Subject: profiles - use @{pid} tunable

This patch adds the kernelvars tunable to the global set that is usually included by default in apparmor policies. It then converts the rules that are intended to match /proc/pid to use this tunable. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Seth Arnold <seth.arnold@canonical.com>
2025-09-04 16:25:10 +00:00 · 2013-01-02 15:34:38 -08:00
parent 3810ecb08b
commit 1cc0885890
28 changed files with 67 additions and 66 deletions
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@@ -11,7 +11,7 @@
  /usr/share/apache2/** r,
  # changehat itself
-  @{PROC}/[0-9]*/attr/current                        w,
+  @{PROC}/@{pid}/attr/current                        w,
  # htaccess files - for what ever it is worth
  /**/.htaccess            r,
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@@ -89,7 +89,7 @@
  /sys/devices/system/cpu/online r,
  # glibc's *printf protections read the maps file
-  @{PROC}/*/maps                 r,
+  @{PROC}/@{pid}/maps            r,
  # libgcrypt reads some flags from /proc
  @{PROC}/sys/crypto/*           r,
--- a/profiles/apparmor.d/abstractions/bash
+++ b/profiles/apparmor.d/abstractions/bash
@@ -32,7 +32,7 @@
  # bash inspects filesystems at startup
  /etc/mtab                        r,
-  @{PROC}/[0-9]*/mounts            r,
+  @{PROC}/@{pid}/mounts            r,
  @{PROC}/filesystems              r,
  # probably readline wants to know terminal capabilities
--- a/profiles/apparmor.d/abstractions/gnome
+++ b/profiles/apparmor.d/abstractions/gnome
@@ -70,7 +70,7 @@
  # gvfs
  /usr/share/gvfs/remote-volume-monitors/  r,
  /usr/share/gvfs/remote-volume-monitors/* r,
-  @{PROC}/*/mounts                 r,
+  @{PROC}/@{pid}/mounts                    r,
  # printing
  /etc/papersize                   r,
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -77,4 +77,4 @@
  network inet6 dgram,
  # interface details
-  @{PROC}/*/net/route r,
+  @{PROC}/@{pid}/net/route r,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@@ -28,8 +28,8 @@
    network inet stream,
    network inet6 stream,
-    @{PROC}/[0-9]*/net/if_inet6 r,
+    @{PROC}/@{pid}/net/if_inet6 r,
-    @{PROC}/[0-9]*/net/ipv6_route r,
+    @{PROC}/@{pid}/net/ipv6_route r,
    /etc/java-*/ r,
    /etc/java-*/** r,
@@ -37,8 +37,8 @@
    /etc/ssl/certs/java/* r,
    /etc/timezone r,
-    @{PROC}/[0-9]*/ r,
+    @{PROC}/@{pid}/ r,
-    @{PROC}/[0-9]*/fd/ r,
+    @{PROC}/@{pid}/fd/ r,
    @{PROC}/filesystems r,
    /sys/devices/system/cpu/ r,
    /sys/devices/system/cpu/** r,
@@ -70,8 +70,8 @@
    network inet stream,
    network inet6 stream,
-    @{PROC}/[0-9]*/net/if_inet6 r,
+    @{PROC}/@{pid}/net/if_inet6 r,
-    @{PROC}/[0-9]*/net/ipv6_route r,
+    @{PROC}/@{pid}/net/ipv6_route r,
    @{PROC}/loadavg r,
    /etc/debian_version r,
@@ -81,8 +81,8 @@
    /etc/ssl/certs/java/* r,
    /etc/timezone r,
-    @{PROC}/[0-9]*/ r,
+    @{PROC}/@{pid}/ r,
-    @{PROC}/[0-9]*/fd/ r,
+    @{PROC}/@{pid}/fd/ r,
    @{PROC}/filesystems r,
    /sys/devices/system/cpu/ r,
    /sys/devices/system/cpu/** r,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
@@ -3,7 +3,7 @@
  #
  # Plugins/helpers
  #
-  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/@{pid}/fd/ r,
  /usr/lib/** rm,
  /bin/bash ixr,
  /bin/dash ixr,
--- a/profiles/apparmor.d/abstractions/ubuntu-konsole
+++ b/profiles/apparmor.d/abstractions/ubuntu-konsole
@@ -6,9 +6,9 @@
  #include <abstractions/consoles>
  #include <abstractions/kde>
  capability sys_ptrace,
-  @{PROC}/[0-9]*/status r,
+  @{PROC}/@{pid}/status r,
-  @{PROC}/[0-9]*/stat r,
+  @{PROC}/@{pid}/stat r,
-  @{PROC}/[0-9]*/cmdline r,
+  @{PROC}/@{pid}/cmdline r,
  /{,var/}run/utmp r,
  /dev/ptmx rw,
--- a/profiles/apparmor.d/tunables/global
+++ b/profiles/apparmor.d/tunables/global
@@ -16,3 +16,4 @@
 #include <tunables/multiarch>
 #include <tunables/proc>
 #include <tunables/alias>
 #include <tunables/kernelvars>
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
@@ -11,7 +11,7 @@
  capability chown,
  capability dac_override,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
  /usr/lib/dovecot/dovecot-auth mr,
  /{,var/}run/dovecot/** rw,
  # required for postfix+dovecot integration
--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
@@ -17,7 +17,7 @@
  /etc/avahi/hosts r,
  /etc/avahi/services/ r,
  /etc/avahi/services/*.service r,
-  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/@{pid}/fd/ r,
  /usr/sbin/avahi-daemon mr,
  /usr/share/avahi/introspection/*.introspect r,
  /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -19,7 +19,7 @@
  /etc/mtab r,
  /etc/lsb-release r,
  /etc/SuSE-release r,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
  /usr/lib/dovecot/dovecot-auth Pxmr,
  /usr/lib/dovecot/imap Pxmr,
  /usr/lib/dovecot/imap-login Pxmr,
--- a/profiles/apparmor.d/usr.sbin.nscd
+++ b/profiles/apparmor.d/usr.sbin.nscd
@@ -36,10 +36,10 @@
  /var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
  /{,var/}run/{nscd/,}nscd.pid rwl,
  /var/log/nscd.log rw,
-  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/@{pid}/fd/ r,
-  @{PROC}/[0-9]*/fd/* r,
+  @{PROC}/@{pid}/fd/* r,
-  @{PROC}/[0-9]*/maps r,
+  @{PROC}/@{pid}/maps r,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
  @{PROC}/filesystems r,
  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -58,11 +58,11 @@
  /{,var/}run/nscd/services r,
  /{,var/}run/ntpd.pid w,
  /var/tmp/ntp* rwl,
-  @{PROC}/*/net/if_inet6 r,
+  @{PROC}/@{pid}/net/if_inet6 r,
  @{PROC}/sys/kernel/ngroups_max r,
  # allow access for when chrooted
-  /var/lib/ntp/@{PROC}/*/net/if_inet6 r,
+  /var/lib/ntp/@{PROC}/@{pid}/net/if_inet6 r,
  /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
  @{NTPD_DEVICE} rw,
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,7 +24,7 @@
  /etc/netgroup r,
  /etc/printcap r,
  /etc/samba/* rwk,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
  @{PROC}/sys/kernel/core_pattern r,
  /usr/lib*/samba/vfs/*.so mr,
  /usr/lib*/samba/charset/*.so mr,
--- a/profiles/apparmor/profiles/extras/bin.netstat
+++ b/profiles/apparmor/profiles/extras/bin.netstat
@@ -26,16 +26,16 @@
  /bin/netstat rmix,
  /etc/networks r,
  @{PROC} r,
-  @{PROC}/[0-9]*/cmdline r,
+  @{PROC}/@{pids}/cmdline r,
-  @{PROC}/[0-9]*/fd r,
+  @{PROC}/@{pids}/fd r,
  @{PROC}/net r,
  @{PROC}/net/* r,
-  @{PROC}/*/fd/ r,
+  @{PROC}/@{pids}/fd/ r,
-  owner @{PROC}/*/net/raw r,
+  owner @{PROC}/@{pid}/net/raw r,
-  owner @{PROC}/*/net/raw6 r,
+  owner @{PROC}/@{pid}/net/raw6 r,
-  owner @{PROC}/*/net/tcp r,
+  owner @{PROC}/@{pid}/net/tcp r,
-  owner @{PROC}/*/net/tcp6 r,
+  owner @{PROC}/@{pid}/net/tcp6 r,
-  owner @{PROC}/*/net/udp r,
+  owner @{PROC}/@{pid}/net/udp r,
-  owner @{PROC}/*/net/udp6 r,
+  owner @{PROC}/@{pid}/net/udp6 r,
-  owner @{PROC}/*/net/unix r,
+  owner @{PROC}/@{pid}/net/unix r,
 }
--- a/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate
+++ b/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate
@@ -40,7 +40,7 @@
  /etc/logrotate.d/* r,
  /etc/subdomain.d r,
  @{PROC} r,
-  @{PROC}/[1-9]* r,
+  @{PROC}/@{pid} r,
  /tmp w,
  /tmp/file* wl,
  /tmp/logrot* wlr,
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -38,7 +38,7 @@
  /etc/dhclient.conf          r,
  @{PROC}/                    r,
  @{PROC}/interrupts          r,
-  @{PROC}/*/net/dev           r,
+  @{PROC}/@{pid}/net/dev      r,
  @{PROC}/rtc                 r,
  # following rule shouldn't work, self is a symlink
  @{PROC}/self/status         r,
--- a/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
+++ b/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
@@ -126,7 +126,7 @@
  /usr/share/** r,
  /opt/kde3/share/** r,
  /opt/mozilla/bin/mozilla.sh Pxr,
-  @{PROC}/*/cmdline r,
+  @{PROC}/@{pid}/cmdline r,
  @{PROC}/net r,
  @{PROC}/net/* r,
  /tmp r,
--- a/profiles/apparmor/profiles/extras/usr.bin.gaim
+++ b/profiles/apparmor/profiles/extras/usr.bin.gaim
@@ -50,7 +50,7 @@
  /usr/share/sounds/gaim/* r,
  /usr/share/themes/** r,
  /opt/kde3/bin/kde-config mixr,
-  @{PROC}/*/cmdline r,
+  @{PROC}/@{pid}/cmdline r,
  /usr/X11R6/lib/Acrobat*/Resource/Font/* r,
  /usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r,
  /usr/lib/ao/plugins-* r,
--- a/profiles/apparmor/profiles/extras/usr.bin.opera
+++ b/profiles/apparmor/profiles/extras/usr.bin.opera
@@ -32,7 +32,7 @@
  /etc/cups/lpoptions r,
  /etc/opera6rc        rw,
  /etc/opera6rc.fixed rw,
-  @{PROC}/[0-9]*/stat r,
+  @{PROC}/@{pid}/stat r,
  @{PROC}/net/if_inet6 r,
  @{PROC}/sys/vm/heap-stack-gap r,
--- a/profiles/apparmor/profiles/extras/usr.bin.skype
+++ b/profiles/apparmor/profiles/extras/usr.bin.skype
@@ -19,12 +19,12 @@
  #include <abstractions/X>
  @{PROC}/sys/kernel/{ostype,osrelease} r,
-  @{PROC}/[0-9]*/net/arp r,
+  @{PROC}/@{pid}/net/arp r,
-  owner @{PROC}/[0-9]*/auxv r,
+  owner @{PROC}/@{pid}/auxv r,
-  owner @{PROC}/[0-9]*/cmdline r,
+  owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/[0-9]*/fd/ r,
+  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/[0-9]*/task/ r,
+  owner @{PROC}/@{pid}/task/ r,
-  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
+  owner @{PROC}/@{pid}/task/[0-9]*/stat r,
  /sys/devices/**/power_supply/**/online r,
  /sys/devices/system/cpu/ r,
--- a/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
+++ b/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
@@ -28,8 +28,8 @@
  # for networking
  network inet stream,
  network inet6 stream,
-  @{PROC}/[0-9]*/net/if_inet6 r,
+  @{PROC}/@{pid}/net/if_inet6 r,
-  @{PROC}/[0-9]*/net/ipv6_route r,
+  @{PROC}/@{pid}/net/ipv6_route r,
  # should maybe be in abstractions
  /usr/share/xubuntu/applications/defaults.list r,
@@ -68,17 +68,17 @@
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
-  @{PROC}/[0-9]*/cmdline r,
+  @{PROC}/@{pid}/cmdline r,
-  @{PROC}/[0-9]*/mountinfo r,
+  @{PROC}/@{pid}/mountinfo r,
-  @{PROC}/[0-9]*/stat r,
+  @{PROC}/@{pid}/stat r,
-  @{PROC}/[0-9]*/status r,
+  @{PROC}/@{pid}/status r,
  /etc/mtab r,
  /etc/fstab r,
  # Needed for the crash reporter
-  owner @{PROC}/[0-9]*/environ r,
+  owner @{PROC}/@{pid}/environ r,
-  owner @{PROC}/[0-9]*/auxv r,
+  owner @{PROC}/@{pid}/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
--- a/profiles/apparmor/profiles/extras/usr.sbin.smbd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.smbd
@@ -31,7 +31,7 @@
  @{HOME}/**  rwl,
  @{HOMEDIRS} rwl,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
  /tmp rw,
  /var/tmp rw,
  /var/tmp/** lrw,
--- a/profiles/apparmor/profiles/extras/usr.sbin.squid
+++ b/profiles/apparmor/profiles/extras/usr.sbin.squid
@@ -29,7 +29,7 @@
  /dev/tty rw,
  /etc/mtab r,
  /etc/squid/* r,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
  @{PROC}/mounts r,
  /usr/share/squid/** r,
  /var/log/squid/access.log w,
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -40,15 +40,15 @@
  /etc/hosts.deny r,
  /etc/modules.conf r,
  /etc/ssh/* r,
-  @{PROC}/[0-9]*/oom_adj rw,
+  @{PROC}/@{pid}/oom_adj rw,
-  @{PROC}/[0-9]*/oom_score_adj rw,
+  @{PROC}/@{pid}/oom_score_adj rw,
  /usr/sbin/sshd mrix,
  /var/log/btmp r,
  /{,var/}run w,
  /{,var/}run/sshd{,.init}.pid wl,
-  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/@{pid}/fd/ r,
-  @{PROC}/[0-9]*/loginuid w,
+  @{PROC}/@{pid}/loginuid w,
 # should only be here for use in non-change-hat openssh
 # duplicated from EXEC hat
@@ -74,7 +74,7 @@
  /dev/pts/[0-9]* rw,
  /etc/ssh/moduli r,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
 # duplicated from AUTHENTICATED
  /etc/motd r,
@@ -143,7 +143,7 @@
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/ssh/moduli r,
-    @{PROC}/[0-9]*/mounts r,
+    @{PROC}/@{pid}/mounts r,
 # for debugging
 #  /dev/pts/[0-9]*                                              rw,
--- a/profiles/apparmor/profiles/extras/usr.sbin.useradd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.useradd
@@ -38,7 +38,7 @@
  /etc/skel r,
  /etc/skel/** r,
  @{HOMEDIRS}**  rw,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
  @{PROC}/filesystems r,
  /usr/lib*/pwdutils/*so* mr,
  /usr/sbin/adduser rmix,
--- a/profiles/apparmor/profiles/extras/usr.sbin.userdel
+++ b/profiles/apparmor/profiles/extras/usr.sbin.userdel
@@ -38,7 +38,7 @@
  /etc/shadow* rwl,
  /etc/pwdutils/logging r,
  @{HOMEDIRS}**  rwl,
-  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/@{pid}/mounts r,
  /usr/bin/crontab rmix,
  /usr/lib*/pwdutils/*.so.* mr,
  /usr/sbin/userdel rmix,