apparmor/profiles/apparmor.d
Rich McAllister eeac8c11c9 abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
In focal users of mdns get denials in apparmor confined applications.
An example can be found in the original bug below.

It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow

Therefore I'm asking to add
   /etc/mdns.allow r,
to the file
   /etc/apparmor.d/abstractions/mdns
by default.

--- original bug ---

Many repetitions of

audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains

hosts: files mdns [NOTFOUND=return] myhostname dns

and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)

Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-03-31 21:03:52 -07:00
..
abstractions abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns 2020-03-31 21:03:52 -07:00
apache2.d Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
local exported smbd files need to have 'k' to work properly with certain applications 2010-09-14 14:12:49 -05:00
tunables Add trailing slash to the run variable definition 2020-02-20 10:43:21 +02:00
bin.ping profiles: support void-specific binary names for openntpd, traceroute, and ping 2018-09-11 09:54:33 -07:00
lsb_release lsb_release: added permissions needed by openSUSE implementation. 2018-08-01 19:13:26 -04:00
nvidia_modprobe Use @{sys} tunable in profiles and abstractions 2018-11-08 20:04:46 +02:00
sbin.klogd Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
sbin.syslog-ng Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
sbin.syslogd Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.apache2.mpm-prefork.apache2 profiles: Allow CAP_CHOWN in usr.lib.apache2.mpm-prefork.apache2 2016-03-19 03:10:00 -05:00
usr.lib.dovecot.anvil Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.dovecot.auth Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.dovecot.config dovecot/config: allow dac_read_search and reading ssl-parameters.dat 2018-04-14 22:53:40 +02:00
usr.lib.dovecot.deliver profiles: add dovecot-common abstraction 2014-06-27 12:14:53 -07:00
usr.lib.dovecot.dict Update /usr/lib/dovecot/* profiles 2017-12-18 17:00:35 +01:00
usr.lib.dovecot.dovecot-auth Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.dovecot.dovecot-lda Use "PROC" variable in profiles 2020-02-13 11:07:42 +02:00
usr.lib.dovecot.imap Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.dovecot.imap-login Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.dovecot.lmtp Use "PROC" variable in profiles 2020-02-13 11:07:42 +02:00
usr.lib.dovecot.log Update dovecot profiles 2016-12-27 17:46:07 +01:00
usr.lib.dovecot.managesieve dovecot profile update 2014-07-07 23:35:18 +02:00
usr.lib.dovecot.managesieve-login Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.dovecot.pop3 profiles: add dovecot-common abstraction 2014-06-27 12:14:53 -07:00
usr.lib.dovecot.pop3-login Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.dovecot.ssl-params Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.lib.dovecot.stats add dovecot/stats profile, and allow dovecot to run it 2018-04-13 13:55:05 +00:00
usr.sbin.apache2 Add profile names to all profiles with {bin,sbin} attachment 2018-10-15 20:57:33 +02:00
usr.sbin.avahi-daemon Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.sbin.dnsmasq policy: invalid path to libvirt_leaseshelper in usr.sbin.dnsmasq 2020-03-28 14:00:58 -07:00
usr.sbin.dovecot Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.sbin.identd Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.sbin.mdnsd Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.sbin.nmbd Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.sbin.nscd Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.sbin.ntpd Use "run" variable in profiles 2020-02-13 11:02:49 +02:00
usr.sbin.smbd Merge usr.sbin.smbd: add usershare directory 2020-02-20 08:18:37 +00:00
usr.sbin.smbldap-useradd Add profile names to all profiles with {bin,sbin} attachment 2018-10-15 20:57:33 +02:00
usr.sbin.traceroute profiles: support void-specific binary names for openntpd, traceroute, and ping 2018-09-11 09:54:33 -07:00
usr.sbin.winbindd Update usr.sbin.winbindd profile to allow krb5 rcache files locking 2020-03-20 13:57:18 +01:00