Merge branch 'harden-abstractions' into 'master'

Harden abstractions Harden abstractions remove antiquated abstractions/launchpad-integration abstractions/opencl-nvidia: don't allow PUx on nvidia-modprobe abstractions/private-files-strict: disallow access to the dirs of private files abstractions/private-files: disallow writes to thumbnailer dir (LP: #1788929) ubuntu-browsers.d/user-files: disallow access to the dirs of private files Nominating launchpad-integration and opencl-nvidia for 2.13. Nominating private-files-strict, private-files and user-files for 2.10 and higher See merge request apparmor/apparmor!203 Acked-by: John Johansen <john.johansen@canonical.com>
2025-09-05 00:35:13 +00:00 · 2018-09-27 17:32:47 +00:00
parent 7e22b0a894 5efd257585
commit 63ffb8ea64
5 changed files with 23 additions and 44 deletions
--- a/profiles/apparmor.d/abstractions/launchpad-integration
+++ b/profiles/apparmor.d/abstractions/launchpad-integration
@@ -1,28 +0,0 @@
-# vim:syntax=apparmor
-# launchpad-integration
-
-  # Launchpad integration should run in a sanitizing profile
-  /usr/bin/launchpad-integration Cxr -> launchpad_integration,
-  profile launchpad_integration {
-    #include <abstractions/base>
-    #include <abstractions/nameservice>
-    #include <abstractions/ubuntu-browsers>
-
-    # Required for debuggers
-    capability sys_ptrace,
-
-    # Run confined with security execution. sudo scrubs the environment, so we
-    # don't have to
-    /usr/bin/sudo Ux,
-
-    # Give it wide permissions since it and apport need to do a lot
-    /** rwlk,
-    /{,usr/}{,s}bin/* Pixr,
-    /{,usr/}lib*/{,**/}*.so{,.*} m,
-    /usr/share/apport/* Pixr,
-
-    # Dangerous files
-    audit deny owner /**/*.py* r,       # python imports
-    audit deny owner /**/* m,           # compiled libraries
-  }
-
--- a/profiles/apparmor.d/abstractions/opencl-nvidia
+++ b/profiles/apparmor.d/abstractions/opencl-nvidia
@@ -6,7 +6,13 @@

  # Executables

-  /usr/bin/nvidia-modprobe PUx,
+  # https://github.com/NVIDIA/nvidia-modprobe
+  # This setuid executable is used to create various device files and load the
+  # the nvidia kernel module and is therefore not appropriate for a general
+  # purpose abstraction. Confined applications currently need to add this rule
+  # in their policy. At some point, a profile may be provided for this command
+  # such that Px would succeed.
+  #/usr/bin/nvidia-modprobe Pix,

  # System files

--- a/profiles/apparmor.d/abstractions/private-files
+++ b/profiles/apparmor.d/abstractions/private-files
@@ -19,6 +19,7 @@
  audit deny @{HOME}/.init/** wl,
  audit deny @{HOME}/.kde{,4}/Autostart/** wl,
  audit deny @{HOME}/.kde{,4}/env/** wl,
+  audit deny @{HOME}/.local/share/thumbnailers/** wl,
  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,

  # don't allow reading/updating of run control files
--- a/profiles/apparmor.d/abstractions/private-files-strict
+++ b/profiles/apparmor.d/abstractions/private-files-strict
@@ -5,17 +5,17 @@
  #include <abstractions/private-files>

  # potentially extremely sensitive files
-  audit deny @{HOME}/.gnupg/** mrwkl,
-  audit deny @{HOME}/.ssh/** mrwkl,
-  audit deny @{HOME}/.gnome2_private/** mrwkl,
-  audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+  audit deny @{HOME}/.gnupg/{,**} mrwkl,
+  audit deny @{HOME}/.ssh/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
  # don't allow access to any gnome-keyring modules
  audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
-  audit deny @{HOME}/.mozilla/** mrwkl,
-  audit deny @{HOME}/.config/chromium/** mrwkl,
-  audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
-  audit deny @{HOME}/.evolution/** mrwkl,
-  audit deny @{HOME}/.config/evolution/** mrwkl,
-  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
-  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.mozilla/{,**} mrwkl,
+  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+  audit deny @{HOME}/.evolution/{,**} mrwkl,
+  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,

--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
@@ -8,12 +8,12 @@

  # Do not allow read and/or write to particularly sensitive/problematic files
  #include <abstractions/private-files>
-  audit deny @{HOME}/.ssh/** mrwkl,
-  audit deny @{HOME}/.gnome2_private/** mrwkl,
-  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.ssh/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,

  # Comment this out if using gpg plugin/addons
-  audit deny @{HOME}/.gnupg/** mrwkl,
+  audit deny @{HOME}/.gnupg/{,**} mrwkl,

  # Allow read to all files user has DAC access to and write for files the user
  # owns on removable media and filesystems.