From 983003131475ce3f1c83d19e15d2edb290902296 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Mon, 8 Mar 2021 01:26:10 +0100 Subject: [PATCH 1/4] Add crypto abstraction and include it in base crypto allows reading /etc/gcrypt/random.conf, which is possibly needed for all programs that use libgcrypt. Reported by darix, he has seen it with vivaldi. --- profiles/apparmor.d/abstractions/base | 1 + profiles/apparmor.d/abstractions/crypto | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 profiles/apparmor.d/abstractions/crypto diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base index cf939ebdc..4853bef50 100644 --- a/profiles/apparmor.d/abstractions/base +++ b/profiles/apparmor.d/abstractions/base @@ -12,6 +12,7 @@ abi , + include # (Note that the ldd profile has inlined this file; if you make # modifications here, please consider including them in the ldd diff --git a/profiles/apparmor.d/abstractions/crypto b/profiles/apparmor.d/abstractions/crypto new file mode 100644 index 000000000..1000c919d --- /dev/null +++ b/profiles/apparmor.d/abstractions/crypto @@ -0,0 +1,18 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2021 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi , + + @{etc_ro}/gcrypt/random.conf r, + + include if exists From 534a6d305724702ef64187ffbe5972fecb9715ea Mon Sep 17 00:00:00 2001 
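Review bot: The include of the new crypto abstraction added after the `abi` line in base is not carried over to the ldd profile, even though the comment directly below the insertion point says ldd has inlined this file and asks for modifications to be mirrored there; the diffstat lists only base and the new crypto file. Either add the equivalent `@{etc_ro}/gcrypt/random.conf r,` to the ldd profile in the same series, or state in the commit message why ldd does not need it. The new abstraction also makes base depend on the `@{etc_ro}` tunable; presumably it is already defined in the tunables shipped with these profiles, but that is not visible in this hunk and is worth confirming before the include lands in every profile.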
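Review bot: The only rule in the new crypto abstraction, `@{etc_ro}/gcrypt/random.conf r,`, has no comment saying which library needs it; the justification (libgcrypt, observed with vivaldi) lives only in the commit message. Add a why-comment above the rule, e.g. `# libgcrypt reads its RNG configuration from here`, so the next person widening or tightening this file does not have to dig through git log. A one-line purpose comment under the license block, such as `# Rules shared by common crypto libraries (libgcrypt and friends)`, would also make the intended scope of the abstraction explicit, since it is about to be pulled into base for every confined program.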
From: Christian Boltz Date: Tue, 13 Jul 2021 20:44:19 +0200 Subject: [PATCH 2/4] move @{PROC}/sys/crypto/* permissions from base to crypto --- profiles/apparmor.d/abstractions/base | 3 --- profiles/apparmor.d/abstractions/crypto | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base index 4853bef50..a03be4b07 100644 --- a/profiles/apparmor.d/abstractions/base +++ b/profiles/apparmor.d/abstractions/base @@ -105,9 +105,6 @@ # glibc's *printf protections read the maps file @{PROC}/@{pid}/{maps,auxv,status} r, - # libgcrypt reads some flags from /proc - @{PROC}/sys/crypto/* r, - # some applications will display license information /usr/share/common-licenses/** r, diff --git a/profiles/apparmor.d/abstractions/crypto b/profiles/apparmor.d/abstractions/crypto index 1000c919d..a8e824f3c 100644 --- a/profiles/apparmor.d/abstractions/crypto +++ b/profiles/apparmor.d/abstractions/crypto @@ -15,4 +15,7 @@ @{etc_ro}/gcrypt/random.conf r, + # libgcrypt reads some flags from /proc + @{PROC}/sys/crypto/* r, + include if exists From ba8087927f78dddc170f8c58a7cb6198c9f121eb Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Tue, 13 Jul 2021 20:49:27 +0200 Subject: [PATCH 3/4] Move crypto-policies rules from ssl_certs to crypto No additional include rule needed since crypto is included in base. --- profiles/apparmor.d/abstractions/crypto | 4 ++++ profiles/apparmor.d/abstractions/ssl_certs | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/profiles/apparmor.d/abstractions/crypto b/profiles/apparmor.d/abstractions/crypto index a8e824f3c..5cdd133cd 100644 --- a/profiles/apparmor.d/abstractions/crypto +++ b/profiles/apparmor.d/abstractions/crypto @@ -18,4 +18,8 @@ # libgcrypt reads some flags from /proc @{PROC}/sys/crypto/* r, + # crypto policies used by various libraries + /etc/crypto-policies/*/*.txt r, + /usr/share/crypto-policies/*/*.txt r, + include if exists 
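Review bot: Moving the crypto-policies rules into crypto relies on every consumer of ssl_certs also including base, which the commit message asserts but nothing in the hunk enforces; a profile that includes ssl_certs without base (or with an older, locally pinned copy of base) silently loses read access to `/etc/crypto-policies/*/*.txt` and `/usr/share/crypto-policies/*/*.txt` and will start logging denials. Consider keeping an `include <abstractions/crypto>` in ssl_certs in place of the removed rules; duplicate rules reached via base merge harmlessly, and the abstraction then stays self-sufficient. The widening itself is read-only access to policy text that is world-readable anyway, so pulling it into base is a reasonable trade; the implicit dependency is the part that deserves a comment.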
diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs index b6ba6c0c7..57d0f41a2 100644 --- a/profiles/apparmor.d/abstractions/ssl_certs +++ b/profiles/apparmor.d/abstractions/ssl_certs @@ -41,9 +41,5 @@ /etc/certbot/archive/*/chain*.pem r, /etc/certbot/archive/*/fullchain*.pem r, - # crypto policies used by various libraries - /etc/crypto-policies/*/*.txt r, - /usr/share/crypto-policies/*/*.txt r, - # Include additions to the abstraction include if exists From b5241282e87c65437a81bcb8da37bb3596f16804 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Tue, 13 Jul 2021 21:05:34 +0200 Subject: [PATCH 4/4] move @{PROC}/sys/crypto/fips_enabled r, rule ... from openssl to crypto abstraction --- profiles/apparmor.d/abstractions/crypto | 1 + profiles/apparmor.d/abstractions/openssl | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/profiles/apparmor.d/abstractions/crypto b/profiles/apparmor.d/abstractions/crypto index 5cdd133cd..83676003d 100644 --- a/profiles/apparmor.d/abstractions/crypto +++ b/profiles/apparmor.d/abstractions/crypto @@ -14,6 +14,7 @@ abi , @{etc_ro}/gcrypt/random.conf r, + @{PROC}/sys/crypto/fips_enabled r, # libgcrypt reads some flags from /proc @{PROC}/sys/crypto/* r, diff --git a/profiles/apparmor.d/abstractions/openssl b/profiles/apparmor.d/abstractions/openssl index 7dec53bf8..8ed90bc25 100644 --- a/profiles/apparmor.d/abstractions/openssl +++ b/profiles/apparmor.d/abstractions/openssl @@ -12,8 +12,6 @@ /etc/ssl/openssl.cnf r, /usr/share/ssl/openssl.cnf r, - @{PROC}/sys/crypto/fips_enabled r, - # Include additions to the abstraction include if exists
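Review bot: The added `@{PROC}/sys/crypto/fips_enabled r,` is already matched by `@{PROC}/sys/crypto/* r,` three lines below it in the same file, so the new rule is redundant, and its placement above the libgcrypt comment reads as if it were a separate, unexplained grant. Either drop the explicit line and let the wildcard carry it, or keep it deliberately and say so: `# openssl checks FIPS mode here (also covered by the wildcard below)`. As with the ssl_certs move, a profile that includes openssl without base loses this access after the pure removal in the openssl hunk; that dependency on base is worth a sentence in the commit message or a retained include in openssl.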