mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 22:05:27 +00:00
Code Issues Releases Wiki Activity

Update Java abstraction for version 8 and 9

Browse Source 
Merge branch 'update-java' into 'master'

I have discovered denies on Debian Sid by Thunderbird being unable to load IcedTead plugin upon profile creation (can be reproduced by deleteing/moving `$HOME/.thunderbird` directory).

Additionally, profile was tested with (modified) `usr.lib.firefox.firefox` and made it run some random IcedTea applet successfully [0].

There are still denies for `/usr/bin/logger`, but I left this for later patches.

Please note that path to Java 9 binary is different that to previous versions.

Relevant DENIED messages:

```
type=AVC msg=audit(1511099962.556:810): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so" pid=5186 comm="thunderbird" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1511099962.556:810): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=296bc8 a2=5 a3=802 items=0 ppid=1541 pid=5186 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key=(null)
type=PROCTITLE msg=audit(1511099962.556:810): proctitle="/usr/lib/thunderbird/thunderbird"
```

```
type=AVC msg=audit(1511100105.471:1018): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-debug-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1018): arch=c000003e syscall=2 success=no exit=-13 a0=7f3638000cb0 a1=0 a2=1b6 a3=7f36ae502620 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1018): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```

```
type=AVC msg=audit(1511100105.471:1019): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-gHIeGy/6064-icedteanp-plugin-to-appletviewer" pid=6073 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100105.471:1019): arch=c000003e syscall=2 success=no exit=-13 a0=7f36a822bdc0 a1=0 a2=1b6 a3=10002ae08 items=0 ppid=6064 pid=6073 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100105.471:1019): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```

```
type=AVC msg=audit(1511100221.153:1132): apparmor="DENIED" operation="open" profile="/usr/lib/firefox{,-esr}/firefox{,-esr}{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-vincas-JY8Sat/6405-icedteanp-appletviewer-to-plugin" pid=6414 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1511100221.153:1132): arch=c000003e syscall=2 success=no exit=-13 a0=7f20e025e280 a1=241 a2=1b6 a3=10002ae08 items=0 ppid=6405 pid=6414 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" key=(null)
type=PROCTITLE msg=audit(1511100221.153:1132): proctitle=2F7573722F6C69622F6A766D2F6A6176612D382D6F70656E6A646B2D616D6436342F62696E2F6A617661002D44696365647465612D7765622E62696E2E6C6F636174696F6E3D2F7573722F62696E2F6A6176617773002D44696365647465612D7765622E62696E2E6E616D653D6A6176617773002D58626F6F74636C61737370
```

[0] https://centra.tecnico.ulisboa.pt/~amaro/Spline3D.html

See merge request https://gitlab.com/apparmor/apparmor/merge_requests/13/
This commit is contained in:
Steve Beattie
2017-11-29 23:41:42 +00:00
parent 014695786c d662c2be72
commit 2aabf0c0f0
1 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
View File

@@ -4,11 +4,10 @@
owner @{HOME}/.java/deployment/deployment.properties k,
/etc/java-*/ r,
/etc/java-*/** r,
/usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
/usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-7-openjdk/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
/usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
/usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
@@ -48,12 +47,15 @@
/var/lib/dbus/machine-id r,
/usr/bin/env ix,
/usr/lib/jvm/java-{6,7}-openjdk*/jre/bin/java ix,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
/usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
# Why would java need this?
deny /usr/bin/gconftool-2 x,
owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
owner @{HOME}/ r,
owner @{HOME}/** rwk,
}