Merge branch 'drg-mods-1' into 'master'

Various profile/abstraction updates See merge request apparmor/apparmor!153 Acked-by: intrigeri <intrigeri@debian.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2025-08-29 13:28:19 +00:00 · 2018-08-02 17:17:30 +00:00 · 2018-08-02 17:17:30 +00:00 · b4c848c81e
commit b4c848c81e
parent ddb256076b 67728c4f91
5 changed files with 47 additions and 9 deletions
--- a/profiles/apparmor.d/abstractions/ldapclient
+++ b/profiles/apparmor.d/abstractions/ldapclient
@ -18,4 +18,7 @@
  /etc/sasl2/*              r,
  /usr/lib{,32,64}/sasl2/*  r,

+  # local LDAP name service daemon
+  /{,var/}run/nslcd/socket  rw,
+
  #include <abstractions/ssl_certs>
--- a/profiles/apparmor/profiles/extras/sbin.rpc.statd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.statd
@ -13,17 +13,38 @@
 profile rpc.statd /{usr/,}sbin/rpc.statd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
+
+  # needed to sanely drop privileges
+  capability setgid,
+  capability setuid,
+
+  # changes ownership of pidfile
+  capability chown,
+
+  # not sure why this is needed
+  capability setpcap,
+
+  owner @{PROC}/@{pid}/fd/         r,
+  @{PROC}/fs/lockd/nlm_end_grace   w,
+  @{PROC}/sys/fs/nfs/**            r,
+  @{PROC}/sys/fs/nfs/nsm_local_state w,
+
+  /etc/netconfig                   r,
  /etc/rpc                         r,
-  /{usr/,}sbin/rpc.statd           rmix,
-  /sm                              rw,
-  /sm.bak                          rw,
-  /state                           rw,
+  /{usr/,}sbin/rpc.statd           mrix,
+  /{usr/,}sbin/sm-notify           mrix,
+  /var/lib/nfs/sm/                 r,
  /var/lib/nfs/sm/*                rw,
-  /var/lib/nfs/statd               rw,
-  /var/lib/nfs/statd/sm            r,
+  /var/lib/nfs/sm.bak/             r,
+  /var/lib/nfs/statd/              rw,
+  /var/lib/nfs/statd/sm/           r,
  /var/lib/nfs/statd/sm/*          rwl,
  /var/lib/nfs/statd/state         rw,
-  /var/lib/nfs/statd/sm.bak        r,
+  /var/lib/nfs/statd/sm.bak/       r,
  /var/lib/nfs/statd/sm.bak/*      rwl,
-  /{,var/}run/rpc.statd.pid           w,
+  /var/lib/nfs/state               rwk,
+  /var/lib/nfs/state.new           rwl,
+  /{,var/}run/rpc.statd.pid        w,
+  /{,var/}run/rpcbind.sock         rw,
+  /{,var/}run/sm-notify.pid        w,
 }
--- a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
@ -19,5 +19,5 @@

  /usr/bin/finger        mix,
  /var/log/lastlog       r,
-  /{,var/}run/utmp          r,
+  /{,var/}run/utmp       rk,
 }
--- a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
@ -14,6 +14,7 @@
 /usr/sbin/lighttpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
+  #include <abstractions/perl>
  #include <abstractions/web-data>

  # needed to change max file descriptors
@ -26,6 +27,8 @@
  capability setgid,
  capability setuid,

+  @{PROC}/loadavg r,
+
  /etc/lighttpd r,
  /etc/lighttpd/*.conf r,
  /etc/lighttpd/conf.d/*.conf r,
@ -50,7 +53,17 @@
  /var/log/lighttpd/*.log rw,
  # include_shell
  /{usr/,}bin/bash mix,
+  /{usr/,}bin/dash mix,
  /{usr/,}bin/zsh mix,
  /{usr/,}bin/cat mix,
+
+  # Debian/Ubuntu integration in default installation
+  /etc/mime.types r,
+  /usr/share/lighttpd/ r,
+  /usr/share/lighttpd/*.pl mrix,
+  /etc/lighttpd/conf-available/ r,
+  /etc/lighttpd/conf-available/*.conf r,
+  /etc/lighttpd/conf-enabled/ r,
+  /etc/lighttpd/conf-enabled/*.conf r,
 }

--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@ -129,6 +129,7 @@
  /etc.legal r,
  /etc/motd r,
  /{,var/}run/motd{,.dynamic}{,.new} rw,
+  /tmp/krb5cc* wk,
  /tmp/ssh-[a-zA-Z0-9]*/ w,
  /tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,