profiles: Add a hosts_access abstraction

Host files accessed by tcp_wrapper can reference other files, from man 5 hosts.allow ``` A string that begins with a '/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used. ``` This means adding a file to hosts requires updating multiple profiles Add a hosts abstraction so users only have to modify a single location. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/605 Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1864466 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2025-08-29 21:38:15 +00:00 · 2020-08-31 17:27:56 -07:00 · 2020-08-31 17:27:56 -07:00 · eb8f9302aa
commit eb8f9302aa
parent e1ba76375b
12 changed files with 28 additions and 22 deletions
--- a/profiles/apparmor.d/abstractions/hosts_access
+++ b/profiles/apparmor.d/abstractions/hosts_access
@ -0,0 +1,17 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2020 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #
 # ------------------------------------------------------------------
  abi <abi/3.0>,
  /etc/hosts.deny r,
  /etc/hosts.allow r,
  include if exists <abstractions/hosts_access.d>
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@ -24,6 +24,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
  include <abstractions/mysql>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/hosts_access>
  capability chown,
  capability dac_override,
@ -47,8 +48,6 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
  /etc/syslog-ng/conf.d/ r,
  /etc/syslog-ng/conf.d/* r,
  @{PROC}/kmsg r,
  /etc/hosts.deny r,
  /etc/hosts.allow r,
  /{usr/,}{bin,sbin}/syslog-ng mr,
  @{sys}/devices/system/cpu/online r,
  /usr/share/syslog-ng/** r,
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@ -48,14 +48,13 @@ profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnec
    include <abstractions/nameservice>
    include <abstractions/user-tmp>
    include <abstractions/postfix-common>
    include <abstractions/hosts_access>
    capability sys_ptrace,
    /etc/aliases rw,     # newaliases is a symlink to sendmail, so it's
    /etc/aliases.db rw,  # actually the same binary
    /etc/fstab r,
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/mail/* r,
    /etc/mail/statistics rw,
    /etc/mtab r,
--- a/profiles/apparmor/profiles/extras/sbin.portmap
+++ b/profiles/apparmor/profiles/extras/sbin.portmap
@ -15,13 +15,12 @@ include <tunables/global>
 profile portmap /{usr/,}sbin/portmap {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/hosts_access>
  capability net_bind_service,
  capability setuid,
  capability setgid,
  /etc/bindresvport.blacklist r,
  /etc/hosts.allow	r,
  /etc/hosts.deny	r,
  /{usr/,}sbin/portmap         rmix,
 }
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@ -9,6 +9,7 @@ include <tunables/global>
  include <abstractions/dbus>
  include <abstractions/nameservice>
  include <abstractions/perl>
  include <abstractions/hosts_access>
  capability chown,
  capability dac_override,
@ -44,8 +45,6 @@ include <tunables/global>
  /etc/cups/printcap rw,
  /etc/cups/ssl rw,
  /etc/cups/yes/* rw,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  @{PROC}/meminfo r,
  @{PROC}/sys/dev/parport/** r,
  /sys/class/usb r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
@ -15,6 +15,7 @@ include <tunables/global>
 /usr/sbin/dhcpd {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/hosts_access>
  capability dac_override,
  capability net_bind_service,
@ -29,8 +30,6 @@ include <tunables/global>
  /db/dhcpd.leases*     lrw,
  /etc/dhcpd.conf	r,
  /etc/named.d/*	r,
  /etc/hosts.allow	r,
  /etc/hosts.deny	r,
  @{PROC}/net/dev	r,
  /usr/sbin/dhcpd	rmix,
  /var/lib/dhcp/{db/,}dhcpd{6,}.leases*	rwl,
--- a/profiles/apparmor/profiles/extras/usr.sbin.mysqld
+++ b/profiles/apparmor/profiles/extras/usr.sbin.mysqld
@ -21,13 +21,12 @@ include <tunables/global>
  include <abstractions/mysql>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>
  include <abstractions/hosts_access>
  capability dac_override,
  capability setgid,
  capability setuid,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/my.cnf r,
  /etc/my.cnf.d/ r,
  /etc/my.cnf.d/*.cnf r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
@ -22,14 +22,13 @@ include <tunables/global>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>
  include <abstractions/postfix-common>
  include <abstractions/hosts_access>
  /usr/bin/procmail           Px,
  /etc/aliases.db             rw,
  /etc/aliases                rw,
  /etc/fstab                  r,
  /etc/hosts.allow            r,
  /etc/hosts.deny             r,
  /etc/ldap.conf              r,
  /etc/mail/*                 r,
  /etc/mail/statistics        rw,
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
@ -15,13 +15,12 @@ include <tunables/global>
 /usr/sbin/sendmail.sendmail {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/hosts_access>
  @{PROC}/loadavg             r,
  /etc/aliases                rw,
  /etc/aliases.db             rw,
  /etc/fstab                  r,
  /etc/hosts.allow            r,
  /etc/hosts.deny             r,
  /etc/ldap.conf              r,
  /etc/mail/statistics        rw,
  /etc/mail/*                 r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@ -25,6 +25,7 @@ include <tunables/global>
  include <abstractions/libpam-systemd>
  include <abstractions/nameservice>
  include <abstractions/wutmp>
  include <abstractions/hosts_access>
  capability sys_chroot,
  capability sys_resource,
@ -54,8 +55,6 @@ include <tunables/global>
  /dev/urandom r,
  /etc/default/locale r,
  /etc/environment r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/modules.conf r,
  /etc/security/** r,
  /etc/ssh/** r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
@ -17,13 +17,12 @@ include <tunables/global>
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/authentication>
  include <abstractions/hosts_access>
  /dev/urandom               r,
  /etc/environment           r,
  /etc/fstab                 r,
  /etc/ftpusers              r,
  /etc/hosts.allow           r,
  /etc/hosts.deny            r,
  /etc/mtab                  r,
  /etc/shells                r,
  /etc/vsftpd.*              r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.xinetd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.xinetd
@ -15,13 +15,12 @@ include <tunables/global>
 /usr/sbin/xinetd {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/hosts_access>
  capability net_bind_service,
  capability setgid,
  capability setuid,
  /etc/hosts.allow                 r,
  /etc/hosts.deny                  r,
  /etc/xinetd.conf                 r,
  /etc/xinetd.d                    r,
  /etc/xinetd.d/*                  r,