
Subject: profiles - use @{pid} tunable

This patch adds the kernelvars tunable to the global set that is usually
included by default in apparmor policies. It then converts the rules
that are intended to match /proc/<pid> entries to use this tunable.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
Steve Beattie
2013-01-02 15:34:38 -08:00
parent 3810ecb08b
commit 1cc0885890
28 changed files with 67 additions and 66 deletions


@@ -11,7 +11,7 @@
/usr/share/apache2/** r,
# changehat itself
@{PROC}/[0-9]*/attr/current w,
@{PROC}/@{pid}/attr/current w,
# htaccess files - for what ever it is worth
/**/.htaccess r,


@@ -89,7 +89,7 @@
/sys/devices/system/cpu/online r,
# glibc's *printf protections read the maps file
@{PROC}/*/maps r,
@{PROC}/@{pid}/maps r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,


@@ -32,7 +32,7 @@
# bash inspects filesystems at startup
/etc/mtab r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
@{PROC}/filesystems r,
# probably readline wants to know terminal capabilities


@@ -70,7 +70,7 @@
# gvfs
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/*/mounts r,
@{PROC}/@{pid}/mounts r,
# printing
/etc/papersize r,


@@ -77,4 +77,4 @@
network inet6 dgram,
# interface details
@{PROC}/*/net/route r,
@{PROC}/@{pid}/net/route r,


@@ -28,8 +28,8 @@
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
/etc/java-*/ r,
/etc/java-*/** r,
@@ -37,8 +37,8 @@
/etc/ssl/certs/java/* r,
/etc/timezone r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/filesystems r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
@@ -70,8 +70,8 @@
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
@{PROC}/loadavg r,
/etc/debian_version r,
@@ -81,8 +81,8 @@
/etc/ssl/certs/java/* r,
/etc/timezone r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/filesystems r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,


@@ -3,7 +3,7 @@
#
# Plugins/helpers
#
@{PROC}/[0-9]*/fd/ r,
@{PROC}/@{pid}/fd/ r,
/usr/lib/** rm,
/bin/bash ixr,
/bin/dash ixr,


@@ -6,9 +6,9 @@
#include <abstractions/consoles>
#include <abstractions/kde>
capability sys_ptrace,
@{PROC}/[0-9]*/status r,
@{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/cmdline r,
/{,var/}run/utmp r,
/dev/ptmx rw,


@@ -16,3 +16,4 @@
#include <tunables/multiarch>
#include <tunables/proc>
#include <tunables/alias>
#include <tunables/kernelvars>
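Review bot: The new `#include <tunables/kernelvars>` is what makes `@{pid}` resolvable, yet the abstractions converted elsewhere in this commit (base, nameservice-style blocks) carry no tunables include of their own and rely on the profile having pulled in tunables/global; a site that keeps a locally edited tunables/global — it is commonly shipped as a conffile, so I assume a package upgrade may leave the local copy in place — will have every profile that includes those abstractions fail to load with an undeclared-variable parse error. That upgrade hazard is not mentioned in the commit message and deserves a sentence there or in the release notes. A trailing comment on the new line would also make the dependency visible to anyone editing the file, e.g. `#include <tunables/kernelvars>   # abstractions now reference @{pid}/@{pids}; do not drop`.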


@@ -11,7 +11,7 @@
capability chown,
capability dac_override,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
/usr/lib/dovecot/dovecot-auth mr,
/{,var/}run/dovecot/** rw,
# required for postfix+dovecot integration


@@ -17,7 +17,7 @@
/etc/avahi/hosts r,
/etc/avahi/services/ r,
/etc/avahi/services/*.service r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/@{pid}/fd/ r,
/usr/sbin/avahi-daemon mr,
/usr/share/avahi/introspection/*.introspect r,
/usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,


@@ -19,7 +19,7 @@
/etc/mtab r,
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,


@@ -36,10 +36,10 @@
/var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
/{,var/}run/{nscd/,}nscd.pid rwl,
/var/log/nscd.log rw,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/fd/* r,
@{PROC}/[0-9]*/maps r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/fd/* r,
@{PROC}/@{pid}/maps r,
@{PROC}/@{pid}/mounts r,
@{PROC}/filesystems r,
# Site-specific additions and overrides. See local/README for details.


@@ -58,11 +58,11 @@
/{,var/}run/nscd/services r,
/{,var/}run/ntpd.pid w,
/var/tmp/ntp* rwl,
@{PROC}/*/net/if_inet6 r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/sys/kernel/ngroups_max r,
# allow access for when chrooted
/var/lib/ntp/@{PROC}/*/net/if_inet6 r,
/var/lib/ntp/@{PROC}/@{pid}/net/if_inet6 r,
/var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
@{NTPD_DEVICE} rw,


@@ -24,7 +24,7 @@
/etc/netgroup r,
/etc/printcap r,
/etc/samba/* rwk,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
/usr/lib*/samba/vfs/*.so mr,
/usr/lib*/samba/charset/*.so mr,


@@ -26,16 +26,16 @@
/bin/netstat rmix,
/etc/networks r,
@{PROC} r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/fd r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/fd r,
@{PROC}/net r,
@{PROC}/net/* r,
@{PROC}/*/fd/ r,
owner @{PROC}/*/net/raw r,
owner @{PROC}/*/net/raw6 r,
owner @{PROC}/*/net/tcp r,
owner @{PROC}/*/net/tcp6 r,
owner @{PROC}/*/net/udp r,
owner @{PROC}/*/net/udp6 r,
owner @{PROC}/*/net/unix r,
@{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pid}/net/raw r,
owner @{PROC}/@{pid}/net/raw6 r,
owner @{PROC}/@{pid}/net/tcp r,
owner @{PROC}/@{pid}/net/tcp6 r,
owner @{PROC}/@{pid}/net/udp r,
owner @{PROC}/@{pid}/net/udp6 r,
owner @{PROC}/@{pid}/net/unix r,
}
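Review bot: This hunk uses `@{pids}` for the unowned cmdline, fd and fd/ rules but `@{pid}` for the `owner` net/* rules, and nothing in the profile records which form is intended where; the two tunables presumably expand to the same glob today, so the distinction is purely documentary and the next editor could easily "normalise" one into the other and lose it. A short comment above the block would pin the convention, e.g. `# @{pids}: any process (netstat -p walks every /proc/<pid>/fd and cmdline); @{pid} + owner: this process's own net tables`. It is also worth stating that the unowned `@{PROC}/@{pids}/fd r` and `@{PROC}/@{pids}/fd/ r` deliberately grant listing of every process's descriptor table, since that is the widest access in the profile and a reader will otherwise wonder whether `owner` was forgotten.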


@@ -40,7 +40,7 @@
/etc/logrotate.d/* r,
/etc/subdomain.d r,
@{PROC} r,
@{PROC}/[1-9]* r,
@{PROC}/@{pid} r,
/tmp w,
/tmp/file* wl,
/tmp/logrot* wlr,
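Review bot: The removed rule was `@{PROC}/[1-9]* r` while the replacement is `@{PROC}/@{pid} r`; if kernelvars defines `@{pid}` as a plain `[0-9]*` glob, as I believe it did at this point, the hunk quietly widens the match to names with a leading `0`, which is a behavioural change hidden in what the message presents as a pure tunable conversion. It is harmless in practice, but either the commit message should say so or the line should carry a note such as `@{PROC}/@{pid} r,   # was [1-9]*; @{pid} is the broader tunable glob`. Separately, this rule (like `@{PROC} r` just above it) has no trailing `/`, so whether it actually grants listing of the per-process directory depends on how the parser treats the slash-less form; `@{PROC}/@{pid}/ r` may be what is intended and is worth checking rather than carrying the old form forward.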


@@ -38,7 +38,7 @@
/etc/dhclient.conf r,
@{PROC}/ r,
@{PROC}/interrupts r,
@{PROC}/*/net/dev r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
@{PROC}/self/status r,


@@ -126,7 +126,7 @@
/usr/share/** r,
/opt/kde3/share/** r,
/opt/mozilla/bin/mozilla.sh Pxr,
@{PROC}/*/cmdline r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/net r,
@{PROC}/net/* r,
/tmp r,


@@ -50,7 +50,7 @@
/usr/share/sounds/gaim/* r,
/usr/share/themes/** r,
/opt/kde3/bin/kde-config mixr,
@{PROC}/*/cmdline r,
@{PROC}/@{pid}/cmdline r,
/usr/X11R6/lib/Acrobat*/Resource/Font/* r,
/usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r,
/usr/lib/ao/plugins-* r,


@@ -32,7 +32,7 @@
/etc/cups/lpoptions r,
/etc/opera6rc rw,
/etc/opera6rc.fixed rw,
@{PROC}/[0-9]*/stat r,
@{PROC}/@{pid}/stat r,
@{PROC}/net/if_inet6 r,
@{PROC}/sys/vm/heap-stack-gap r,


@@ -19,12 +19,12 @@
#include <abstractions/X>
@{PROC}/sys/kernel/{ostype,osrelease} r,
@{PROC}/[0-9]*/net/arp r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/cmdline r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
@{PROC}/@{pid}/net/arp r,
owner @{PROC}/@{pid}/auxv r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/[0-9]*/stat r,
/sys/devices/**/power_supply/**/online r,
/sys/devices/system/cpu/ r,
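Review bot: The last converted line still uses a raw glob for the thread id, `owner @{PROC}/@{pid}/task/[0-9]*/stat r`, while the pid component on the same line was switched to the tunable; if kernelvars ships a thread-id tunable this should read `owner @{PROC}/@{pid}/task/@{tid}/stat r`, and if it does not, a comment noting that the thread id is intentionally left as a glob would keep the next conversion pass from treating it as an oversight. The first rule of the block, `@{PROC}/@{pid}/net/arp r`, is also the only one without `owner`; since the application presumably reads its own `/proc/net/arp`, which resolves through `/proc/self/net`, it may be possible to narrow it too, though ownership of the `/proc/<pid>/net/*` entries may not follow the process uid, so this needs a test rather than a blind change. The enclosing profile continues outside the hunk.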


@@ -28,8 +28,8 @@
# for networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
# should maybe be in abstractions
/usr/share/xubuntu/applications/defaults.list r,
@@ -68,17 +68,17 @@
/sbin/killall5 ixr,
/bin/which ixr,
/usr/bin/tr ixr,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/mountinfo r,
@{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/status r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/status r,
/etc/mtab r,
/etc/fstab r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/auxv r,
/etc/lsb-release r,
/usr/bin/expr ix,


@@ -31,7 +31,7 @@
@{HOME}/** rwl,
@{HOMEDIRS} rwl,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
/tmp rw,
/var/tmp rw,
/var/tmp/** lrw,


@@ -29,7 +29,7 @@
/dev/tty rw,
/etc/mtab r,
/etc/squid/* r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
@{PROC}/mounts r,
/usr/share/squid/** r,
/var/log/squid/access.log w,


@@ -40,15 +40,15 @@
/etc/hosts.deny r,
/etc/modules.conf r,
/etc/ssh/* r,
@{PROC}/[0-9]*/oom_adj rw,
@{PROC}/[0-9]*/oom_score_adj rw,
@{PROC}/@{pid}/oom_adj rw,
@{PROC}/@{pid}/oom_score_adj rw,
/usr/sbin/sshd mrix,
/var/log/btmp r,
/{,var/}run w,
/{,var/}run/sshd{,.init}.pid wl,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/loginuid w,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
@@ -74,7 +74,7 @@
/dev/pts/[0-9]* rw,
/etc/ssh/moduli r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
# duplicated from AUTHENTICATED
/etc/motd r,
@@ -143,7 +143,7 @@
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/ssh/moduli r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
# for debugging
# /dev/pts/[0-9]* rw,
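Review bot: The write rules in the first hunk of this file, `@{PROC}/@{pid}/oom_adj rw`, `@{PROC}/@{pid}/oom_score_adj rw` and `@{PROC}/@{pid}/loginuid w`, let sshd set the OOM score and the audit login uid of any process on the system rather than only its own; if sshd and the PAM session code it runs only ever write these for themselves, prefixing the three lines with `owner` would cut the cross-uid write access at no functional cost. The loginuid write is the audit-trail identity of a session, so it is the one most worth narrowing, and a test with `owner @{PROC}/@{pid}/loginuid w,` under a normal login should show whether the restriction holds. The profile and its hats begin and continue outside the hunks shown here.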


@@ -38,7 +38,7 @@
/etc/skel r,
/etc/skel/** r,
@{HOMEDIRS}** rw,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
@{PROC}/filesystems r,
/usr/lib*/pwdutils/*so* mr,
/usr/sbin/adduser rmix,


@@ -38,7 +38,7 @@
/etc/shadow* rwl,
/etc/pwdutils/logging r,
@{HOMEDIRS}** rwl,
@{PROC}/[0-9]*/mounts r,
@{PROC}/@{pid}/mounts r,
/usr/bin/crontab rmix,
/usr/lib*/pwdutils/*.so.* mr,
/usr/sbin/userdel rmix,