From eb8f9302aa664e8ac84a03eaf11b1cb1372b1e44 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 31 Aug 2020 17:27:56 -0700
Subject: [PATCH] profiles: Add a hosts_access abstraction

Host files accessed by tcp_wrapper can reference other files, from man 5 hosts.allow
```
A string that begins with a '/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.
```
This means adding a file to hosts requires updating multiple profiles Add a hosts abstraction so users only have to modify a single location.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/605
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1864466
Signed-off-by: John Johansen
Acked-by: Christian Boltz
---
profiles/apparmor.d/abstractions/hosts_access | 17 +++++++++++++++++
profiles/apparmor.d/sbin.syslog-ng | 3 +--
profiles/apparmor.d/usr.lib.dovecot.dovecot-lda | 3 +--
profiles/apparmor/profiles/extras/sbin.portmap | 3 +--
.../apparmor/profiles/extras/usr.sbin.cupsd | 3 +--
.../apparmor/profiles/extras/usr.sbin.dhcpd | 3 +--
.../apparmor/profiles/extras/usr.sbin.mysqld | 3 +--
.../apparmor/profiles/extras/usr.sbin.sendmail | 3 +--
.../profiles/extras/usr.sbin.sendmail.sendmail | 3 +--
profiles/apparmor/profiles/extras/usr.sbin.sshd | 3 +--
.../apparmor/profiles/extras/usr.sbin.vsftpd | 3 +--
.../apparmor/profiles/extras/usr.sbin.xinetd | 3 +--
12 files changed, 28 insertions(+), 22 deletions(-)
create mode 100644 profiles/apparmor.d/abstractions/hosts_access

diff --git a/profiles/apparmor.d/abstractions/hosts_access b/profiles/apparmor.d/abstractions/hosts_access
new file mode 100644
index 000000000..e5ea88c11
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/hosts_access
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi ,
+
+ /etc/hosts.deny r,
+ /etc/hosts.allow r,
+
+ include if exists
diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng
index 6f8a19fbd..26e1234cf 100644
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -24,6 +24,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
 include
 include
 include
+ include
 capability chown,
 capability dac_override,
@@ -47,8 +48,6 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
 /etc/syslog-ng/conf.d/ r,
 /etc/syslog-ng/conf.d/* r,
 @{PROC}/kmsg r,
- /etc/hosts.deny r,
- /etc/hosts.allow r,
 /{usr/,}{bin,sbin}/syslog-ng mr,
 @{sys}/devices/system/cpu/online r,
 /usr/share/syslog-ng/** r,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
index 700e20fcd..c9d3fe4b1 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@@ -48,14 +48,13 @@ profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnec
 include
 include
 include
+ include
 capability sys_ptrace,
 /etc/aliases rw, # newaliases is a symlink to sendmail, so it's
 /etc/aliases.db rw, # actually the same binary
 /etc/fstab r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/mail/* r,
 /etc/mail/statistics rw,
 /etc/mtab r,
diff --git a/profiles/apparmor/profiles/extras/sbin.portmap b/profiles/apparmor/profiles/extras/sbin.portmap
index 3ffb56819..0d5b23936 100644
--- a/profiles/apparmor/profiles/extras/sbin.portmap
+++ b/profiles/apparmor/profiles/extras/sbin.portmap
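Review bot: The new abstraction has no comment saying what the two rules are for or that entries in /etc/hosts.allow and /etc/hosts.deny may themselves name further pattern files (the hosts_access(5) behaviour the commit message quotes), which this file does not cover on its own; a header comment along the lines of `# Access-control files read by tcp_wrappers (libwrap). Patterns in them may` / `# name additional files (see hosts_access(5)); grant reads for those through the` / `# include-if-exists hook below instead of editing each profile.` would make the intended workflow visible in the file itself. Because every profile that includes this abstraction inherits whatever that hook pulls in, the comment should also say so, since a single drop-in now widens the read access of all of the profiles touched by this commit. The target of the `abi` rule and of the `include if exists` line is not visible in this rendering, so the exact paths should be checked against the file as committed.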
@@ -15,13 +15,12 @@ include
 profile portmap /{usr/,}sbin/portmap {
 include
 include
+ include
 capability net_bind_service,
 capability setuid,
 capability setgid,
 /etc/bindresvport.blacklist r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /{usr/,}sbin/portmap rmix,
 }
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.cupsd b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
index e381e0169..24f521e00 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -9,6 +9,7 @@ include
 include
 include
 include
+ include
 capability chown,
 capability dac_override,
@@ -44,8 +45,6 @@ include
 /etc/cups/printcap rw,
 /etc/cups/ssl rw,
 /etc/cups/yes/* rw,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 @{PROC}/meminfo r,
 @{PROC}/sys/dev/parport/** r,
 /sys/class/usb r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
index 13f210a5d..098d78f93 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
@@ -15,6 +15,7 @@ include
 /usr/sbin/dhcpd {
 include
 include
+ include
 capability dac_override,
 capability net_bind_service,
@@ -29,8 +30,6 @@ include
 /db/dhcpd.leases* lrw,
 /etc/dhcpd.conf r,
 /etc/named.d/* r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 @{PROC}/net/dev r,
 /usr/sbin/dhcpd rmix,
 /var/lib/dhcp/{db/,}dhcpd{6,}.leases* rwl,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.mysqld b/profiles/apparmor/profiles/extras/usr.sbin.mysqld
index cd0801944..8410467b1 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.mysqld
+++ b/profiles/apparmor/profiles/extras/usr.sbin.mysqld
@@ -21,13 +21,12 @@ include
 include
 include
 include
+ include
 capability dac_override,
 capability setgid,
 capability setuid,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/my.cnf r,
 /etc/my.cnf.d/ r,
 /etc/my.cnf.d/*.cnf r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
index f6e57e5cb..f1326d8de 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
@@ -22,14 +22,13 @@ include
 include
 include
 include
+ include
 /usr/bin/procmail Px,
 /etc/aliases.db rw,
 /etc/aliases rw,
 /etc/fstab r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/ldap.conf r,
 /etc/mail/* r,
 /etc/mail/statistics rw,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
index 85f5dbd1d..4bce297d8 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
@@ -15,13 +15,12 @@ include
 /usr/sbin/sendmail.sendmail {
 include
 include
+ include
 @{PROC}/loadavg r,
 /etc/aliases rw,
 /etc/aliases.db rw,
 /etc/fstab r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/ldap.conf r,
 /etc/mail/statistics rw,
 /etc/mail/* r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sshd b/profiles/apparmor/profiles/extras/usr.sbin.sshd
index 8a04a5225..98927ddd5 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -25,6 +25,7 @@ include
 include
 include
 include
+ include
 capability sys_chroot,
 capability sys_resource,
@@ -54,8 +55,6 @@ include
 /dev/urandom r,
 /etc/default/locale r,
 /etc/environment r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/modules.conf r,
 /etc/security/** r,
 /etc/ssh/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
index 0027fbae0..7d4862dfb 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
@@ -17,13 +17,12 @@ include
 include
 include
 include
+ include
 /dev/urandom r,
 /etc/environment r,
 /etc/fstab r,
 /etc/ftpusers r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/mtab r,
 /etc/shells r,
 /etc/vsftpd.* r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.xinetd b/profiles/apparmor/profiles/extras/usr.sbin.xinetd
index 857fcd4e3..d5fb26a37 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.xinetd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.xinetd
@@ -15,13 +15,12 @@ include
 /usr/sbin/xinetd {
 include
 include
+ include
 capability net_bind_service,
 capability setgid,
 capability setuid,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/xinetd.conf r,
 /etc/xinetd.d r,
 /etc/xinetd.d/* r,