Subject: profiles - use @{pid} tunable

This patch adds the kernelvars tunable to the global set that is usually
included by default in apparmor policies. It then converts the rules
that are intended to match /proc/pid to use this tunable.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>

profiles/apparmor.d/abstractions/apache2-common

@@ -11,7 +11,7 @@
   /usr/share/apache2/** r,
 
   # changehat itself
-  @{PROC}/[0-9]*/attr/current                        w,
+  @{PROC}/@{pid}/attr/current                        w,
 
   # htaccess files - for what ever it is worth
   /**/.htaccess            r,

profiles/apparmor.d/abstractions/base

@@ -89,7 +89,7 @@
   /sys/devices/system/cpu/online r,
 
   # glibc's *printf protections read the maps file
-  @{PROC}/*/maps                 r,
+  @{PROC}/@{pid}/maps            r,
 
   # libgcrypt reads some flags from /proc
   @{PROC}/sys/crypto/*           r,

profiles/apparmor.d/abstractions/bash

@@ -32,7 +32,7 @@
 
   # bash inspects filesystems at startup
   /etc/mtab                        r,
-  @{PROC}/[0-9]*/mounts            r,
+  @{PROC}/@{pid}/mounts            r,
   @{PROC}/filesystems              r,
 
   # probably readline wants to know terminal capabilities

profiles/apparmor.d/abstractions/gnome

@@ -70,7 +70,7 @@
   # gvfs
   /usr/share/gvfs/remote-volume-monitors/  r,
   /usr/share/gvfs/remote-volume-monitors/* r,
-  @{PROC}/*/mounts                 r,
+  @{PROC}/@{pid}/mounts                    r,
 
   # printing
   /etc/papersize                   r,

profiles/apparmor.d/abstractions/nameservice

@@ -77,4 +77,4 @@
   network inet6 dgram,
 
   # interface details
-  @{PROC}/*/net/route r,
+  @{PROC}/@{pid}/net/route r,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/java

@@ -28,8 +28,8 @@
 
     network inet stream,
     network inet6 stream,
-    @{PROC}/[0-9]*/net/if_inet6 r,
-    @{PROC}/[0-9]*/net/ipv6_route r,
+    @{PROC}/@{pid}/net/if_inet6 r,
+    @{PROC}/@{pid}/net/ipv6_route r,
 
     /etc/java-*/ r,
     /etc/java-*/** r,
@@ -37,8 +37,8 @@
     /etc/ssl/certs/java/* r,
     /etc/timezone r,
 
-    @{PROC}/[0-9]*/ r,
-    @{PROC}/[0-9]*/fd/ r,
+    @{PROC}/@{pid}/ r,
+    @{PROC}/@{pid}/fd/ r,
     @{PROC}/filesystems r,
     /sys/devices/system/cpu/ r,
     /sys/devices/system/cpu/** r,
@@ -70,8 +70,8 @@
 
     network inet stream,
     network inet6 stream,
-    @{PROC}/[0-9]*/net/if_inet6 r,
-    @{PROC}/[0-9]*/net/ipv6_route r,
+    @{PROC}/@{pid}/net/if_inet6 r,
+    @{PROC}/@{pid}/net/ipv6_route r,
     @{PROC}/loadavg r,
 
     /etc/debian_version r,
@@ -81,8 +81,8 @@
     /etc/ssl/certs/java/* r,
     /etc/timezone r,
 
-    @{PROC}/[0-9]*/ r,
-    @{PROC}/[0-9]*/fd/ r,
+    @{PROC}/@{pid}/ r,
+    @{PROC}/@{pid}/fd/ r,
     @{PROC}/filesystems r,
     /sys/devices/system/cpu/ r,
     /sys/devices/system/cpu/** r,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common

@@ -3,7 +3,7 @@
   #
   # Plugins/helpers
   #
-  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/@{pid}/fd/ r,
   /usr/lib/** rm,
   /bin/bash ixr,
   /bin/dash ixr,

profiles/apparmor.d/abstractions/ubuntu-konsole

@@ -6,9 +6,9 @@
   #include <abstractions/consoles>
   #include <abstractions/kde>
   capability sys_ptrace,
-  @{PROC}/[0-9]*/status r,
-  @{PROC}/[0-9]*/stat r,
-  @{PROC}/[0-9]*/cmdline r,
+  @{PROC}/@{pid}/status r,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/@{pid}/cmdline r,
   /{,var/}run/utmp r,
   /dev/ptmx rw,
 

profiles/apparmor.d/tunables/global

@@ -16,3 +16,4 @@
 #include <tunables/multiarch>
 #include <tunables/proc>
 #include <tunables/alias>
+#include <tunables/kernelvars>

profiles/apparmor.d/usr.lib.dovecot.dovecot-auth

@@ -11,7 +11,7 @@
   capability chown,
   capability dac_override,
 
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
   /usr/lib/dovecot/dovecot-auth mr,
   /{,var/}run/dovecot/** rw,
   # required for postfix+dovecot integration

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -17,7 +17,7 @@
   /etc/avahi/hosts r,
   /etc/avahi/services/ r,
   /etc/avahi/services/*.service r,
-  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/@{pid}/fd/ r,
   /usr/sbin/avahi-daemon mr,
   /usr/share/avahi/introspection/*.introspect r,
   /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,

profiles/apparmor.d/usr.sbin.dovecot

@@ -19,7 +19,7 @@
   /etc/mtab r,
   /etc/lsb-release r,
   /etc/SuSE-release r,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,

profiles/apparmor.d/usr.sbin.nscd

@@ -36,10 +36,10 @@
   /var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
   /{,var/}run/{nscd/,}nscd.pid rwl,
   /var/log/nscd.log rw,
-  @{PROC}/[0-9]*/fd/ r,
-  @{PROC}/[0-9]*/fd/* r,
-  @{PROC}/[0-9]*/maps r,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/fd/* r,
+  @{PROC}/@{pid}/maps r,
+  @{PROC}/@{pid}/mounts r,
   @{PROC}/filesystems r,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.sbin.ntpd

@@ -58,11 +58,11 @@
   /{,var/}run/nscd/services r,
   /{,var/}run/ntpd.pid w,
   /var/tmp/ntp* rwl,
-  @{PROC}/*/net/if_inet6 r,
+  @{PROC}/@{pid}/net/if_inet6 r,
   @{PROC}/sys/kernel/ngroups_max r,
 
   # allow access for when chrooted
-  /var/lib/ntp/@{PROC}/*/net/if_inet6 r,
+  /var/lib/ntp/@{PROC}/@{pid}/net/if_inet6 r,
   /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
 
   @{NTPD_DEVICE} rw,

profiles/apparmor.d/usr.sbin.smbd

@@ -24,7 +24,7 @@
   /etc/netgroup r,
   /etc/printcap r,
   /etc/samba/* rwk,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/charset/*.so mr,

profiles/apparmor/profiles/extras/bin.netstat

@@ -26,16 +26,16 @@
   /bin/netstat rmix,
   /etc/networks r,
   @{PROC} r,
-  @{PROC}/[0-9]*/cmdline r,
-  @{PROC}/[0-9]*/fd r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/fd r,
   @{PROC}/net r,
   @{PROC}/net/* r,
-  @{PROC}/*/fd/ r,
-  owner @{PROC}/*/net/raw r,
-  owner @{PROC}/*/net/raw6 r,
-  owner @{PROC}/*/net/tcp r,
-  owner @{PROC}/*/net/tcp6 r,
-  owner @{PROC}/*/net/udp r,
-  owner @{PROC}/*/net/udp6 r,
-  owner @{PROC}/*/net/unix r,
+  @{PROC}/@{pids}/fd/ r,
+  owner @{PROC}/@{pid}/net/raw r,
+  owner @{PROC}/@{pid}/net/raw6 r,
+  owner @{PROC}/@{pid}/net/tcp r,
+  owner @{PROC}/@{pid}/net/tcp6 r,
+  owner @{PROC}/@{pid}/net/udp r,
+  owner @{PROC}/@{pid}/net/udp6 r,
+  owner @{PROC}/@{pid}/net/unix r,
 }

profiles/apparmor/profiles/extras/etc.cron.daily.logrotate

@@ -40,7 +40,7 @@
   /etc/logrotate.d/* r,
   /etc/subdomain.d r,
   @{PROC} r,
-  @{PROC}/[1-9]* r,
+  @{PROC}/@{pid} r,
   /tmp w,
   /tmp/file* wl,
   /tmp/logrot* wlr,

profiles/apparmor/profiles/extras/sbin.dhclient

@@ -38,7 +38,7 @@
   /etc/dhclient.conf          r,
   @{PROC}/                    r,
   @{PROC}/interrupts          r,
-  @{PROC}/*/net/dev           r,
+  @{PROC}/@{pid}/net/dev      r,
   @{PROC}/rtc                 r,
   # following rule shouldn't work, self is a symlink
   @{PROC}/self/status         r,

profiles/apparmor/profiles/extras/usr.bin.evolution-2.10

@@ -126,7 +126,7 @@
   /usr/share/** r,
   /opt/kde3/share/** r,
   /opt/mozilla/bin/mozilla.sh Pxr,
-  @{PROC}/*/cmdline r,
+  @{PROC}/@{pid}/cmdline r,
   @{PROC}/net r,
   @{PROC}/net/* r,
   /tmp r,

profiles/apparmor/profiles/extras/usr.bin.gaim

@@ -50,7 +50,7 @@
   /usr/share/sounds/gaim/* r,
   /usr/share/themes/** r,
   /opt/kde3/bin/kde-config mixr,
-  @{PROC}/*/cmdline r,
+  @{PROC}/@{pid}/cmdline r,
   /usr/X11R6/lib/Acrobat*/Resource/Font/* r,
   /usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r,
   /usr/lib/ao/plugins-* r,

profiles/apparmor/profiles/extras/usr.bin.opera

@@ -32,7 +32,7 @@
   /etc/cups/lpoptions r,
   /etc/opera6rc        rw,
   /etc/opera6rc.fixed rw,
-  @{PROC}/[0-9]*/stat r,
+  @{PROC}/@{pid}/stat r,
   @{PROC}/net/if_inet6 r,
   @{PROC}/sys/vm/heap-stack-gap r,
 

profiles/apparmor/profiles/extras/usr.bin.skype

@@ -19,12 +19,12 @@
   #include <abstractions/X>
 
   @{PROC}/sys/kernel/{ostype,osrelease} r,
-  @{PROC}/[0-9]*/net/arp r,
-  owner @{PROC}/[0-9]*/auxv r,
-  owner @{PROC}/[0-9]*/cmdline r,
-  owner @{PROC}/[0-9]*/fd/ r,
-  owner @{PROC}/[0-9]*/task/ r,
-  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
+  @{PROC}/@{pid}/net/arp r,
+  owner @{PROC}/@{pid}/auxv r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/[0-9]*/stat r,
 
   /sys/devices/**/power_supply/**/online r,
   /sys/devices/system/cpu/ r,

profiles/apparmor/profiles/extras/usr.lib.firefox.firefox

@@ -28,8 +28,8 @@
   # for networking
   network inet stream,
   network inet6 stream,
-  @{PROC}/[0-9]*/net/if_inet6 r,
-  @{PROC}/[0-9]*/net/ipv6_route r,
+  @{PROC}/@{pid}/net/if_inet6 r,
+  @{PROC}/@{pid}/net/ipv6_route r,
 
   # should maybe be in abstractions
   /usr/share/xubuntu/applications/defaults.list r,
@@ -68,17 +68,17 @@
   /sbin/killall5 ixr,
   /bin/which ixr,
   /usr/bin/tr ixr,
-  @{PROC}/[0-9]*/cmdline r,
-  @{PROC}/[0-9]*/mountinfo r,
-  @{PROC}/[0-9]*/stat r,
-  @{PROC}/[0-9]*/status r,
+  @{PROC}/@{pid}/cmdline r,
+  @{PROC}/@{pid}/mountinfo r,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/@{pid}/status r,
 
   /etc/mtab r,
   /etc/fstab r,
 
   # Needed for the crash reporter
-  owner @{PROC}/[0-9]*/environ r,
-  owner @{PROC}/[0-9]*/auxv r,
+  owner @{PROC}/@{pid}/environ r,
+  owner @{PROC}/@{pid}/auxv r,
   /etc/lsb-release r,
   /usr/bin/expr ix,
 

profiles/apparmor/profiles/extras/usr.sbin.smbd

@@ -31,7 +31,7 @@
   @{HOME}/**  rwl,
   @{HOMEDIRS} rwl,
 
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
   /tmp rw,
   /var/tmp rw,
   /var/tmp/** lrw,

profiles/apparmor/profiles/extras/usr.sbin.squid

@@ -29,7 +29,7 @@
   /dev/tty rw,
   /etc/mtab r,
   /etc/squid/* r,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
   @{PROC}/mounts r,
   /usr/share/squid/** r,
   /var/log/squid/access.log w,

profiles/apparmor/profiles/extras/usr.sbin.sshd

@@ -40,15 +40,15 @@
   /etc/hosts.deny r,
   /etc/modules.conf r,
   /etc/ssh/* r,
-  @{PROC}/[0-9]*/oom_adj rw,
-  @{PROC}/[0-9]*/oom_score_adj rw,
+  @{PROC}/@{pid}/oom_adj rw,
+  @{PROC}/@{pid}/oom_score_adj rw,
   /usr/sbin/sshd mrix,
   /var/log/btmp r,
   /{,var/}run w,
   /{,var/}run/sshd{,.init}.pid wl,
 
-  @{PROC}/[0-9]*/fd/ r,
-  @{PROC}/[0-9]*/loginuid w,
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/loginuid w,
 
 # should only be here for use in non-change-hat openssh
 # duplicated from EXEC hat
@@ -74,7 +74,7 @@
 
   /dev/pts/[0-9]* rw,
   /etc/ssh/moduli r,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
 
 # duplicated from AUTHENTICATED
   /etc/motd r,
@@ -143,7 +143,7 @@
     /etc/hosts.allow r,
     /etc/hosts.deny r,
     /etc/ssh/moduli r,
-    @{PROC}/[0-9]*/mounts r,
+    @{PROC}/@{pid}/mounts r,
 
 # for debugging
 #  /dev/pts/[0-9]*                                              rw,

profiles/apparmor/profiles/extras/usr.sbin.useradd

@@ -38,7 +38,7 @@
   /etc/skel r,
   /etc/skel/** r,
   @{HOMEDIRS}**  rw,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
   @{PROC}/filesystems r,
   /usr/lib*/pwdutils/*so* mr,
   /usr/sbin/adduser rmix,

profiles/apparmor/profiles/extras/usr.sbin.userdel

@@ -38,7 +38,7 @@
   /etc/shadow* rwl,
   /etc/pwdutils/logging r,
   @{HOMEDIRS}**  rwl,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
   /usr/bin/crontab rmix,
   /usr/lib*/pwdutils/*.so.* mr,
   /usr/sbin/userdel rmix,