the abstractions. This can only be included | 2012-01-11 09:00:35 +01:00 |
| ubuntu-email | abstractions/ubuntu-email: add geary | 2015-02-22 20:23:04 -08:00 |
| ubuntu-feed-readers | don't #include ubuntu-helpers in the abstractions. This can only be included | 2012-01-11 09:00:35 +01:00 |
| ubuntu-gnome-terminal | update ubuntu abstractions to use '# vim:syntax=apparmor' | 2010-12-21 12:53:33 -06:00 |
| ubuntu-helpers | ubuntu-browsers, ubuntu-helpers: add support for Google Chrome unstable (LP: #1730536). | 2017-11-12 13:39:54 +00:00 |
| ubuntu-konsole | Subject: profiles - use @{pid} tunable | 2013-01-02 15:34:38 -08:00 |
| ubuntu-media-players | don't #include ubuntu-helpers in the abstractions. This can only be included | 2012-01-11 09:00:35 +01:00 |
| ubuntu-unity7-base | profiles/apparmor.d/abstractions/ubuntu-unity7-base: update to use dbus | 2016-03-10 16:53:24 -06:00 |
| ubuntu-unity7-launcher | add ubuntu-unity7-* abstractions for Ubuntu desktop users | 2014-02-05 23:44:04 -05:00 |
| ubuntu-unity7-messaging | add ubuntu-unity7-* abstractions for Ubuntu desktop users | 2014-02-05 23:44:04 -05:00 |
| ubuntu-xterm | update for /var/run -> /run udev transition. For compatibility, distributions | 2011-07-14 07:57:57 -05:00 |
| user-download | fix user_download abstraction for non-latin file names | 2017-06-24 18:12:22 +03:00 |
| user-mail | abstractions/user-mail: /var/mail/* should only be accessible to their owners | 2016-04-14 15:15:36 -04:00 |
| user-manpages | From: Christian Boltz <apparmor@cboltz.de> | 2011-08-05 13:12:35 -07:00 |
| user-tmp | as ACKed on IRC, drop the unused $Id$ tags everywhere | 2010-12-20 12:29:10 -08:00 |
| user-write | fix user-write abstraction for non-latin file names | 2017-07-02 12:22:21 +03:00 |
| video | fixes for abstractions from Mathias Gug | 2007-08-28 23:05:56 +00:00 |
| wayland | wayland abstraction: allow wayland-cursor-shared-* (Closes: Debian#870807). | 2017-08-05 09:47:27 -04:00 |
| web-data | Add /var/www/html to abstractions/web-data, which is the path used on Debian | 2014-02-27 14:49:54 -06:00 |
| winbind | update abstractions/winbind | 2014-02-14 23:37:13 +01:00 |
| wutmp | Merge k permission for /var/log/lastlog into abstractions/wutmp | 2011-08-16 12:26:44 +02:00 |
| X | abstractions/X: yet another location for Xauthority | 2016-12-01 16:03:37 -08:00 |
| xad | as ACKed on IRC, drop the unused $Id$ tags everywhere | 2010-12-20 12:29:10 -08:00 |
| xdg-desktop | Create an xdg-desktop abstraction based on the upstream documentation for | 2012-01-11 13:00:34 +01:00 |