
Bash will try to read the passwd database to find the shell of a user if $SHELL is not set. This causes zgrep to trigger ``` apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` if called in a sanitized environment. As the functionality of zgrep is not impacted by a limited Bash environment, add deny rules to avoid the potentially misleading AVC messages. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1361 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
# ------------------------------------------------------------------
#
# Copyright (C) 2022 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
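abi <abi/4.0>,

include <tunables/global>

# Confinement for the zgrep and xzgrep shell scripts (the {x,} alternation
# attaches the profile to both). The compression tools and grep that the
# script launches are moved into the child profiles declared at the bottom.
profile zgrep /usr/bin/{x,}zgrep {
  include <abstractions/base>
  include <abstractions/bash>

  /dev/tty rw,

  # Helpers that stay in this profile (ix) versus those that are given
  # their own, narrower child profile (Cx -> helper / sed).
  /usr/bin/{ba,da,}sh ix,
  /usr/bin/bzip2 Cx -> helper,
  /usr/bin/cat ix,
  /usr/bin/egrep Cx -> helper,
  /usr/bin/expr ix,
  /usr/bin/fgrep Cx -> helper,
  /usr/bin/grep Cx -> helper,
  /usr/bin/gzip Cx -> helper,
  /usr/bin/mktemp ix,
  /usr/bin/rm ix,
  /usr/bin/sed Cx -> sed,
  /usr/bin/xz Cx -> helper,
  /usr/bin/zgrep Cx -> helper,
  /usr/bin/zstd Cx -> helper,

  # The scripts themselves, read by the shell interpreter.
  /usr/bin/xzgrep r,
  /usr/bin/zgrep r,

  # Scratch files created by the script (mktemp above).
  owner /tmp/zgrep* rw,

  # When $SHELL is unset, bash resolves the user's shell through NSS, which
  # reads nsswitch.conf and passwd. zgrep does not need that lookup, so the
  # reads are explicitly denied. deny takes precedence over allow, and deny
  # rules are not logged unless the audit qualifier is used, which is what
  # keeps the misleading DENIED messages out of the log.
  # The former "/etc/passwd r," allow rule was dead code (same path as the
  # deny below) and has been dropped. The nsswitch.conf allow rule is kept
  # because it uses @{etc_ro} while the deny names the literal /etc/ path;
  # NOTE(review): if @{etc_ro} expands to more than /etc/ on this platform,
  # reads of the other location remain allowed — confirm whether the deny
  # should use @{etc_ro} as well and the allow rule be removed.
  @{etc_ro}/nsswitch.conf r,
  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,

  include if exists <local/zgrep>

  # Child profile for the decompressors and grep. They are handed arbitrary
  # user-supplied paths, hence the blanket read rule; the dac capabilities
  # let a privileged invocation read files that DAC would otherwise refuse.
  profile helper {
    include <abstractions/base>

    capability dac_override,
    capability dac_read_search,

    /dev/tty w,

    /usr/bin/{ba,da,}sh ix,
    /usr/bin/bzip2 mr,
    /usr/bin/grep mrix,
    /usr/bin/gzip mr,
    /usr/bin/xz mr,
    /usr/bin/zstd mr,
    /{,**} r,

  }

  # Child profile for sed: it only post-processes grep output, so it gets
  # no filesystem read rule beyond its own binary.
  profile sed {
    include <abstractions/base>

    /dev/tty rw,
    /usr/bin/{ba,da,}sh ix,
    /usr/bin/sed mr,

  }
}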