mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 06:45:38 +00:00
Code Issues Releases Wiki Activity

Subject: profiles - finish @{PROC} conversion

Browse Source 
This patch finishes the conversion from /proc to the @{PROC}
tunable within profiles and abstractions. It also adjusts some of
the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict
things to just the /proc/pid directories. (A followup patch will
convert these to use @{pid} from the kernelvars tunable.)

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
This commit is contained in:
Steve Beattie
2013-01-02 15:31:01 -08:00
parent 39b1aa98eb
commit 3810ecb08b
8 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
profiles/apparmor.d/abstractions/apache2-common
View File

@@ -11,7 +11,7 @@
/usr/share/apache2/** r, /usr/share/apache2/** r,
# changehat itself # changehat itself
/proc/*/attr/current w, @{PROC}/[0-9]*/attr/current w,
# htaccess files - for what ever it is worth # htaccess files - for what ever it is worth
/**/.htaccess r, /**/.htaccess r,

2
profiles/apparmor.d/apache2.d/phpsysinfo
View File

@@ -17,7 +17,7 @@
/etc/lsb-release r, /etc/lsb-release r,
/etc/mtab r, /etc/mtab r,
/etc/phpsysinfo/config.php r, /etc/phpsysinfo/config.php r,
/proc/** r, @{PROC}/** r,
/sys/bus/pci/devices/ r, /sys/bus/pci/devices/ r,
/sys/devices/** r, /sys/devices/** r,
/usr/bin/apt-cache ixr, /usr/bin/apt-cache ixr,

2
profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
View File

@@ -11,7 +11,7 @@
capability chown, capability chown,
capability dac_override, capability dac_override,
/proc/*/mounts r, @{PROC}/[0-9]*/mounts r,
/usr/lib/dovecot/dovecot-auth mr, /usr/lib/dovecot/dovecot-auth mr,
/{,var/}run/dovecot/** rw, /{,var/}run/dovecot/** rw,
# required for postfix+dovecot integration # required for postfix+dovecot integration

2
profiles/apparmor.d/usr.sbin.avahi-daemon
View File

@@ -17,7 +17,7 @@
/etc/avahi/hosts r, /etc/avahi/hosts r,
/etc/avahi/services/ r, /etc/avahi/services/ r,
/etc/avahi/services/*.service r, /etc/avahi/services/*.service r,
/proc/*/fd/ r, @{PROC}/[0-9]*/fd/ r,
/usr/sbin/avahi-daemon mr, /usr/sbin/avahi-daemon mr,
/usr/share/avahi/introspection/*.introspect r, /usr/share/avahi/introspection/*.introspect r,
/usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r, /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,

2
profiles/apparmor.d/usr.sbin.nmbd
View File

@@ -7,7 +7,7 @@
capability net_bind_service, capability net_bind_service,
/proc/sys/kernel/core_pattern r, @{PROC}/sys/kernel/core_pattern r,
/usr/sbin/nmbd mr, /usr/sbin/nmbd mr,

4
profiles/apparmor.d/usr.sbin.smbd
View File

@@ -24,8 +24,8 @@
/etc/netgroup r, /etc/netgroup r,
/etc/printcap r, /etc/printcap r,
/etc/samba/* rwk, /etc/samba/* rwk,
/proc/*/mounts r, @{PROC}/[0-9]*/mounts r,
/proc/sys/kernel/core_pattern r, @{PROC}/sys/kernel/core_pattern r,
/usr/lib*/samba/vfs/*.so mr, /usr/lib*/samba/vfs/*.so mr,
/usr/lib*/samba/charset/*.so mr, /usr/lib*/samba/charset/*.so mr,
/usr/lib*/samba/auth/script.so mr, /usr/lib*/samba/auth/script.so mr,

4
profiles/apparmor/profiles/extras/usr.sbin.cupsd
View File

@@ -43,8 +43,8 @@
/etc/cups/yes/* rw, /etc/cups/yes/* rw,
/etc/hosts.allow r, /etc/hosts.allow r,
/etc/hosts.deny r, /etc/hosts.deny r,
/proc/meminfo r, @{PROC}/meminfo r,
/proc/sys/dev/parport/** r, @{PROC}/sys/dev/parport/** r,
/sys/class/usb r, /sys/class/usb r,
/usr/bin/perl ix, /usr/bin/perl ix,
/usr/bin/smbspool ixr, /usr/bin/smbspool ixr,

4
profiles/apparmor/profiles/extras/usr.sbin.sshd
View File

@@ -40,8 +40,8 @@
/etc/hosts.deny r, /etc/hosts.deny r,
/etc/modules.conf r, /etc/modules.conf r,
/etc/ssh/* r, /etc/ssh/* r,
/proc/*/oom_adj rw, @{PROC}/[0-9]*/oom_adj rw,
/proc/*/oom_score_adj rw, @{PROC}/[0-9]*/oom_score_adj rw,
/usr/sbin/sshd mrix, /usr/sbin/sshd mrix,
/var/log/btmp r, /var/log/btmp r,
/{,var/}run w, /{,var/}run w,