Compare commits
103 Commits
v4.0.0-bet
...
v4.0.2
84a6bc1b6d | ||
|
9f849247b9 | ||
|
3fe2d323fc | ||
|
f0f7420f6c | ||
|
efef7d1b28 | ||
|
d61109d47e | ||
|
113ce2cfcd | ||
|
af7a10b5d9 | ||
|
4bb134e4bb | ||
|
4569381ec3 | ||
|
73a29ade16 | ||
|
d8e17207e8 | ||
|
0f51513a11 | ||
|
a07a8e69e0 | ||
|
24a0ebb5ef | ||
|
0310a122d4 | ||
|
6cad7b889e | ||
|
e2aff72f53 | ||
|
046fe9c1bd | ||
|
e4e60f1a4f | ||
|
ae01582798 | ||
|
98a0a2fee9 | ||
|
aada708bc1 | ||
|
dca6ac3b73 | ||
|
9d1388fdb6 | ||
|
a8637a5aa1 | ||
|
a866d77e72 | ||
|
527205bda9 | ||
|
e3be2e52ea | ||
|
d1311cc93f | ||
|
2a3cf471ab | ||
|
c31da2ec55 | ||
|
e8b2597676 | ||
|
6dee9d0a6a | ||
|
aa74b9b12d | ||
|
9ec5134322 | ||
|
fcd02fb69b | ||
|
1f4bba0448 | ||
|
af88a13712 | ||
|
8e74855531 | ||
|
951ea5b2fb | ||
|
eee50538da | ||
|
86be5d35f3 | ||
|
b7f9b66cba | ||
|
6d1e5dbbe6 | ||
|
f1173379ff | ||
|
b0eb95457b | ||
|
5ad4efec50 | ||
|
a635a86e1d | ||
|
c8e25e4689 | ||
|
68dd052873 | ||
|
4cef932170 | ||
|
8108a217a3 | ||
|
2284e99613 | ||
|
f763c44cd0 | ||
|
1d36e1f196 | ||
|
22ee6c19bc | ||
|
6198edb3d0 | ||
|
4d2a171466 | ||
|
e88cf3cd02 | ||
|
6f856dfee3 | ||
|
a6d8171bd6 | ||
|
26e7249f44 | ||
|
117d0cc444 | ||
|
1c7127d30d | ||
|
d111ddcc21 | ||
|
fa26623e6d | ||
|
451bb8b235 | ||
|
6e46631b6f | ||
|
f9527d2113 | ||
|
9dc2f48773 | ||
|
2fc80487f7 | ||
|
c87969b37c | ||
|
b68bb18860 | ||
|
c47789340a | ||
|
e23a3eeba5 | ||
|
d0fadc48cf | ||
|
aec3f3b22c | ||
|
101651c88f | ||
|
efc2ec5fdd | ||
|
b01b9895e7 | ||
|
a0a0c88d9e | ||
|
63676459c4 | ||
|
9ed04cb01e | ||
|
2a885872a3 | ||
|
989501428e | ||
|
25f21a0758 | ||
|
022af9c528 | ||
|
9a1838016c | ||
|
f4c19acfba | ||
|
dac9d08764 | ||
|
243162ca29 | ||
|
ae978c1953 | ||
|
d19db55a37 | ||
|
e3d381cf91 | ||
|
aa69d9adc9 | ||
|
3d1dedfa7e | ||
|
f27b1ef93a | ||
|
18d6a917f8 | ||
|
d1d39d176e | ||
|
2d654477f2 | ||
|
66dc2cc7d0 | ||
|
021c3248f9 |
4
.gitignore
vendored
4
.gitignore
vendored
@@ -266,8 +266,8 @@ tests/regression/apparmor/mmap
|
||||
tests/regression/apparmor/mount
|
||||
tests/regression/apparmor/move_mount
|
||||
tests/regression/apparmor/named_pipe
|
||||
tests/regression/apparmor/net_finegrained_rcv
|
||||
tests/regression/apparmor/net_finegrained_snd
|
||||
tests/regression/apparmor/net_inet_rcv
|
||||
tests/regression/apparmor/net_inet_snd
|
||||
tests/regression/apparmor/net_raw
|
||||
tests/regression/apparmor/open
|
||||
tests/regression/apparmor/openat
|
||||
|
@@ -112,7 +112,7 @@ shellcheck:
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
script:
|
||||
- apt-get install --no-install-recommends -y file shellcheck xmlstarlet
|
||||
- apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
|
||||
- shellcheck --version
|
||||
- './tests/bin/shellcheck-tree --format=checkstyle
|
||||
| xmlstarlet tr tests/checkstyle2junit.xslt
|
||||
|
@@ -1 +1 @@
|
||||
4.0.0~beta2
|
||||
4.0.2
|
||||
|
@@ -93,7 +93,7 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
|
||||
fi
|
||||
|
||||
m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
|
||||
EXTRA_CFLAGS="-Wall $(EXTRA_WARNINGS) -fPIC"
|
||||
EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
|
||||
AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
|
||||
AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
|
||||
[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
|
||||
|
@@ -32,10 +32,10 @@ INCLUDES = $(all_includes)
|
||||
#
|
||||
# After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
|
||||
|
||||
AA_LIB_CURRENT = 18
|
||||
AA_LIB_REVISION = 1
|
||||
AA_LIB_AGE = 17
|
||||
EXPECTED_SO_NAME = libapparmor.so.1.17.1
|
||||
AA_LIB_CURRENT = 19
|
||||
AA_LIB_REVISION = 0
|
||||
AA_LIB_AGE = 18
|
||||
EXPECTED_SO_NAME = libapparmor.so.1.18.0
|
||||
|
||||
SUFFIXES = .pc.in .pc
|
||||
|
||||
|
@@ -157,9 +157,13 @@ key_capname "capname"
|
||||
key_offset "offset"
|
||||
key_target "target"
|
||||
key_laddr "laddr"
|
||||
key_saddr "saddr"
|
||||
key_faddr "faddr"
|
||||
key_daddr "daddr"
|
||||
key_lport "lport"
|
||||
key_srcport "src"
|
||||
key_fport "fport"
|
||||
key_destport "dest"
|
||||
key_bus "bus"
|
||||
key_dest "dest"
|
||||
key_path "path"
|
||||
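Review bot: `key_destport "dest"` defines the same literal as `key_dest "dest"` two lines below, so the two names are indistinguishable to flex and only rule order (or a different start condition) decides which action fires. The `{key_destport}` rule added in the rules hunk at L407–L447 returns TOK_KEY_FPORT, while the `{key_dest}` rule is not visible here; unless they live in separate start conditions, whichever appears first in the rules section will shadow the other and either the dbus `dest=` field or the network `dest=` port will be mis-tokenized — please confirm against the full rules section. If the grammar is intended to accept one token for both uses, a comment on the definition such as `/* "dest" is shared with the dbus dest key; disambiguated by the grammar */` would document that.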
@@ -351,9 +355,13 @@ yy_flex_debug = 0;
|
||||
{key_offset} { return(TOK_KEY_OFFSET); }
|
||||
{key_target} { return(TOK_KEY_TARGET); }
|
||||
{key_laddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
|
||||
{key_saddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
|
||||
{key_faddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
|
||||
{key_daddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
|
||||
{key_lport} { return(TOK_KEY_LPORT); }
|
||||
{key_srcport} { return(TOK_KEY_LPORT); }
|
||||
{key_fport} { return(TOK_KEY_FPORT); }
|
||||
{key_destport} { return(TOK_KEY_FPORT); }
|
||||
{key_bus} { return(TOK_KEY_BUS); }
|
||||
{key_path} { return(TOK_KEY_PATH); }
|
||||
{key_interface} { return(TOK_KEY_INTERFACE); }
|
||||
|
@@ -14,7 +14,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
|
||||
|
||||
all-local: libapparmor_wrap.c setup.py
|
||||
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
|
||||
CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
|
||||
CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
|
||||
|
||||
install-exec-local:
|
||||
$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"
|
||||
|
@@ -1,4 +1,4 @@
|
||||
/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
|
||||
mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
|
||||
mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
|
||||
|
||||
}
|
||||
|
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"
|
@@ -0,0 +1,14 @@
|
||||
START
|
||||
File: testcase_mount_02.in
|
||||
Event type: AA_RECORD_ALLOWED
|
||||
Audit ID: 1715045678.914:344186
|
||||
Operation: mount
|
||||
Profile: steam
|
||||
Name: /newroot/dev/
|
||||
Command: srt-bwrap
|
||||
Info: failed flags match
|
||||
ErrorCode: 13
|
||||
PID: 26487
|
||||
Flags: rw, nosuid, nodev, remount, bind, silent, relatime
|
||||
Epoch: 1715045678
|
||||
Audit subid: 344186
|
@@ -0,0 +1,4 @@
|
||||
profile steam {
|
||||
mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
|
||||
|
||||
}
|
@@ -440,7 +440,6 @@ install-arch: $(INSTALLDEPS)
|
||||
install-indep: indep
|
||||
install -m 755 -d $(INSTALL_CONFDIR)
|
||||
install -m 644 parser.conf $(INSTALL_CONFDIR)
|
||||
install -m 755 -d ${DESTDIR}/var/lib/apparmor
|
||||
install -m 755 -d $(APPARMOR_BIN_PREFIX)
|
||||
install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
|
||||
install -m 755 profile-load $(APPARMOR_BIN_PREFIX)
|
||||
|
@@ -39,7 +39,7 @@ void all_rule::add_implied_rules(Profile &prof)
|
||||
prefix_rule_t *rule;
|
||||
const prefixes *prefix = this;
|
||||
|
||||
rule = new unix_rule(0, audit, rule_mode);
|
||||
rule = new unix_rule(0xffffffff, audit, rule_mode);
|
||||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
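Review bot: The new `unix_rule(0xffffffff, audit, rule_mode)` passes the permission mask as a bare literal, whereas the matching mnt_rule fix in the next hunk (L606–L630) uses the named flag `AA_MAY_MOUNT`. A named mask, or at least a comment such as `/* 'all' implies every unix socket permission */`, would make the intent explicit and keep the two implied rules readable side by side. add_implied_rules starts before this hunk and continues past it.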
@@ -67,7 +67,7 @@ void all_rule::add_implied_rules(Profile &prof)
|
||||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
rule = new mnt_rule(NULL, NULL, NULL, NULL, 0);
|
||||
rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_MOUNT);
|
||||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
|
@@ -29,8 +29,6 @@
|
||||
class all_rule: public prefix_rule_t {
|
||||
void move_conditionals(struct cond_entry *conds);
|
||||
public:
|
||||
char *label;
|
||||
|
||||
all_rule(void): prefix_rule_t(RULE_TYPE_ALL) { }
|
||||
|
||||
virtual bool valid_prefix(const prefixes &p, const char *&error) {
|
||||
|
@@ -148,7 +148,14 @@ B<CAPABILITY LIST> = ( I<CAPABILITY> )+
|
||||
B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
|
||||
capabilities(7))
|
||||
|
||||
B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
|
||||
B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<NETWORK ACCESS EXPR> ] [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ] [ I<NETWORK LOCAL EXPR> ] [ I<NETWORK PEER EXPR> ]
|
||||
|
||||
B<NETWORK ACCESS EXPR> = ( I<NETWORK ACCESS> | I<NETWORK ACCESS LIST> )
|
||||
|
||||
B<NETWORK ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
|
||||
Some access modes are incompatible with some rules.
|
||||
|
||||
B<NETWORK ACCESS LIST> = '(' I<NETWORK ACCESS> ( [','] I<NETWORK ACCESS> )* ')'
|
||||
|
||||
B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' | 'mctp' ) ','
|
||||
|
||||
@@ -156,6 +163,22 @@ B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )
|
||||
|
||||
B<PROTOCOL> = ( 'tcp' | 'udp' | 'icmp' )
|
||||
|
||||
B<NETWORK LOCAL EXPR> = ( I<NETWORK IP COND> | I<NETWORK PORT COND> )*
|
||||
Each cond can appear at most once.
|
||||
|
||||
B<NETWORK PEER EXPR> = 'peer' '=' '(' ( I<NETWORK IP COND> | I<NETWORK PORT COND> )+ ')'
|
||||
Each cond can appear at most once.
|
||||
|
||||
B<NETWORK IP COND> = 'ip' '=' ( 'none' | I<NETWORK IPV4> | I<NETWORK IPV6> )
|
||||
|
||||
B<NETWORK PORT COND> = 'port' '=' ( I<NETWORK PORT> )
|
||||
|
||||
B<NETWORK IPV4> = IPv4, represented by four 8-bit decimal numbers separated by '.'
|
||||
|
||||
B<NETWORK IPV6> = IPv6, represented by eight groups of four hexadecimal numbers separated by ':'. Shortened representation of contiguous zeros is allowed by using '::'
|
||||
|
||||
B<NETWORK PORT> = 16-bit number ranging from 0 to 65535
|
||||
|
||||
B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> )
|
||||
|
||||
B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ '-E<gt>' [ I<MOUNTPOINT FILEGLOB> ]
|
||||
@@ -912,11 +935,10 @@ and other operations that are typically reserved for the root user.
|
||||
|
||||
=head2 Network Rules
|
||||
|
||||
AppArmor supports simple coarse grained network mediation. The network
|
||||
rule restrict all socket(2) based operations. The mediation done is
|
||||
a coarse-grained check on whether a socket of a given type and family
|
||||
can be created, read, or written. There is no mediation based of port
|
||||
number or protocol beyond tcp, udp, and raw. Network netlink(7) rules may
|
||||
AppArmor supports simple coarse grained network mediation. The
|
||||
network rule restrict all socket(2) based operations. The mediation
|
||||
done is a coarse-grained check on whether a socket of a given type and
|
||||
family can be created, read, or written. Network netlink(7) rules may
|
||||
only specify type 'dgram' and 'raw'.
|
||||
|
||||
AppArmor network rules are accumulated so that the granted network
|
||||
@@ -933,6 +955,48 @@ eg.
|
||||
network inet6 tcp, #allow access to tcp only for inet6 addresses
|
||||
network netlink raw, #allow access to AF_NETLINK SOCK_RAW
|
||||
|
||||
=head3 Network permissions
|
||||
|
||||
Network rule permissions are implied when a rule does not explicitly
|
||||
state an access list. By default if a rule does not have an access
|
||||
list all permissions that are compatible with the specified set of
|
||||
local and peer conditionals are implied.
|
||||
|
||||
The create, bind, listen, shutdown, getattr, setattr, getopt, and
|
||||
setopt permissions are local socket permissions. They are only applied
|
||||
to the local socket and can't be specified in rules that have a peer
|
||||
conditional. The accept permission applies to the combination of a
|
||||
local and peer socket. The connect, send, and receive permissions are
|
||||
peer socket permissions.
|
||||
|
||||
=head3 Mediation of inet/inet6 family
|
||||
|
||||
AppArmor supports fine grained mediation of the inet and inet6
|
||||
families by using the ip and port conditionals. The ip conditional
|
||||
accepts both IPv4 and IPv6 using the regular representation of four
|
||||
octets separated by '.' for IPv4 and eight groups of four hexadecimal
|
||||
numbers separated by ':' for IPv6. Contiguous leading zeros can be
|
||||
replaced by '::' once. On a connected socket, the sender and receiver
|
||||
don't need to be specified in the recvfrom and sendto system calls. In
|
||||
that case, and with unbounded sockets, the IP address is none, or
|
||||
unknown. Unknown or Unbound IP addresses are represented in policy by the
|
||||
'none' keyword. When the ip conditional is omitted, then all IP
|
||||
addresses will be allowed: IPv4, IPv6 and none. If INADDR_ANY or
|
||||
in6addr_any is used, then the ip conditional can be omitted or they
|
||||
can be represented by:
|
||||
|
||||
network ip=::, #allow in6addr_any
|
||||
network ip=0.0.0.0; #allow INADDR_ANY
|
||||
|
||||
The network rules support the specification of local and remote IP
|
||||
addresses and ports.
|
||||
|
||||
network ip=127.0.0.1 port=8080,
|
||||
network peer=(ip=10.139.15.23 port=8081),
|
||||
network ip=fd74:1820:b03a:b361::cf32 peer=(ip=fd74:1820:b03a:b361::a0f9),
|
||||
network port=8080 peer=(port=8081),
|
||||
network ip=127.0.0.1 port=8080 peer=(ip=10.139.15.23 port=8081),
|
||||
|
||||
=head2 Mount Rules
|
||||
|
||||
AppArmor supports mount mediation and allows specifying filesystem types and
|
||||
|
@@ -17,6 +17,8 @@
|
||||
|
||||
APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
|
||||
|
||||
# This function is used in rc.apparmor.functions
|
||||
# shellcheck disable=SC2317
|
||||
aa_action()
|
||||
{
|
||||
echo "$1"
|
||||
@@ -25,36 +27,50 @@ aa_action()
|
||||
return $?
|
||||
}
|
||||
|
||||
# This function is used in rc.apparmor.functions
|
||||
# shellcheck disable=SC2317
|
||||
aa_log_warning_msg()
|
||||
{
|
||||
echo "Warning: $*"
|
||||
}
|
||||
|
||||
# This function is used in rc.apparmor.functions
|
||||
# shellcheck disable=SC2317
|
||||
aa_log_failure_msg()
|
||||
{
|
||||
echo "Error: $*"
|
||||
}
|
||||
|
||||
# This function is used in rc.apparmor.functions
|
||||
# shellcheck disable=SC2317
|
||||
aa_log_action_start()
|
||||
{
|
||||
echo "$@"
|
||||
}
|
||||
|
||||
# This function is used in rc.apparmor.functions
|
||||
# shellcheck disable=SC2317
|
||||
aa_log_action_end()
|
||||
{
|
||||
printf ""
|
||||
}
|
||||
|
||||
# This function is used in rc.apparmor.functions
|
||||
# shellcheck disable=SC2317
|
||||
aa_log_daemon_msg()
|
||||
{
|
||||
echo "$@"
|
||||
}
|
||||
|
||||
# This function is used in rc.apparmor.functions
|
||||
# shellcheck disable=SC2317
|
||||
aa_log_skipped_msg()
|
||||
{
|
||||
echo "Skipped: $*"
|
||||
}
|
||||
|
||||
# This function is used in rc.apparmor.functions
|
||||
# shellcheck disable=SC2317
|
||||
aa_log_end_msg()
|
||||
{
|
||||
printf ""
|
||||
|
@@ -189,6 +189,19 @@ void Node::dump_syntax_tree(ostream &os)
|
||||
* a b c T
|
||||
*
|
||||
*/
|
||||
|
||||
|
||||
static Node *simplify_eps_pair(Node *t)
|
||||
{
|
||||
if (t->is_type(NODE_TYPE_TWOCHILD) &&
|
||||
t->child[0] == &epsnode &&
|
||||
t->child[1] == &epsnode) {
|
||||
t->release();
|
||||
return &epsnode;
|
||||
}
|
||||
return t;
|
||||
}
|
||||
|
||||
static void rotate_node(Node *t, int dir)
|
||||
{
|
||||
// (a | b) | c -> a | (b | c)
|
||||
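Review bot: `simplify_eps_pair` is introduced without a comment describing its contract, and the block comment ending at L1123 documents the rotation cases rather than this helper. A header such as `/* Collapse a two-child node whose children are both epsnode into epsnode, releasing the original node; any other node is returned unchanged. */` would tell readers of rotate_node and normalize_eps (later hunks) why the returned pointer must replace the argument. Whether `release()` is valid for every NODE_TYPE_TWOCHILD node is not visible here and is worth confirming.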
@@ -197,7 +210,9 @@ static void rotate_node(Node *t, int dir)
|
||||
t->child[dir] = left->child[dir];
|
||||
left->child[dir] = left->child[!dir];
|
||||
left->child[!dir] = t->child[!dir];
|
||||
t->child[!dir] = left;
|
||||
|
||||
// check that rotation didn't create (E | E)
|
||||
t->child[!dir] = simplify_eps_pair(left);
|
||||
}
|
||||
|
||||
/* return False if no work done */
|
||||
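Review bot: In rotate_node, `t->child[!dir] = left;` is now immediately overwritten by the added `t->child[!dir] = simplify_eps_pair(left);`, so the earlier assignment is dead. Folding them into the single call avoids a transient state that later edits between the two lines could read by mistake: drop the first and keep `t->child[!dir] = simplify_eps_pair(left); /* also collapses a freshly created (E | E) */`. rotate_node starts before this hunk.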
@@ -209,13 +224,7 @@ int TwoChildNode::normalize_eps(int dir)
|
||||
// Ea -> aE
|
||||
// Test for E | (E | E) and E . (E . E) which will
|
||||
// result in an infinite loop
|
||||
Node *c = child[!dir];
|
||||
if (c->is_type(NODE_TYPE_TWOCHILD) &&
|
||||
&epsnode == c->child[dir] &&
|
||||
&epsnode == c->child[!dir]) {
|
||||
c->release();
|
||||
c = &epsnode;
|
||||
}
|
||||
Node *c = simplify_eps_pair(child[!dir]);
|
||||
child[!dir] = child[dir];
|
||||
child[dir] = c;
|
||||
return 1;
|
||||
|
@@ -192,14 +192,14 @@ int mqueue_rule::gen_policy_re(Profile &prof)
|
||||
return RULE_NOT_SUPPORTED;
|
||||
} else if (qtype == mqueue_sysv && !features_supports_sysv_mqueue) {
|
||||
warn_once(prof.name);
|
||||
// return RULE_NOT_SUPPORTED;
|
||||
return RULE_NOT_SUPPORTED;
|
||||
} else if (qtype == mqueue_unspecified &&
|
||||
!(features_supports_posix_mqueue ||
|
||||
features_supports_sysv_mqueue)) {
|
||||
warn_once(prof.name);
|
||||
// should split into warning where posix and sysv can
|
||||
// be separated from nothing being enforced
|
||||
// return RULE_NOT_SUPPORTED;
|
||||
return RULE_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
/* always generate a label and mqueue entry */
|
||||
@@ -231,10 +231,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
|
||||
/* store perms at name match so label doesn't need
|
||||
* to be checked
|
||||
*/
|
||||
if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, parseopts, false))
|
||||
if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
|
||||
goto fail;
|
||||
/* also provide label match with perm */
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, parseopts, false))
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
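Review bot: `map_mqueue_perms(perms)` is now evaluated twice on each add_rule_vec call in this hunk and again in the hunk at L1337–L1373, lengthening already long lines and leaving the policy mask and the audit mask free to drift apart. Computing it once before the calls, `perms_t mapped = map_mqueue_perms(perms);`, and passing `mapped` and `audit == AUDIT_FORCE ? mapped : 0` keeps the two masks identical by construction. gen_policy_re starts before this hunk and continues past it.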
@@ -266,10 +266,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
|
||||
}
|
||||
|
||||
if (perms & AA_VALID_SYSV_MQ_PERMS) {
|
||||
if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, parseopts, false))
|
||||
if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
|
||||
goto fail;
|
||||
/* also provide label match with perm */
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, parseopts, false))
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
@@ -52,13 +52,13 @@
|
||||
* kernel doesn't allow for us to control
|
||||
* - posix
|
||||
* - notify
|
||||
* - getattr/setattr
|
||||
* - labels at anything other than mqueue label, via mqueue inode.
|
||||
*/
|
||||
|
||||
#define AA_VALID_POSIX_MQ_PERMS (AA_MQUEUE_WRITE | AA_MQUEUE_READ | \
|
||||
AA_MQUEUE_CREATE | AA_MQUEUE_DELETE | \
|
||||
AA_MQUEUE_OPEN)
|
||||
AA_MQUEUE_OPEN | \
|
||||
AA_MQUEUE_SETATTR | AA_MQUEUE_GETATTR)
|
||||
|
||||
/* TBD - for now make it wider than posix */
|
||||
#define AA_VALID_SYSV_MQ_PERMS (AA_MQUEUE_WRITE | AA_MQUEUE_READ | \
|
||||
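Review bot: The block comment directly above (L1379–L1394) still lists `getattr/setattr` among the things the kernel does not let the parser control, yet this hunk adds `AA_MQUEUE_SETATTR | AA_MQUEUE_GETATTR` to AA_VALID_POSIX_MQ_PERMS. If kernel support for these has landed, the `* - getattr/setattr` bullet should be dropped or narrowed (e.g. `* - getattr/setattr on sysv queues`) so the header does not contradict the mask; if it has not, accepting the perms here lets a policy author write permissions that are not enforced. Please confirm which case applies and adjust the comment accordingly.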
@@ -78,6 +78,11 @@ typedef enum mqueue_type {
|
||||
mqueue_sysv
|
||||
} mqueue_type;
|
||||
|
||||
static inline uint32_t map_mqueue_perms(uint32_t mask)
|
||||
{
|
||||
return (mask & 0x7f) |
|
||||
((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8));
|
||||
}
|
||||
|
||||
int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail);
|
||||
|
||||
|
@@ -252,6 +252,19 @@ const char *net_find_af_name(unsigned int af)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const char *net_find_protocol_name(unsigned int protocol)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < sizeof(network_mappings) / sizeof(*network_mappings); i++) {
|
||||
if (network_mappings[i].protocol == protocol) {
|
||||
return network_mappings[i].protocol_name;
|
||||
}
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const struct network_tuple *net_find_mapping(const struct network_tuple *map,
|
||||
const char *family,
|
||||
const char *type,
|
||||
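Review bot: `net_find_protocol_name` is added without a comment, although it is the counterpart of net_find_af_name just above it. A one-liner such as `/* Return the protocol_name of the first network_mappings entry whose protocol number matches, or NULL. */` would also record that the lookup is by number alone, so families that share a protocol number get the first entry's name. If callers may pass the 0xFFFFFFFF "any" value used in later hunks, noting that it yields NULL would help readers of dump().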
@@ -331,8 +344,8 @@ bool parse_port_number(const char *port_entry, uint16_t *port) {
|
||||
char *eptr;
|
||||
unsigned long port_tmp = strtoul(port_entry, &eptr, 10);
|
||||
|
||||
if (port_tmp >= 0 && port_entry != eptr &&
|
||||
*eptr == '\0' && port_tmp <= UINT16_MAX) {
|
||||
if (port_entry != eptr && *eptr == '\0' &&
|
||||
port_tmp <= UINT16_MAX) {
|
||||
*port = port_tmp;
|
||||
return true;
|
||||
}
|
||||
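Review bot: Dropping the always-true `port_tmp >= 0` test is correct, but strtoul still accepts leading whitespace and a sign, so inputs such as ` 80`, `+80` or `-0` pass the remaining checks. If the policy grammar means a port to be a bare digit string, reject anything not starting with a digit before the conversion, e.g. `if (*port_entry < '0' || *port_entry > '9') return false;`. parse_port_number continues past this hunk.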
@@ -347,6 +360,10 @@ bool network_rule::parse_port(ip_conds &entry)
|
||||
|
||||
bool network_rule::parse_address(ip_conds &entry)
|
||||
{
|
||||
if (strcmp(entry.sip, "none") == 0) {
|
||||
entry.is_none = true;
|
||||
return true;
|
||||
}
|
||||
entry.is_ip = true;
|
||||
return parse_ip(entry.sip, &entry.ip);
|
||||
}
|
||||
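Review bot: On the `none` branch parse_address sets `entry.is_none` but leaves `entry.is_ip` untouched, so the two flags are only mutually exclusive if ip_conds is zero-initialised by its owner, which is not visible here. Setting both explicitly, `entry.is_none = true; entry.is_ip = false;` on this path and the converse on the ip path, makes the state independent of the initialiser. The later gen_ip_conds hunk tests `entry.is_ip && entry.is_none` together, which suggests the two are expected to be exclusive.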
@@ -374,30 +391,45 @@ void network_rule::move_conditionals(struct cond_entry *conds, ip_conds &ip_cond
|
||||
}
|
||||
}
|
||||
|
||||
void network_rule::set_netperm(unsigned int family, unsigned int type)
|
||||
void network_rule::set_netperm(unsigned int family, unsigned int type, unsigned int protocol)
|
||||
{
|
||||
if (type > SOCK_PACKET) {
|
||||
/* setting mask instead of a bit */
|
||||
network_perms[family] |= type;
|
||||
network_perms[family].first |= type;
|
||||
} else
|
||||
network_perms[family] |= 1 << type;
|
||||
network_perms[family].first |= 1 << type;
|
||||
network_perms[family].second |= protocol;
|
||||
}
|
||||
|
||||
network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds):
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8)
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
||||
{
|
||||
size_t family_index;
|
||||
for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
|
||||
network_map[family_index].push_back({ family_index, 0xFFFFFFFF, 0xFFFFFFFF });
|
||||
set_netperm(family_index, 0xFFFFFFFF);
|
||||
}
|
||||
size_t family_index, i;
|
||||
|
||||
move_conditionals(conds, local);
|
||||
move_conditionals(peer_conds, peer);
|
||||
free_cond_list(conds);
|
||||
free_cond_list(peer_conds);
|
||||
|
||||
if (has_local_conds() || has_peer_conds()) {
|
||||
const char *family[] = { "inet", "inet6" };
|
||||
for (i = 0; i < sizeof(family)/sizeof(family[0]); i++) {
|
||||
const struct network_tuple *mapping = NULL;
|
||||
while ((mapping = net_find_mapping(mapping, family[i], NULL, NULL))) {
|
||||
network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
|
||||
set_netperm(mapping->family, mapping->type, mapping->protocol);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
|
||||
network_map[family_index].push_back({ family_index, 0xFFFFFFFF, 0xFFFFFFFF });
|
||||
set_netperm(family_index, 0xFFFFFFFF, 0xFFFFFFFF);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
if (perms_p) {
|
||||
perms = perms_p;
|
||||
if (perms & ~AA_VALID_NET_PERMS)
|
||||
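Review bot: `network_perms[family].second |= protocol;` in set_netperm treats the protocol number as a bitmask, but IPPROTO values are ordinal rather than single bits, so a family that receives several mappings ends up holding the OR of unrelated numbers instead of a set, and `net_find_protocol_name` in the dump hunk will then print a name for the wrong protocol or a bare number. If network_perms is consumed only by dump() this is a misleading debug output; if it also feeds policy encoding it would merge protocols, so please confirm which. The 0xFFFFFFFF "any" value survives the OR, so the unconditional branch is unaffected. The constructor starting at L1625 continues past this hunk.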
@@ -412,29 +444,45 @@ network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
|
||||
network_rule::network_rule(perms_t perms_p, const char *family, const char *type,
|
||||
const char *protocol, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds):
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8)
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
||||
{
|
||||
const struct network_tuple *mapping = NULL;
|
||||
while ((mapping = net_find_mapping(mapping, family, type, protocol))) {
|
||||
network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
|
||||
set_netperm(mapping->family, mapping->type);
|
||||
}
|
||||
|
||||
if (type == NULL && network_map.empty()) {
|
||||
while ((mapping = net_find_mapping(mapping, type, family, protocol))) {
|
||||
network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
|
||||
set_netperm(mapping->family, mapping->type);
|
||||
}
|
||||
}
|
||||
|
||||
if (network_map.empty())
|
||||
yyerror(_("Invalid network entry."));
|
||||
|
||||
move_conditionals(conds, local);
|
||||
move_conditionals(peer_conds, peer);
|
||||
free_cond_list(conds);
|
||||
free_cond_list(peer_conds);
|
||||
|
||||
while ((mapping = net_find_mapping(mapping, family, type, protocol))) {
|
||||
/* if inet conds and family are specified, fail if
|
||||
* family is not af_inet or af_inet6
|
||||
*/
|
||||
if ((has_local_conds() || has_peer_conds()) &&
|
||||
mapping->family != AF_INET && mapping->family != AF_INET6) {
|
||||
yyerror("network family does not support local or peer conditionals\n");
|
||||
}
|
||||
network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
|
||||
set_netperm(mapping->family, mapping->type, mapping->protocol);
|
||||
}
|
||||
|
||||
if (type == NULL && network_map.empty()) {
|
||||
while ((mapping = net_find_mapping(mapping, type, family, protocol))) {
|
||||
/* if inet conds and type/protocol are
|
||||
* specified, only add rules for af_inet and
|
||||
* af_inet6
|
||||
*/
|
||||
if ((has_local_conds() || has_peer_conds()) &&
|
||||
mapping->family != AF_INET && mapping->family != AF_INET6)
|
||||
continue;
|
||||
|
||||
network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
|
||||
set_netperm(mapping->family, mapping->type, mapping->protocol);
|
||||
}
|
||||
}
|
||||
|
||||
if (network_map.empty())
|
||||
yyerror(_("Invalid network entry."));
|
||||
|
||||
if (perms_p) {
|
||||
perms = perms_p;
|
||||
if (perms & ~AA_VALID_NET_PERMS)
|
||||
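Review bot: The new `yyerror("network family does not support local or peer conditionals\n")` is not wrapped in `_()` and carries a trailing newline, unlike `yyerror(_("Invalid network entry."))` a few lines below in the same hunk; `yyerror(_("network family does not support local or peer conditionals"));` keeps the two messages consistent. Note also that this loop reports the error and then still pushes the mapping, while the type-first loop below `continue`s silently for the same condition; that only matters if yyerror can return, which is not visible here. The constructor's body continues past this hunk.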
@@ -447,10 +495,10 @@ network_rule::network_rule(perms_t perms_p, const char *family, const char *type
|
||||
}
|
||||
|
||||
network_rule::network_rule(perms_t perms_p, unsigned int family, unsigned int type):
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8)
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
||||
{
|
||||
network_map[family].push_back({ family, type, 0xFFFFFFFF });
|
||||
set_netperm(family, type);
|
||||
set_netperm(family, type, 0xFFFFFFFF);
|
||||
|
||||
if (perms_p) {
|
||||
perms = perms_p;
|
||||
@@ -479,7 +527,8 @@ ostream &network_rule::dump(ostream &os)
|
||||
|
||||
for (const auto& perm : network_perms) {
|
||||
unsigned int family = perm.first;
|
||||
unsigned int type = perm.second;
|
||||
unsigned int type = perm.second.first;
|
||||
unsigned int protocol = perm.second.second;
|
||||
|
||||
const char *family_name = net_find_af_name(family);
|
||||
if (family_name)
|
||||
@@ -507,6 +556,12 @@ ostream &network_rule::dump(ostream &os)
|
||||
os << " #" << std::hex << (type & mask);
|
||||
|
||||
printf(" }");
|
||||
|
||||
const char *protocol_name = net_find_protocol_name(protocol);
|
||||
if (protocol_name)
|
||||
os << " " << protocol_name;
|
||||
else
|
||||
os << " #" << protocol;
|
||||
}
|
||||
|
||||
os << ",\n";
|
||||
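Review bot: The new protocol output is written to `os`, while the line immediately above still emits the closing brace with `printf(" }")`, so one rule's dump is split between the stream and stdout and the brace can land out of order whenever os is not stdout. Changing that line to `os << " }";` keeps the existing and the new output on one stream. Also, `os` is left in std::hex by the type output earlier in dump(), so the fallback `os << " #" << protocol` prints the number in hex; that matches the type fallback but deserves a short comment so nobody reads it as decimal.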
@@ -531,14 +586,14 @@ std::string gen_ip_cond(const struct ip_address ip)
|
||||
int i;
|
||||
if (ip.family == AF_INET) {
|
||||
/* add a byte containing the size of the following ip */
|
||||
oss << "\\x04";
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV4_SIZE;
|
||||
|
||||
u8 *byte = (u8 *) &ip.address.address_v4; /* in network byte order */
|
||||
for (i = 0; i < 4; i++)
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(byte[i]);
|
||||
} else {
|
||||
/* add a byte containing the size of the following ip */
|
||||
oss << "\\x10";
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV6_SIZE;
|
||||
for (i = 0; i < 16; ++i)
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(ip.address.address_v6[i]);
|
||||
}
|
||||
@@ -557,48 +612,114 @@ std::string gen_port_cond(uint16_t port)
|
||||
return oss.str();
|
||||
}
|
||||
|
||||
void network_rule::gen_ip_conds(std::ostringstream &oss, ip_conds entry, bool is_peer, bool is_cmd)
|
||||
std::list<std::ostringstream> gen_all_ip_options(std::ostringstream &oss) {
|
||||
|
||||
std::list<std::ostringstream> all_streams;
|
||||
std::ostringstream none, ipv4, ipv6;
|
||||
int i;
|
||||
none << oss.str();
|
||||
ipv4 << oss.str();
|
||||
ipv6 << oss.str();
|
||||
|
||||
none << "\\x" << std::setfill('0') << std::setw(2) << std::hex << NONE_SIZE;
|
||||
|
||||
/* add a byte containing the size of the following ip */
|
||||
ipv4 << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV4_SIZE;
|
||||
for (i = 0; i < 4; i++)
|
||||
ipv4 << ".";
|
||||
|
||||
/* add a byte containing the size of the following ip */
|
||||
ipv6 << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV6_SIZE;
|
||||
for (i = 0; i < 16; ++i)
|
||||
ipv6 << ".";
|
||||
|
||||
all_streams.push_back(std::move(none));
|
||||
all_streams.push_back(std::move(ipv4));
|
||||
all_streams.push_back(std::move(ipv6));
|
||||
|
||||
return all_streams;
|
||||
}
|
||||
|
||||
std::list<std::ostringstream> copy_streams_list(std::list<std::ostringstream> &streams)
|
||||
{
|
||||
/* encode protocol */
|
||||
if (!is_cmd) {
|
||||
if (entry.is_ip) {
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((entry.ip.family & 0xff00) >> 8);
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (entry.ip.family & 0xff);
|
||||
std::list<std::ostringstream> streams_copy;
|
||||
for (auto &oss : streams) {
|
||||
std::ostringstream oss_copy(oss.str());
|
||||
streams_copy.push_back(std::move(oss_copy));
|
||||
}
|
||||
return streams_copy;
|
||||
}
|
||||
|
||||
bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd)
|
||||
{
|
||||
std::string buf;
|
||||
perms_t cond_perms;
|
||||
std::list<std::ostringstream> ip_streams;
|
||||
|
||||
for (auto &oss : streams) {
|
||||
if (entry.is_port && !(entry.is_ip && entry.is_none)) {
|
||||
/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
|
||||
if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
|
||||
oss << "\\x01";
|
||||
else if (is_peer)
|
||||
oss << "\\x02";
|
||||
else
|
||||
oss << "\\x00";
|
||||
|
||||
oss << gen_port_cond(entry.port);
|
||||
} else {
|
||||
oss << "..";
|
||||
/* port type + port number */
|
||||
oss << "...";
|
||||
}
|
||||
}
|
||||
|
||||
if (entry.is_port) {
|
||||
/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
|
||||
if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
|
||||
oss << "\\x01";
|
||||
else if (is_peer)
|
||||
oss << "\\x02";
|
||||
else
|
||||
oss << "\\x00";
|
||||
ip_streams = std::move(streams);
|
||||
streams.clear();
|
||||
|
||||
oss << gen_port_cond(entry.port);
|
||||
} else {
|
||||
/* port type + port number */
|
||||
if (!is_cmd)
|
||||
oss << ".";
|
||||
oss << "..";
|
||||
for (auto &oss : ip_streams) {
|
||||
if (entry.is_ip) {
|
||||
oss << gen_ip_cond(entry.ip);
|
||||
streams.push_back(std::move(oss));
|
||||
} else if (entry.is_none) {
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << NONE_SIZE;
|
||||
streams.push_back(std::move(oss));
|
||||
} else {
|
||||
streams.splice(streams.end(), gen_all_ip_options(oss));
|
||||
}
|
||||
}
|
||||
|
||||
if (entry.is_ip) {
|
||||
oss << gen_ip_cond(entry.ip);
|
||||
} else {
|
||||
/* encode 0 to indicate there's no ip (ip size) */
|
||||
oss << "\\x00";
|
||||
}
|
||||
cond_perms = map_perms(perms);
|
||||
if (!is_cmd && (label || is_peer))
|
||||
cond_perms = (AA_CONT_MATCH << 1);
|
||||
|
||||
oss << "\\-x01"; /* oob separator */
|
||||
oss << default_match_pattern; /* label - not used for now */
|
||||
oss << "\\x00"; /* null transition */
|
||||
for (auto &oss : streams) {
|
||||
oss << "\\x00"; /* null transition */
|
||||
|
||||
buf = oss.str();
|
||||
/* AA_CONT_MATCH mapping (cond_perms) only applies to perms, not audit */
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, cond_perms,
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
|
||||
if (label || is_peer) {
|
||||
if (!is_peer)
|
||||
cond_perms = map_perms(perms);
|
||||
|
||||
oss << default_match_pattern; /* label - not used for now */
|
||||
oss << "\\x00"; /* null transition */
|
||||
|
||||
buf = oss.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, cond_perms,
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mask) {
|
||||
bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol) {
|
||||
std::ostringstream buffer;
|
||||
std::string buf;
|
||||
|
||||
@@ -621,49 +742,87 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
|
||||
return true;
|
||||
}
|
||||
|
||||
if (perms & AA_PEER_NET_PERMS) {
|
||||
gen_ip_conds(buffer, peer, true, false);
|
||||
|
||||
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
|
||||
|
||||
gen_ip_conds(buffer, local, false, true);
|
||||
|
||||
buf = buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
buf = buffer.str();
|
||||
/* create perms need to be generated excluding the rest of the perms */
|
||||
if (perms & AA_NET_CREATE) {
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms & AA_NET_CREATE) | (AA_CONT_MATCH << 1),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms & AA_NET_CREATE) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
}
|
||||
if ((perms & AA_NET_LISTEN) || (perms & AA_NET_OPT)) {
|
||||
gen_ip_conds(buffer, local, false, false);
|
||||
|
||||
if (perms & AA_NET_LISTEN) {
|
||||
std::ostringstream cmd_buffer;
|
||||
cmd_buffer << buffer.str();
|
||||
cmd_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
|
||||
/* length of queue allowed - not used for now */
|
||||
cmd_buffer << "..";
|
||||
buf = cmd_buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
/* encode protocol */
|
||||
if (protocol > 0xffff) {
|
||||
buffer << "..";
|
||||
} else {
|
||||
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((protocol & 0xff00) >> 8);
|
||||
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (protocol & 0xff);
|
||||
}
|
||||
|
||||
if (perms & AA_PEER_NET_PERMS) {
|
||||
std::list<std::ostringstream> streams;
|
||||
std::ostringstream cmd_buffer;
|
||||
|
||||
cmd_buffer << buffer.str();
|
||||
streams.push_back(std::move(cmd_buffer));
|
||||
|
||||
if (!gen_ip_conds(prof, streams, peer, true, false))
|
||||
return false;
|
||||
|
||||
for (auto &oss : streams) {
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
|
||||
}
|
||||
if (perms & AA_NET_OPT) {
|
||||
std::ostringstream cmd_buffer;
|
||||
cmd_buffer << buffer.str();
|
||||
cmd_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
|
||||
/* level - not used for now */
|
||||
cmd_buffer << "..";
|
||||
/* socket mapping - not used for now */
|
||||
cmd_buffer << "..";
|
||||
buf = cmd_buffer.str();
|
||||
|
||||
if (!gen_ip_conds(prof, streams, local, false, true))
|
||||
return false;
|
||||
}
|
||||
|
||||
std::list<std::ostringstream> streams;
|
||||
std::ostringstream common_buffer;
|
||||
|
||||
common_buffer << buffer.str();
|
||||
streams.push_back(std::move(common_buffer));
|
||||
|
||||
if (!gen_ip_conds(prof, streams, local, false, false))
|
||||
return false;
|
||||
|
||||
if (perms & AA_NET_LISTEN) {
|
||||
std::list<std::ostringstream> cmd_streams;
|
||||
cmd_streams = copy_streams_list(streams);
|
||||
|
||||
for (auto &cmd_buffer : streams) {
|
||||
std::ostringstream listen_buffer;
|
||||
listen_buffer << cmd_buffer.str();
|
||||
listen_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
|
||||
/* length of queue allowed - not used for now */
|
||||
listen_buffer << "..";
|
||||
buf = listen_buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (perms & AA_NET_OPT) {
|
||||
std::list<std::ostringstream> cmd_streams;
|
||||
cmd_streams = copy_streams_list(streams);
|
||||
|
||||
for (auto &cmd_buffer : streams) {
|
||||
std::ostringstream opt_buffer;
|
||||
opt_buffer << cmd_buffer.str();
|
||||
opt_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
|
||||
/* level - not used for now */
|
||||
opt_buffer << "..";
|
||||
/* socket mapping - not used for now */
|
||||
opt_buffer << "..";
|
||||
buf = opt_buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -679,17 +838,18 @@ int network_rule::gen_policy_re(Profile &prof)
|
||||
|
||||
for (const auto& perm : network_perms) {
|
||||
unsigned int family = perm.first;
|
||||
unsigned int type = perm.second;
|
||||
unsigned int type = perm.second.first;
|
||||
unsigned int protocol = perm.second.second;
|
||||
|
||||
if (type > 0xffff) {
|
||||
if (!gen_net_rule(prof, family, type))
|
||||
if (!gen_net_rule(prof, family, type, protocol))
|
||||
goto fail;
|
||||
} else {
|
||||
int t;
|
||||
/* generate rules for types that are set */
|
||||
for (t = 0; t < 16; t++) {
|
||||
if (type & (1 << t)) {
|
||||
if (!gen_net_rule(prof, family, t))
|
||||
if (!gen_net_rule(prof, family, t, protocol))
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
@@ -760,13 +920,27 @@ void network_rule::update_compat_net(void)
|
||||
}
|
||||
}
|
||||
|
||||
static int cmp_network_map(std::unordered_map<unsigned int, perms_t> lhs,
|
||||
std::unordered_map<unsigned int, perms_t> rhs)
|
||||
static int cmp_ip_conds(ip_conds const &lhs, ip_conds const &rhs)
|
||||
{
|
||||
int res = null_strcmp(lhs.sip, rhs.sip);
|
||||
if (res)
|
||||
return res;
|
||||
res = null_strcmp(lhs.sport, rhs.sport);
|
||||
if (res)
|
||||
return res;
|
||||
return lhs.is_none - rhs.is_none;
|
||||
}
|
||||
|
||||
static int cmp_network_map(std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> lhs,
|
||||
std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> rhs)
|
||||
{
|
||||
int res;
|
||||
size_t family_index;
|
||||
for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
|
||||
res = lhs[family_index] - rhs[family_index];
|
||||
res = lhs[family_index].first - rhs[family_index].first;
|
||||
if (res)
|
||||
return res;
|
||||
res = lhs[family_index].second - rhs[family_index].second;
|
||||
if (res)
|
||||
return res;
|
||||
}
|
||||
@@ -779,5 +953,14 @@ int network_rule::cmp(rule_t const &rhs) const
|
||||
if (res)
|
||||
return res;
|
||||
network_rule const &nrhs = rule_cast<network_rule const &>(rhs);
|
||||
return cmp_network_map(network_perms, nrhs.network_perms);
|
||||
res = cmp_network_map(network_perms, nrhs.network_perms);
|
||||
if (res)
|
||||
return res;
|
||||
res = cmp_ip_conds(local, nrhs.local);
|
||||
if (res)
|
||||
return res;
|
||||
res = cmp_ip_conds(peer, nrhs.peer);
|
||||
if (res)
|
||||
return res;
|
||||
return null_strcmp(label, nrhs.label);
|
||||
};
|
||||
|
@@ -26,6 +26,7 @@
|
||||
#include <arpa/inet.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <list>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
@@ -79,6 +80,10 @@
|
||||
#define CMD_LISTEN 2
|
||||
#define CMD_OPT 4
|
||||
|
||||
#define NONE_SIZE 0
|
||||
#define IPV4_SIZE 1
|
||||
#define IPV6_SIZE 2
|
||||
|
||||
struct network_tuple {
|
||||
const char *family_name;
|
||||
unsigned int family;
|
||||
@@ -127,6 +132,8 @@ public:
|
||||
uint16_t port;
|
||||
struct ip_address ip;
|
||||
|
||||
bool is_none = false;
|
||||
|
||||
void free_conds() {
|
||||
if (sip)
|
||||
free(sip);
|
||||
@@ -139,17 +146,18 @@ class network_rule: public dedup_perms_rule_t {
|
||||
void move_conditionals(struct cond_entry *conds, ip_conds &ip_cond);
|
||||
public:
|
||||
std::unordered_map<unsigned int, std::vector<struct aa_network_entry>> network_map;
|
||||
std::unordered_map<unsigned int, perms_t> network_perms;
|
||||
std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> network_perms;
|
||||
|
||||
ip_conds peer;
|
||||
ip_conds local;
|
||||
char *label;
|
||||
|
||||
bool has_local_conds(void) { return local.sip || local.sport; }
|
||||
bool has_peer_conds(void) { return peer.sip || peer.sport; }
|
||||
/* empty constructor used only for the profile to access
|
||||
* static elements to maintain compatibility with
|
||||
* AA_CLASS_NET */
|
||||
network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8) { }
|
||||
network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { }
|
||||
network_rule(perms_t perms_p, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds);
|
||||
network_rule(perms_t perms_p, const char *family, const char *type,
|
||||
@@ -178,9 +186,9 @@ public:
|
||||
}
|
||||
};
|
||||
|
||||
void gen_ip_conds(std::ostringstream &oss, ip_conds entry, bool is_peer, bool is_cmd);
|
||||
bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask);
|
||||
void set_netperm(unsigned int family, unsigned int type);
|
||||
bool gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd);
|
||||
bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol);
|
||||
void set_netperm(unsigned int family, unsigned int type, unsigned int protocol);
|
||||
void update_compat_net(void);
|
||||
bool parse_address(ip_conds &entry);
|
||||
bool parse_port(ip_conds &entry);
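Review bot: `ip_conds` gains `bool is_none = false;` in the `@@ -127` hunk, but `has_local_conds()` and `has_peer_conds()` in the `@@ -139` hunk still test only `sip || sport`, so an `ip=none` condition is considered by `cmp_ip_conds` yet invisible to these helpers whenever `sip` is left NULL for the `none` case (how `none` is stored is not shown here). Either `bool has_local_conds(void) { return local.sip || local.sport || local.is_none; }` (and the same for `peer`), or a comment on `is_none` stating that `none` always leaves `sip` set, would close that gap. The class body continues outside the hunks.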
|
||||
|
@@ -255,9 +255,11 @@ MODES {MODE_CHARS}+
|
||||
WS [[:blank:]]
|
||||
NUMBER [[:digit:]]+
|
||||
|
||||
ID_FIRST_CHARS [^ \t\r\n"!,#]
|
||||
ID_FIRST {ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,|\\#)
|
||||
ID_CHARS [^ \t\r\n"!,]
|
||||
ID {ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,)
|
||||
IDS {ID}+
|
||||
IDS {ID_FIRST}{ID}*
|
||||
INC_ID [^ \t\r\n"!,<>]|(,[^ \t\r\n"!,<>]|\\[ ]|\\\t|\\\"|\\!|\\,)
|
||||
INC_IDS {INC_ID}+
|
||||
POST_VAR_ID_CHARS [^ \t\n"!,]{-}[=\+]
|
||||
@@ -507,6 +509,12 @@ GT >
|
||||
yyerror(_("Variable declarations do not accept trailing commas"));
|
||||
}
|
||||
|
||||
#.*\r?\n { /* normal comment */
|
||||
DUMP_AND_DEBUG("comment(%d): %s\n", current_lineno, yytext);
|
||||
current_lineno++;
|
||||
POP();
|
||||
}
|
||||
|
||||
\\\n { DUMP_PREPROCESS; current_lineno++ ; }
|
||||
|
||||
\r?\n {
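Review bot: `ID_FIRST_CHARS` (the class that excludes `#`) is defined but, as printed here, never referenced: `ID_FIRST` reads `{ID_CHARS}|(...)`, so an unescaped `#` remains a legal first character of an `IDS` token and the split between a value and a trailing `#` comment rests only on the `#.*\r?\n` rule winning flex's longest match. Unless the rendering dropped text, the intended line is `ID_FIRST {ID_FIRST_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,|\\#)`. Separately, the new comment rule requires a newline, so a trailing `#` comment on the last line of a file without one never matches it; a test for that case would be worth adding (the start state enclosing the `@@ -507` hunk begins outside it).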
|
||||
|
@@ -921,7 +921,7 @@ void set_supported_features()
|
||||
"network_v8");
|
||||
features_supports_inet = features_intersect(kernel_features,
|
||||
policy_features,
|
||||
"network/af_inet");
|
||||
"network_v8/af_inet");
|
||||
features_supports_unix = features_intersect(kernel_features,
|
||||
policy_features,
|
||||
"network/af_unix");
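Review bot: The af_inet capability is now looked up under `network_v8/af_inet` while af_unix two lines below stays under `network/af_unix`, and nothing in the code records why the two address families live under different feature prefixes — the previous string looked equally plausible. A comment such as `/* inet conditionals are advertised under the v8 network class; af_unix is still under the legacy "network" class */` (if that is indeed how the kernel exposes them) would stop the next reader from "fixing" it back. Because `features_supports_inet` decides whether inet conditionals are compiled for this kernel, a wrong string silently changes what the loaded policy mediates, so a regression test pinning the lookup against a sample features file would be worthwhile.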
|
||||
|
@@ -1000,41 +1000,46 @@ int process_profile_policydb(Profile *prof)
|
||||
* to be supported
|
||||
*/
|
||||
|
||||
/* note: this activates fs based unix domain sockets mediation on connect */
|
||||
if (kernel_abi_version > 5 &&
|
||||
!prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_mount &&
|
||||
!prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_dbus &&
|
||||
!prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_signal &&
|
||||
!prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_ptrace &&
|
||||
!prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_networkv8 &&
|
||||
!prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_unix &&
|
||||
(!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
|
||||
!prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
|
||||
goto out;
|
||||
if (features_supports_userns &&
|
||||
!prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_posix_mqueue &&
|
||||
!prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_sysv_mqueue &&
|
||||
!prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_io_uring &&
|
||||
!prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
|
||||
/* don't add mediated classes to unconfined profiles */
|
||||
if (prof->flags.mode != MODE_UNCONFINED &&
|
||||
prof->flags.mode != MODE_DEFAULT_ALLOW) {
|
||||
/* note: this activates fs based unix domain sockets mediation on connect */
|
||||
if (kernel_abi_version > 5 &&
|
||||
!prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_mount &&
|
||||
!prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_dbus &&
|
||||
!prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_signal &&
|
||||
!prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_ptrace &&
|
||||
!prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_networkv8 &&
|
||||
!prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_unix &&
|
||||
(!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
|
||||
!prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
|
||||
goto out;
|
||||
if (features_supports_posix_mqueue &&
|
||||
!prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_sysv_mqueue &&
|
||||
!prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
if (features_supports_io_uring &&
|
||||
!prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (prof->policy.rules->rule_count > 0) {
|
||||
int xmatch_len = 0;
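Review bot: In this rendered view the `mediates_ns` rule guarded by `features_supports_userns` appears only among the removed lines and not inside the new `MODE_UNCONFINED`/`MODE_DEFAULT_ALLOW` block; the header counts (41 to 46 lines) suggest the new side holds more lines than are printed here, so it may have been relocated after the block rather than dropped. Either way userns is now treated differently from every other class and that deserves a comment next to it, e.g. `/* userns mediation is added even for unconfined/default-allow profiles, which is how profiles carrying only a userns rule take effect */` if it is kept outside the block, or an explicit note if it was intentionally removed. `process_profile_policydb` starts and ends outside the hunk.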
|
||||
|
@@ -253,13 +253,14 @@ remove_profiles() {
|
||||
retval=0
|
||||
# We filter child profiles as removing the parent will remove
|
||||
# the children
|
||||
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
|
||||
sed -e "s/ (\(enforce\|complain\|unconfined\))$//" "$SFS_MOUNTPOINT/profiles" | \
|
||||
LC_COLLATE=C sort | grep -v // | {
|
||||
while read -r profile ; do
|
||||
printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove"
|
||||
rc=$?
|
||||
if [ "$rc" -ne 0 ] ; then
|
||||
retval=$rc
|
||||
aa_log_failure_msg "Unloading profile '$profile' failed"
|
||||
fi
|
||||
done
|
||||
return "$retval"
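Review bot: The mode-stripping `sed` now enumerates `enforce|complain|unconfined`; if the kernel's `profiles` listing can also report other modes (such as `kill`), those entries keep their ` (mode)` suffix, the write to `.remove` fails and the profile stays loaded, which this function would report only as a failure message. Stripping any parenthesised mode avoids revisiting this each time one is added: `sed -e 's/ ([[:alpha:]]*)$//' "$SFS_MOUNTPOINT/profiles" | \`. The check that `$SFS_MOUNTPOINT/profiles` is readable happens outside the hunk.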
|
||||
|
@@ -643,6 +643,18 @@ verify_binary_equality "attachment slash filtering" \
|
||||
@{FOO}=/foo
|
||||
/t @{BAR}/@{FOO} { }"
|
||||
|
||||
# verify comment at end of variable assignment is not treated as a value
|
||||
verify_binary_equality "comment at end of set var" \
|
||||
"/t { /bin/ r, }" \
|
||||
"@{BAR}=/bin/ #a tail comment
|
||||
/t { @{BAR} r, }"
|
||||
|
||||
verify_binary_equality "value like comment at end of set var" \
|
||||
"/t { /{bin/,#value} r, }" \
|
||||
"@{BAR}=bin/ \#value
|
||||
/t { /@{BAR} r, }"
|
||||
|
||||
|
||||
# This can potentially fail as ideally it requires a better dfa comparison
|
||||
# routine as it can generates hormomorphic dfas. The enumeration of the
|
||||
# dfas dumped will be different, even if the binary is the same
|
||||
|
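--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_85.sd
@@ -0,0 +1,9 @@
+#
+#=Description test globbed destination MR 1195
+#=EXRESULT PASS
+/usr/bin/foo {
+mount options=(rw, make-slave) -> **,
+mount options=(rw) foo -> **,
+mount fstype=tmpfs options=(rw) foo -> **,
+mount -> **,
+}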
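--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_quoted_1.sd
@@ -0,0 +1,9 @@
+#
+#=Description basic mount rules with quoted paths
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+mount "" -> "/",
+mount "" -> "/tmp/",
+umount "/",
+}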
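--- /dev/null
+++ b/parser/tst/simple_tests/network/network_bad_83.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network unix ip=127.0.0.1 port=1234 peer=(ip=127.0.0.1 port=1234),
+
+}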
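--- /dev/null
+++ b/parser/tst/simple_tests/network/network_bad_84.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network netlink ip=127.0.0.1,
+
+}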
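--- /dev/null
+++ b/parser/tst/simple_tests/network/network_bad_85.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network packet peer=(port=1234),
+
+}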
@@ -5,5 +5,7 @@
|
||||
/usr/bin/foo {
|
||||
network inet ip=10.0.2.1 peer=(ip=10.0.2.1),
|
||||
network inet tcp ip=192.168.2.254 peer=(ip=192.168.2.254),
|
||||
network stream ip=192.168.2.254 peer=(ip=192.168.2.254),
|
||||
network raw ip=10.0.2.1 peer=(ip=10.0.2.1),
|
||||
|
||||
}
|
||||
|
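--- /dev/null
+++ b/parser/tst/simple_tests/network/network_ok_44.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION network none ip conditional test
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+network ip=none,
+network peer=(ip=none),
+network inet ip=none peer=(ip=none),
+network inet tcp ip=none peer=(ip=none),
+
+}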
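--- /dev/null
+++ b/parser/tst/simple_tests/regressions/ok_normalize.sd
@@ -0,0 +1,25 @@
+#
+#=Description caused an infinite loop in expr normalization
+#=EXRESULT PASS
+
+# This test triggers an infinite loop bug in expr normalization
+# Note: this test might be able to be reduced more but, each element appears
+# to be required to trigger the bug.
+# that is the initial var assignment, += with the "comment" at the end
+# (which is a separate bug), the expansion in the 2nd variable and then
+# the use of the 2nd variable.
+# This seems to be due to difference in consistency check between expansion
+# at parse time and variable expansion.
+# eg. expanding @{exec_path} manually will result in a failure to parse
+# see: https://gitlab.com/apparmor/apparmor/-/issues/398
+
+@{var}=*-linux-gnu*
+@{var}+=*-suse-linux* #aa:only opensuse
+
+@{exec_path} = /{,@{var}/}t
+
+profile test {
+
+
+@{exec_path} mr,
+}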
@@ -28,6 +28,7 @@
|
||||
owner @{run}/user/*/gdm/Xauthority r,
|
||||
owner @{run}/user/*/X11/Xauthority r,
|
||||
owner @{run}/user/*/xauth_* r,
|
||||
owner /tmp/xauth_?????? r,
|
||||
|
||||
# the unix socket to use to connect to the display
|
||||
/tmp/.X11-unix/* rw,
|
||||
|
@@ -31,6 +31,17 @@
|
||||
/{usr/,}lib/@{multiarch}/security/pam_*.so mr,
|
||||
/{usr/,}lib/@{multiarch}/security/ r,
|
||||
|
||||
# pam_unix
|
||||
owner /proc/@{pid}/loginuid r,
|
||||
/{,usr/}{,s}bin/unix_chkpwd Px,
|
||||
|
||||
# pam_env
|
||||
@{etc_ro}/environment r,
|
||||
|
||||
# pam_limit
|
||||
@{etc_ro}/security/limits.d/ r,
|
||||
@{etc_ro}/security/limits.d/*.conf r,
|
||||
|
||||
# gssapi
|
||||
@{etc_ro}/gss/mech r,
|
||||
@{etc_ro}/gss/mech.d/ r,
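Review bot: `/{,usr/}{,s}bin/unix_chkpwd Px,` makes every profile that includes this abstraction depend on a loaded `unix_chkpwd` profile: with `Px` the exec is denied when no such profile exists, so pam_unix password checks for non-root callers fail rather than fall back. If a `unix_chkpwd` profile ships in the same release (not visible in this view), a comment recording that dependency next to the rule, e.g. `# requires the unix_chkpwd profile to be loaded; Px denies the exec otherwise`, would help packagers who split profiles; if it does not, reconsider whether `PUx` is the intended behaviour here.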
|
||||
|
@@ -13,6 +13,9 @@
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# Global config of openssl
|
||||
include <abstractions/openssl>
|
||||
|
||||
@{etc_ro}/gcrypt/hwf.deny r,
|
||||
@{etc_ro}/gcrypt/random.conf r,
|
||||
@{PROC}/sys/crypto/fips_enabled r,
|
||||
@@ -24,4 +27,8 @@
|
||||
/etc/crypto-policies/*/*.txt r,
|
||||
/usr/share/crypto-policies/*/*.txt r,
|
||||
|
||||
# Global gnutls config
|
||||
@{etc_ro}/gnutls/config r,
|
||||
@{etc_ro}/gnutls/pkcs11.conf r,
|
||||
|
||||
include if exists <abstractions/crypto.d>
|
||||
|
@@ -22,5 +22,18 @@
|
||||
|
||||
owner @{HOME}/.config/fcitx/dbus/* r,
|
||||
|
||||
# Allow access to the Fcitx portal, supported by fcitx/fcitx5
|
||||
dbus (send)
|
||||
bus=session
|
||||
path=/{,org/freedesktop/portal/}inputmethod
|
||||
interface=org.fcitx.Fcitx.InputMethod1
|
||||
member={CreateInputContext,Version}
|
||||
peer=(name=org.freedesktop.portal.Fcitx),
|
||||
|
||||
dbus (send, receive)
|
||||
bus=session
|
||||
path=/{,org/freedesktop/portal/}inputcontext/**
|
||||
interface=org.fcitx.Fcitx.InputContext1,
|
||||
|
||||
# Include additions to the abstraction
|
||||
include if exists <abstractions/fcitx-strict.d>
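Review bot: The new `dbus (send, receive) … interface=org.fcitx.Fcitx.InputContext1,` rule carries no `peer=` constraint, unlike the `CreateInputContext`/`Version` rule above it which pins `peer=(name=org.freedesktop.portal.Fcitx)`, so any session-bus connection may exchange InputContext1 traffic (the interface that carries key events) with the confined application. Splitting it lets the send direction keep the peer, `dbus (send) … interface=org.fcitx.Fcitx.InputContext1 peer=(name=org.freedesktop.portal.Fcitx),`, with a separate `dbus (receive)` rule that can be bound by `peer=(label=…)` if the portal's profile name is known.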
|
||||
|
@@ -50,7 +50,6 @@
|
||||
include <abstractions/kde-icon-cache-write>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/recent-documents-write>
|
||||
include <abstractions/X>
|
||||
|
@@ -116,6 +116,7 @@
|
||||
network netlink raw,
|
||||
|
||||
# interface details
|
||||
@{PROC}/@{pid}/net/ipv6_route r,
|
||||
@{PROC}/@{pid}/net/route r,
|
||||
|
||||
# Include additions to the abstraction
|
||||
|
@@ -12,6 +12,7 @@
|
||||
abi <abi/4.0>,
|
||||
|
||||
/etc/samba/* r,
|
||||
/etc/gnutls/config r,
|
||||
/usr/lib*/ldb/*.so mr,
|
||||
/usr/lib*/ldb2/*.so mr,
|
||||
/usr/lib*/ldb2/modules/ldb/*.so mr,
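Review bot: `/etc/gnutls/config r,` hard-codes `/etc` while the crypto abstraction touched in this same compare uses `@{etc_ro}/gnutls/config r,`; for consistency, and so layouts that relocate read-only configuration keep working, write `@{etc_ro}/gnutls/config r,` here or include `<abstractions/crypto>`, which already grants it.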
|
||||
|
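--- /dev/null
+++ b/profiles/apparmor.d/abstractions/transmission-common
@@ -0,0 +1,153 @@
+# vim:syntax=apparmor
+# LOGPROF-SUGGEST: no
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+include <abstractions/base>
+include <abstractions/freedesktop.org>
+include <abstractions/nameservice>
+include <abstractions/openssl>
+
+network inet dgram,
+network inet6 dgram,
+network netlink dgram,
+network inet stream,
+network inet6 stream,
+
+dbus (bind)
+bus=session
+name=com.transmissionbt.Transmission,
+dbus (bind)
+bus=session
+name=com.transmissionbt.transmission_*,
+
+dbus (receive)
+bus=session
+path=/ca/desrt/dconf/Writer/user
+interface=ca.desrt.dconf.Writer
+member=Notify,
+dbus (send)
+bus=session
+path=/ca/desrt/dconf/Writer/user
+interface=ca.desrt.dconf.Writer
+member=Change
+peer=(name=ca.desrt.dconf),
+
+dbus (receive)
+bus=accessibility
+path=/org/a11y/atspi/accessible/root
+interface=org.freedesktop.DBus.Properties
+member=Set,
+dbus (send)
+bus=accessibility
+path=/org/a11y/atspi/accessible/root
+interface=org.a11y.atspi.Socket
+member=Embed
+peer=(name=org.a11y.atspi.Registry),
+dbus (send)
+bus=accessibility
+path=/org/a11y/atspi/registry
+interface=org.a11y.atspi.Registry
+member=GetRegisteredEvents
+peer=(name=org.a11y.atspi.Registry),
+dbus (send)
+bus=accessibility
+path=/org/a11y/atspi/registry/deviceeventcontroller
+interface=org.a11y.atspi.DeviceEventController
+member={GetDeviceEventListeners,GetKeystrokeListeners}
+peer=(name=org.a11y.atspi.Registry),
+
+dbus (send)
+bus={accessibility,session}
+path=/org/freedesktop/DBus
+interface=org.freedesktop.DBus
+member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName}
+peer=(name=org.freedesktop.DBus),
+dbus (send)
+bus=session
+interface=org.freedesktop.DBus.Introspectable
+path=/StatusNotifierWatcher
+member=Introspect
+peer=(name=org.kde.StatusNotifierWatcher),
+dbus (send)
+bus=session
+interface=org.freedesktop.DBus.Properties
+path=/StatusNotifierWatcher
+member=Get
+peer=(name=org.kde.StatusNotifierWatcher),
+dbus (send)
+bus=session
+interface=org.freedesktop.DBus.Properties
+path=/org/a11y/bus
+member=Get
+peer=(name=org.a11y.Bus),
+dbus (send)
+bus=system
+interface=org.freedesktop.DBus.Properties
+path=/org/freedesktop/hostname1
+member=GetAll,
+
+dbus (send)
+bus=session
+interface=org.freedesktop.Notifications
+path=/org/freedesktop/Notifications
+member={GetCapabilities,Notify},
+
+dbus (send)
+bus=session
+path=/org/gtk/Private/RemoteVolumeMonitor
+interface=org.gtk.Private.RemoteVolumeMonitor
+member={IsSupported,List},
+dbus (send)
+bus=session
+path=/org/gtk/vfs/Daemon
+interface=org.gtk.vfs.Daemon
+member={GetConnection,ListMonitorImplementations},
+dbus (send)
+bus=session
+path=/org/gtk/vfs/mount/[1-9]*
+interface=org.gtk.vfs.Mount
+member={CreateFileMonitor,Enumerate,QueryInfo},
+dbus (receive)
+bus=session
+path=/org/gtk/vfs/mounttracker
+interface=org.gtk.vfs.MountTracker
+member=Mounted,
+dbus (send)
+bus=session
+path=/org/gtk/vfs/mounttracker
+interface=org.gtk.vfs.MountTracker
+member={ListMountableInfo,ListMounts2,LookupMount},
+
+@{PROC}/sys/kernel/random/uuid r,
+
+owner @{PROC}/@{pid}/mountinfo r,
+owner @{PROC}/@{pid}/mounts r,
+
+owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+
+@{etc_ro}/fstab r,
+
+@{system_share_dirs}/hwdata/** r,
+@{system_share_dirs}/lxqt/** r,
+
+owner /tmp/tr_session_id_* rwk,
+
+# allow a top-level directory listing
+@{HOME}/ r,
+
+owner @{HOME}/.cache/transmission/ w,
+owner @{HOME}/.cache/transmission/** rw,
+owner @{HOME}/.config/transmission/ w,
+owner @{HOME}/.config/transmission/** rw,
+
+owner @{HOME}/.config/lxqt/lxqt.conf r,
+
+owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
+owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rw,
+
+# exclude these for now
+deny /usr/share/thumbnailers/ r,
+deny @{HOME}/.local/share/gvfs-metadata/** r,
+deny @{HOME}/.config/lxqt/** rw,
+
+include if exists <abstractions/transmission-common.d>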
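Review bot: Several `dbus (send)` rules in this new abstraction are not bound to a peer — `bus=system … path=/org/freedesktop/hostname1 member=GetAll`, `interface=org.freedesktop.Notifications … member={GetCapabilities,Notify}` and the org.gtk.vfs / RemoteVolumeMonitor rules — whereas the dconf, a11y and StatusNotifierWatcher rules all pin `peer=(name=…)`. On the system bus in particular `peer=(name=org.freedesktop.hostname1)`, and on the session bus `peer=(name=org.freedesktop.Notifications)`, cost nothing and keep the grant to the intended service rather than any connection that exposes that object path. `@{HOME}/ r,` is commented only as "allow a top-level directory listing"; saying which component needs it (a file chooser, presumably) would help reviewers of every profile that includes this file.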
@@ -13,6 +13,8 @@
|
||||
|
||||
# some services update wtmp, utmp, and lastlog with per-user
|
||||
# connection information
|
||||
/var/lib/wtmpdb/ r,
|
||||
/var/lib/wtmpdb/wtmp.db{,-journal} rwlk,
|
||||
/var/log/lastlog rwk,
|
||||
/var/log/wtmp rwk,
|
||||
/var/log/btmp rwk,
|
||||
|
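--- /dev/null
+++ b/profiles/apparmor.d/balena-etcher
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile balena-etcher /usr/lib/balena-etcher/balena-etcher flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/balena-etcher>
+}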
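--- /dev/null
+++ b/profiles/apparmor.d/chromium
@@ -0,0 +1,14 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+@{chromium} = {,ungoogled-}chromium{,-browser}
+
+profile chromium /usr/lib/@{chromium}/@{chromium} flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/chromium>
+}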
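Review bot: `@{chromium}` is used twice in the attachment, and as far as I recall each occurrence of a variable expands independently, so `/usr/lib/@{chromium}/@{chromium}` also matches mixed forms such as `/usr/lib/chromium/ungoogled-chromium-browser` or `/usr/lib/chromium-browser/chromium`. Because the profile is `flags=(unconfined)` and its only effect is to hand `userns` to whatever attaches, the widening is harmless only while none of those extra paths can be populated by an unprivileged user; listing the real install layouts explicitly in the attachment, or adding a comment that the cross-product is accepted deliberately, keeps the grant tied to known binaries.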
@@ -4,7 +4,7 @@
|
||||
abi <abi/4.0>,
|
||||
include <tunables/global>
|
||||
|
||||
profile firefox /usr/lib/firefox{,-esr}/firefox{,-esr} flags=(unconfined) {
|
||||
profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
|
||||
userns,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
|
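--- /dev/null
+++ b/profiles/apparmor.d/foliate
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile foliate /usr/bin/foliate flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/foliate>
+}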
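--- /dev/null
+++ b/profiles/apparmor.d/geary
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile geary /usr/bin/geary flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/geary>
+}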
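--- /dev/null
+++ b/profiles/apparmor.d/goldendict
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile goldendict /usr/bin/goldendict flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/goldendict>
+}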
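--- /dev/null
+++ b/profiles/apparmor.d/kchmviewer
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile kchmviewer /usr/bin/kchmviewer flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/kchmviewer>
+}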
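--- /dev/null
+++ b/profiles/apparmor.d/loupe
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile loupe /usr/bin/loupe flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/loupe>
+}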
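--- /dev/null
+++ b/profiles/apparmor.d/notepadqq
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile notepadqq /{{usr/bin,etc/alternatives}/notepadqq,usr/lib/notepadqq/notepadqq.sh} flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/notepadqq>
+}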
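--- /dev/null
+++ b/profiles/apparmor.d/pageedit
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile pageedit /usr/bin/pageedit flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/pageedit>
+}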
@@ -11,8 +11,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
|
||||
include <abstractions/nameservice>
|
||||
# common php files and support files that php needs
|
||||
include <abstractions/php>
|
||||
# read openssl configuration
|
||||
include <abstractions/openssl>
|
||||
# read the system certificates
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
@@ -38,6 +36,9 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
|
||||
@{run}/php*-fpm.pid rw,
|
||||
@{run}/php{,-fpm}/php*-fpm.sock rwlk,
|
||||
|
||||
# LP: #2061113
|
||||
owner @{run}/systemd/notify w,
|
||||
|
||||
# to reload
|
||||
/usr/sbin/php-fpm* rix,
|
||||
|
||||
|
@@ -17,8 +17,13 @@ profile plasmashell /usr/bin/plasmashell {
|
||||
unix,
|
||||
ptrace,
|
||||
|
||||
/usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
|
||||
# allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues)
|
||||
/usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
|
||||
/usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
|
||||
|
||||
# allow to execute all other programs under their own profile, or to run unconfined
|
||||
/** pux,
|
||||
|
||||
/{,**} mrwlk,
|
||||
|
||||
profile QtWebEngineProcess {
|
||||
|
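Review bot: The two new QtWebEngineProcess rules hard-code the `x86_64-linux-gnu` multiarch triplet, so on any other architecture the renderer falls through to the generic `/** pux,` rule below and runs unconfined instead of under the stacked `plasmashell//QtWebEngineProcess` profile that this hunk is trying to enforce. The `@{multiarch}` tunable is already used elsewhere in this change set (the chromium_browser extras profile), so `/usr/lib/@{multiarch}/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,` keeps the rule portable without widening it. The `profile QtWebEngineProcess {` body continues outside the hunk.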
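--- /dev/null
+++ b/profiles/apparmor.d/privacybrowser
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile privacybrowser /usr/bin/privacybrowser flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/privacybrowser>
+}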
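--- /dev/null
+++ b/profiles/apparmor.d/qmapshack
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile qmapshack /usr/bin/qmapshack flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/qmapshack>
+}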
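--- /dev/null
+++ b/profiles/apparmor.d/qutebrowser
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile qutebrowser /usr/bin/qutebrowser flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/qutebrowser>
+}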
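--- /dev/null
+++ b/profiles/apparmor.d/rssguard
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile rssguard /usr/bin/rssguard flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/rssguard>
+}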
@@ -6,7 +6,6 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
|
||||
include <abstractions/base>
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/samba>
|
||||
|
||||
signal receive set=term peer=smbd,
|
||||
|
@@ -16,12 +16,14 @@ include <tunables/global>
|
||||
profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
|
||||
include <abstractions/samba-rpcd>
|
||||
|
||||
capability sys_resource,
|
||||
|
||||
@{run}/{,samba/}samba-dcerpcd.pid rwk,
|
||||
|
||||
/usr/lib*/samba/{,samba/}samba-dcerpcd mr,
|
||||
|
||||
/usr/lib*/samba/ r,
|
||||
/usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
|
||||
/usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd,
|
||||
/usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
|
||||
/usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,
|
||||
|
||||
|
@@ -13,10 +13,15 @@ abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
|
||||
profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} {
|
||||
include <abstractions/samba-rpcd>
|
||||
/usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
|
||||
|
||||
capability sys_resource,
|
||||
|
||||
/usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr,
|
||||
|
||||
@{run}/samba/ncalrpc/np/lsarpc wr,
|
||||
@{run}/samba/ncalrpc/np/mdssvc wr,
|
||||
@{run}/samba/ncalrpc/np/winreg wr,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
|
@@ -17,8 +17,18 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
|
||||
include <abstractions/samba-rpcd>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability sys_resource,
|
||||
|
||||
/usr/lib*/samba/{,samba/}rpcd_classic mr,
|
||||
|
||||
@{run}/samba/ncalrpc/np/srvsvc wr,
|
||||
@{run}/samba/ncalrpc/np/winreg wr,
|
||||
/dev/urandom rw,
|
||||
|
||||
/usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
|
||||
|
||||
@{HOMEDIRS}/** lrwk,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
include if exists <local/samba-rpcd-classic>
|
||||
}
|
||||
|
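Review bot: `/dev/urandom rw,` grants write access to the random device, which a consumer of randomness does not normally need; if the denial that prompted this line was a read (or is already satisfied by the base abstraction pulled in through `abstractions/samba-rpcd`), `/dev/urandom r,` is the tighter rule — worth confirming against the audit log before keeping `w`. The new `@{HOMEDIRS}/** lrwk,` mirrors the identical rule in the smbd profile further down this change, but here it is attached to rpcd_classic without a comment; a line such as `# srvsvc/winreg handle share management that touches user home directories` (or whatever the actual trigger was) would record why an RPC helper needs write access under every home directory.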
@@ -22,7 +22,6 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/mysql>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/hosts_access>
|
||||
|
||||
|
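--- /dev/null
+++ b/profiles/apparmor.d/scide
@@ -0,0 +1,13 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+#supercollider-ide
+profile scide /usr/bin/scide flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/scide>
+}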
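--- /dev/null
+++ b/profiles/apparmor.d/transmission
@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile transmission-daemon /usr/bin/transmission-daemon flags=(complain) {
+# Don't use abstractions/transmission-common here, as the
+# access needed is narrower than the user applications
+include <abstractions/base>
+include <abstractions/nameservice>
+include <abstractions/openssl>
+
+network inet dgram,
+network inet6 dgram,
+network inet stream,
+network inet6 stream,
+
+owner @{PROC}/@{pid}/mounts r,
+@{PROC}/sys/kernel/random/uuid r,
+
+@{run}/systemd/notify w,
+
+/etc/transmission-daemon/** r,
+owner /etc/transmission-daemon/settings.json{,.tmp.*} rw,
+
+owner /tmp/tr_session_id_* rwk,
+
+/usr/share/transmission/web/** r,
+
+owner /var/lib/transmission-daemon/.config/transmission-daemon/** rw,
+owner /var/lib/transmission-daemon/downloads/** rw,
+owner /var/lib/transmission-daemon/info/** rw,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/transmission>
+include if exists <local/transmission-daemon>
+}
+
+profile transmission-cli /usr/bin/transmission-cli flags=(complain) {
+include <abstractions/transmission-common>
+include <abstractions/consoles>
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/transmission>
+include if exists <local/transmission-cli>
+}
+
+profile transmission-gtk /usr/bin/transmission-gtk flags=(complain) {
+include <abstractions/transmission-common>
+include <abstractions/dbus-session-strict>
+include <abstractions/dconf>
+include <abstractions/gnome>
+
+owner @{run}/user/*/dconf/user w,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/transmission>
+include if exists <local/transmission-gtk>
+}
+
+profile transmission-qt /usr/bin/transmission-qt flags=(complain) {
+include <abstractions/transmission-common>
+include <abstractions/dbus-accessibility-strict>
+include <abstractions/dbus-network-manager-strict>
+include <abstractions/dbus-session-strict>
+include <abstractions/fonts>
+include <abstractions/X>
+include <abstractions/qt5>
+include <abstractions/qt5-settings-write>
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/transmission>
+include if exists <local/transmission-qt>
+}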
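Review bot: The `transmission-daemon` profile has no rule for its own executable: it deliberately skips `abstractions/transmission-common` (which presumably carries the binary/library rules for the user-facing clients — its start is outside this view) and the base/nameservice/openssl abstractions do not grant mapping of `/usr/bin/transmission-daemon`, so once this profile leaves complain mode the `m` mapping of the binary at exec would likely be denied. Adding `/usr/bin/transmission-daemon mr,` next to the `/usr/share/transmission/web/** r,` line closes that gap. All four profiles are shipped with `flags=(complain)`; a one-line header comment such as `# shipped in complain mode until the rule set has been exercised on real installs` would tell packagers that this is intentional rather than forgotten.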
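--- /dev/null
+++ b/profiles/apparmor.d/tuxedo-control-center
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label unconfined
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile tuxedo-control-center /opt/tuxedo-control-center/tuxedo-control-center flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/tuxedo-control-center>
+}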
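--- /dev/null
+++ b/profiles/apparmor.d/unix-chkpwd
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+include <abstractions/base>
+include <abstractions/nameservice>
+
+# To write records to the kernel auditing log.
+capability audit_write,
+
+network netlink raw,
+
+/{,usr/}{,s}bin/unix_chkpwd mr,
+
+/etc/shadow r,
+
+# systemd userdb, used in nspawn
+/run/host/userdb/*.user r,
+/run/host/userdb/*.user-privileged r,
+
+# file_inherit
+owner /dev/tty[0-9]* rw,
+
+include if exists <local/unix-chkpwd>
+}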
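Review bot: The two userdb rules use a literal `/run` while every other new profile in this change set goes through the `@{run}` tunable (e.g. `@{run}/systemd/notify w,` in the transmission profile), so these are the only paths that stop matching if a site maps `@{run}` to `/var/run`; `@{run}/host/userdb/*.user r,` and `@{run}/host/userdb/*.user-privileged r,` keep them consistent. `/etc/shadow r,` is the one rule that carries real privilege here and has no comment, whereas the less sensitive `capability audit_write,` does; a line such as `# the helper's purpose is to verify a password hash on behalf of an unprivileged caller` would stop a later reader from tightening it by mistake. The profile also lacks the `# Site-specific additions and overrides` comment that the other new profiles place above their `include if exists <local/...>` line.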
@@ -19,7 +19,6 @@ profile dovecot-auth /usr/lib*/dovecot/auth {
|
||||
include <abstractions/base>
|
||||
include <abstractions/mysql>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/wutmp>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
|
@@ -17,7 +17,6 @@ profile dovecot-dict /usr/lib*/dovecot/dict {
|
||||
include <abstractions/base>
|
||||
include <abstractions/mysql>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
|
@@ -17,7 +17,6 @@ include <tunables/global>
|
||||
profile dovecot-imap-login /usr/lib*/dovecot/imap-login {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
@@ -18,7 +18,6 @@ profile dovecot-lmtp /usr/lib*/dovecot/lmtp {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/ssl_keys>
|
||||
|
||||
|
@@ -19,7 +19,6 @@ include <tunables/global>
|
||||
profile dovecot-managesieve-login /usr/lib*/dovecot/managesieve-login {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
@@ -17,7 +17,6 @@ include <tunables/global>
|
||||
profile dovecot-pop3-login /usr/lib*/dovecot/pop3-login {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
@@ -8,6 +8,7 @@ profile nmbd /usr/{bin,sbin}/nmbd {
|
||||
include <abstractions/samba>
|
||||
|
||||
capability net_bind_service,
|
||||
capability sys_resource,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
|
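Review bot: `capability sys_resource,` is added to nmbd without a comment, and the same capability appears uncommented in the samba-dcerpcd, samba-rpcd and samba-rpcd-classic hunks of this change. It is a fairly broad capability (resource-limit overrides), so a one-line note recording the operation that produced the denial — `# raises RLIMIT_NOFILE at startup` if that is what the audit log showed — would let a future reviewer judge whether it is still needed. The enclosing `profile nmbd` block starts and ends outside the hunk.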
@@ -16,7 +16,6 @@ include <tunables/ntpd>
|
||||
profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/xad>
|
||||
|
||||
|
@@ -8,7 +8,6 @@ profile smbd /usr/{bin,sbin}/smbd {
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/samba>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/wutmp>
|
||||
@@ -33,9 +32,6 @@ profile smbd /usr/{bin,sbin}/smbd {
|
||||
/etc/samba/* rwk,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
/usr/etc/environment r,
|
||||
/usr/etc/security/limits.d/ r,
|
||||
/usr/etc/security/limits.d/*.conf r,
|
||||
/usr/lib*/samba/vfs/*.so mr,
|
||||
/usr/lib*/samba/auth/*.so mr,
|
||||
/usr/lib*/samba/charset/*.so mr,
|
||||
@@ -50,7 +46,6 @@ profile smbd /usr/{bin,sbin}/smbd {
|
||||
/usr/share/samba/** r,
|
||||
/usr/{bin,sbin}/smbd mr,
|
||||
/usr/{bin,sbin}/smbldap-useradd Px,
|
||||
/usr/sbin/unix_chkpwd Px,
|
||||
/var/cache/samba/** rwk,
|
||||
/var/{cache,lib}/samba/printing/printers.tdb mrw,
|
||||
/var/lib/nscd/netgroup r,
|
||||
@@ -63,8 +58,6 @@ profile smbd /usr/{bin,sbin}/smbd {
|
||||
@{run}/samba/ncalrpc/** rw,
|
||||
/var/spool/samba/** rw,
|
||||
|
||||
owner /proc/@{pid}/loginuid r,
|
||||
|
||||
@{HOMEDIRS}/** lrwk,
|
||||
/var/lib/samba/usershares/{,**} lrwk,
|
||||
|
||||
|
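--- /dev/null
+++ b/profiles/apparmor.d/wike
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile wike /usr/bin/wike flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/wike>
+}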
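--- /dev/null
+++ b/profiles/apparmor/profiles/extras/bwrap-userns-restrict
@@ -0,0 +1,68 @@
+# This profile allows almost everything and only exists to allow
+# bwrap to work on a system with user namespace restrictions
+# being enforced.
+# bwrap is allowed access to user namespaces and capabilities
+# within the user namespace, but its children do not have
+# capabilities, blocking bwrap from being able to be used to
+# arbitrarily by-pass the user namespace restrictions.
+#
+# Note: the bwrap child is stacked against the bwrap profile due to
+# bwraps use of no-new-privs
+
+# disabled by default as it can break some use cases on a system that
+# doesn't have or has disable user namespace restrictions for unconfined
+# use aa-enforce to enable it
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
+allow capability,
+# not allow all, to allow for pix stack
+# sadly we have to allow m every where to allow children to work under
+# stacking.
+allow file rwlkm /{**,},
+allow network,
+allow unix,
+allow ptrace,
+allow signal,
+allow mqueue,
+allow io_uring,
+allow userns,
+allow mount,
+allow umount,
+allow pivot_root,
+allow dbus,
+allow px /** -> bwrap//&unpriv_bwrap,
+
+# the local include should not be used without understanding the userns
+# restriction.
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/bwrap-userns-restrict>
+}
+
+profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
+# not allow all, to allow for pix stack
+allow file rwlkm /{**,},
+allow network,
+allow unix,
+allow ptrace,
+allow signal,
+allow mqueue,
+allow io_uring,
+allow userns,
+allow mount,
+allow umount,
+allow pivot_root,
+allow dbus,
+
+allow pix /** -> &unpriv_bwrap,
+
+audit deny capability,
+
+# the local include should not be used without understanding the userns
+# restriction.
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/unpriv_bwrap>
+}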
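Review bot: The single rule that makes `unpriv_bwrap` safe — `audit deny capability,` — sits uncommented at the bottom of a long list of broad `allow` rules (file, userns, mount, pivot_root, ptrace), so a reader who does not connect it to the header text could easily loosen it; a comment directly above it, `# this is the load-bearing rule: the child keeps userns/mount/ptrace grants but no capabilities, so it cannot use bwrap to escape the userns restriction`, would anchor the design where it is enforced. The header comment also has three wording slips worth fixing in the same pass: "arbitrarily by-pass" → "arbitrarily bypass", "bwraps use of no-new-privs" → "bwrap's use of no-new-privs", and "doesn't have or has disable user namespace restrictions" → "doesn't have, or has disabled, user namespace restrictions". The `include if exists <local/unpriv_bwrap>` hook gives a site the ability to re-add capabilities to the child; the existing "should not be used without understanding" note is good, but naming the specific risk (re-granting `capability` there defeats the profile) would be clearer.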
@@ -12,9 +12,9 @@
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
@{chromium} = chromium{,-browser}
|
||||
@{chromium} = {,ungoogled-}chromium{,-browser}
|
||||
|
||||
# We need 'flags=(attach_disconnected)' in newer chromium versions
|
||||
profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconnected) {
|
||||
@@ -22,10 +22,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
# This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
|
||||
# you want access to productivity applications, adjust the following file
|
||||
@@ -57,14 +60,48 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
member={EnumerateDevices,GetDisplayDevice}
|
||||
peer=(label=unconfined),
|
||||
|
||||
# ???
|
||||
deny dbus (send)
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org/freedesktop/hostname1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(label=unconfined),
|
||||
|
||||
dbus (receive)
|
||||
bus=system
|
||||
path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={SessionNew,SessionRemoved}
|
||||
peer=(label=unconfined),
|
||||
|
||||
dbus (send)
|
||||
bus=session
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={AddMatch,GetNameOwner,Hello,NameHasOwner,RemoveMatch,StartServiceByName}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus (send)
|
||||
bus=session
|
||||
path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.freedesktop.portal.Desktop),
|
||||
|
||||
dbus (send)
|
||||
bus=session
|
||||
path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.Notifications
|
||||
member={GetCapabilities,GetServerInformation}
|
||||
peer=(name=org.freedesktop.Notifications),
|
||||
|
||||
dbus (send)
|
||||
bus=session
|
||||
path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=ListMountableInfo
|
||||
peer=(label=unconfined),
|
||||
|
||||
# Networking
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
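Review bot: The `# ???` placeholder now sits above a rule that this hunk flips from `deny dbus (send)` to `dbus (send)` for `org.freedesktop.hostname1` `GetAll`; a deny-to-allow change is exactly where the reason needs to be recorded, so the placeholder should be replaced with the actual motivation (for example `# read-only hostname1 property query; allowed so the denial stops appearing in the audit log`, if that is what drove it). The rest of the new dbus block is reasonably scoped by `peer=(name=...)` or `peer=(label=unconfined)`, so the comment is the only thing missing here. The same section's later hunk adds a `crashpad_handler` child profile with `capability sys_ptrace,`, `ptrace (read, trace) peer=chromium_browser,` and `owner @{PROC}/@{pid}/mem r,`; that hunk is self-contained but would also benefit from a one-line comment stating that the ptrace peer restriction is what keeps the `mem` read limited to the browser's own processes. The `profile chromium_browser` block starts and ends outside this hunk.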
@@ -72,30 +109,35 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
@{PROC}/@{pid}/net/ipv6_route r,
|
||||
|
||||
# Should maybe be in abstractions
|
||||
/etc/fstab r,
|
||||
/etc/mime.types r,
|
||||
/etc/mailcap r,
|
||||
/etc/mtab r,
|
||||
/etc/xdg/xubuntu/applications/defaults.list r,
|
||||
owner @{HOME}/.cache/thumbnails/** r,
|
||||
owner @{HOME}/.local/share/applications/defaults.list r,
|
||||
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
|
||||
/tmp/.X[0-9]*-lock r,
|
||||
|
||||
@{PROC}/self/exe ixr,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/filesystems r,
|
||||
@{PROC}/pressure/{cpu,io,memory} r,
|
||||
@{PROC}/vmstat r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/clear_refs w,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/io r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/setgroups w,
|
||||
owner @{PROC}/@{pid}/{uid,gid}_map w,
|
||||
@{PROC}/@{pid}/smaps r,
|
||||
owner @{PROC}/@{pid}/smaps r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/@{pid}/statm r,
|
||||
@{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/status r,
|
||||
deny @{PROC}/@{pid}/oom_{,score_}adj w,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
@{PROC}/sys/net/ipv4/tcp_fastopen r,
|
||||
|
||||
@@ -105,13 +147,24 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
/sys/devices/**/uevent r,
|
||||
/sys/devices/system/cpu/cpufreq/policy*/cpuinfo_max_freq r,
|
||||
/sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
|
||||
/sys/devices/system/cpu/kernel_max r,
|
||||
/sys/devices/system/cpu/possible r,
|
||||
/sys/devices/system/cpu/present r,
|
||||
/sys/devices/system/node/node*/meminfo r,
|
||||
/sys/devices/pci[0-9]*/**/bConfigurationValue r,
|
||||
/sys/devices/pci[0-9]*/**/boot_vga r,
|
||||
/sys/devices/pci[0-9]*/**/busnum r,
|
||||
/sys/devices/pci[0-9]*/**/class r,
|
||||
/sys/devices/pci[0-9]*/**/config r,
|
||||
/sys/devices/pci[0-9]*/**/descriptors r,
|
||||
/sys/devices/pci[0-9]*/**/device r,
|
||||
/sys/devices/pci[0-9]*/**/devnum r,
|
||||
/sys/devices/pci[0-9]*/**/irq r,
|
||||
/sys/devices/pci[0-9]*/**/manufacturer r,
|
||||
/sys/devices/pci[0-9]*/**/product r,
|
||||
/sys/devices/pci[0-9]*/**/resource r,
|
||||
/sys/devices/pci[0-9]*/**/revision r,
|
||||
/sys/devices/pci[0-9]*/**/serial r,
|
||||
/sys/devices/pci[0-9]*/**/subsystem_device r,
|
||||
/sys/devices/pci[0-9]*/**/subsystem_vendor r,
|
||||
/sys/devices/pci[0-9]*/**/vendor r,
|
||||
@@ -122,6 +175,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
/sys/devices/virtual/tty/tty*/active r,
|
||||
# This is requested, but doesn't seem to actually be needed so deny for now
|
||||
deny /run/udev/data/** r,
|
||||
deny /sys/devices/virtual/dmi/id/* r,
|
||||
|
||||
# Needed for the crash reporter
|
||||
owner @{PROC}/@{pid}/auxv r,
|
||||
@@ -132,13 +186,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
/usr/share/fonts/**/*.pfb m,
|
||||
/usr/share/mime/mime.cache m,
|
||||
/usr/share/icons/**/*.cache m,
|
||||
owner /{dev,run}/shm/pulse-shm* m,
|
||||
owner /{dev,run,var/run}/shm/pulse-shm* m,
|
||||
owner @{HOME}/.local/share/mime/mime.cache m,
|
||||
owner /tmp/** m,
|
||||
|
||||
@{PROC}/sys/kernel/shmmax r,
|
||||
owner /{dev,run}/shm/{,.}org.chromium.* mrw,
|
||||
owner /{,var/}run/shm/shmfd-* mrw,
|
||||
owner /{dev,run,var/run}/shm/{,.}org.chromium.* mrw,
|
||||
owner /{dev,run,var/run}/shm/shmfd-* mrw,
|
||||
|
||||
/usr/lib/@{chromium}/*.pak mr,
|
||||
/usr/lib/@{chromium}/locales/* mr,
|
||||
@@ -149,8 +203,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
|
||||
# Allow ptracing ourselves and our helpers
|
||||
ptrace (trace) peer=@{profile_name},
|
||||
ptrace (trace) peer=@{profile_name}//xdgsettings,
|
||||
ptrace (trace) peer=lsb_release,
|
||||
ptrace (read, trace) peer=@{profile_name}//xdgsettings,
|
||||
ptrace (read, trace) peer=lsb_release,
|
||||
|
||||
# Make browsing directories work
|
||||
/ r,
|
||||
@@ -183,10 +237,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
/etc/firefox/profile/bookmarks.html r,
|
||||
owner @{HOME}/.mozilla/** k,
|
||||
|
||||
# Chromium Policies
|
||||
/etc/@{chromium}/policies/** r,
|
||||
|
||||
# Chromium configuration
|
||||
/etc/@{chromium}/** r,
|
||||
# Note: "~/.pki/{,nssdb/} w" is denied by private-files abstraction
|
||||
owner @{HOME}/.pki/nssdb/* rwk,
|
||||
owner @{HOME}/.cache/chromium/ rw,
|
||||
owner @{HOME}/.cache/chromium/** rw,
|
||||
@@ -197,12 +250,18 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
|
||||
owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
|
||||
|
||||
# Allow transitions to ourself and our sandbox
|
||||
# Widevine CDM plugin
|
||||
owner @{HOME}/.config/chromium/WidevineCdm/*/_platform_specific/*/libwidevinecdm.so mr,
|
||||
|
||||
# Allow transitions to ourself, our sandbox, and crash handler
|
||||
/usr/lib/@{chromium}/@{chromium} ix,
|
||||
/usr/lib/@{chromium}/chrome-sandbox cx -> sandbox,
|
||||
/usr/lib/@{chromium}/chrome_crashpad_handler Cxr -> crashpad_handler,
|
||||
|
||||
# Allow communicating with sandbox
|
||||
# Allow communicating with sandbox and crash handler
|
||||
unix (receive, send) peer=(label=@{profile_name}//sandbox),
|
||||
unix (receive, send) peer=(label=@{profile_name}//crashpad_handler),
|
||||
signal (receive) set=(cont) peer=@{profile_name}//crashpad_handler,
|
||||
|
||||
/{usr/,}bin/ps Uxr,
|
||||
/usr/lib/@{chromium}/xdg-settings Cxr -> xdgsettings,
|
||||
@@ -210,10 +269,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
/usr/bin/lsb_release Pxr -> lsb_release,
|
||||
|
||||
# GSettings
|
||||
owner /{,var/}run/user/*/dconf/ rw,
|
||||
owner /{,var/}run/user/*/dconf/user rw,
|
||||
owner @{run}/user/[0-9]*/dconf/ rw,
|
||||
owner @{run}/user/[0-9]*/dconf/user rw,
|
||||
owner @{HOME}/.config/dconf/user r,
|
||||
|
||||
# GVfs
|
||||
owner @{run}/user/[0-9]*/gvfsd/socket-* rw,
|
||||
|
||||
# Magnet links
|
||||
/usr/bin/gio ixr,
|
||||
|
||||
@@ -230,7 +292,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
/etc/ld.so.cache r,
|
||||
/etc/xdg/** r,
|
||||
/usr/bin/xdg-settings r,
|
||||
/{usr/,}lib{,32,64}/@{chromium}/xdg-settings r,
|
||||
/usr/lib/@{chromium}/xdg-settings r,
|
||||
/usr/share/applications/*.desktop r,
|
||||
/usr/share/applications/*.list r,
|
||||
|
||||
@@ -266,6 +328,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
/{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
|
||||
/{usr/,}lib{,32,64}/libatomic.so* mr,
|
||||
/{usr/,}lib/@{multiarch}/libatomic.so* mr,
|
||||
/{usr/,}lib{,32,64}/libc.so.* mr,
|
||||
/{usr/,}lib/@{multiarch}/libc.so.* mr,
|
||||
/{usr/,}lib{,32,64}/libc-*.so* mr,
|
||||
/{usr/,}lib/@{multiarch}/libc-*.so* mr,
|
||||
/{usr/,}lib{,32,64}/libdl-*.so* mr,
|
||||
@@ -326,6 +390,32 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
|
||||
owner /tmp/** rw,
|
||||
}
|
||||
|
||||
profile crashpad_handler {
|
||||
include <abstractions/base>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read, trace) peer=chromium_browser,
|
||||
|
||||
signal (send) set=(cont) peer=chromium_browser,
|
||||
|
||||
unix (receive, send) peer=(label=chromium_browser),
|
||||
|
||||
/usr/lib/@{chromium}/chrome_crashpad_handler ixr,
|
||||
|
||||
/sys/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,max}_freq r,
|
||||
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mem r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm r,
|
||||
|
||||
owner @{HOME}/.config/chromium/Crash?Reports/** rwk,
|
||||
}
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
include if exists <local/chromium_browser>
|
||||
}
|
||||
|
@@ -139,7 +139,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
|
||||
interface=org.gtk.gio.DesktopAppInfo
|
||||
member=Launched,
|
||||
|
||||
/etc/timezone r,
|
||||
/etc/{,writable/}timezone r,
|
||||
/etc/wildmidi/wildmidi.cfg r,
|
||||
|
||||
# firefox specific
|
||||
@@ -241,7 +241,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
|
||||
owner @{HOME}/.gnome2/firefox* rwk,
|
||||
owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
|
||||
owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
|
||||
owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite k,
|
||||
owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite{,-shm} k,
|
||||
owner @{HOME}/.config/gtk-3.0/bookmarks r,
|
||||
owner @{HOME}/.config/dconf/user w,
|
||||
owner @{run}/user/[0-9]*/dconf/ w,
|
||||
@@ -416,14 +416,17 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
|
||||
bus=system
|
||||
path=/org/freedesktop/UPower
|
||||
interface=org.freedesktop.UPower
|
||||
member=EnumerateDevices
|
||||
peer=(name=org.freedesktop.UPower),
|
||||
member=EnumerateDevices,
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org/freedesktop/UPower
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org/freedesktop/UPower/devices/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.UPower),
|
||||
member=GetAll,
|
||||
|
||||
# File browser
|
||||
dbus (send)
|
||||
|
@@ -17,7 +17,6 @@ include <tunables/global>
|
||||
profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/etc/my.cnf r,
|
||||
|
@@ -18,7 +18,6 @@ profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
@@ -18,7 +18,6 @@ profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/ssl_keys>
|
||||
|
||||
|
@@ -17,7 +17,6 @@ include <tunables/global>
|
||||
profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,
|
||||
|
@@ -26,7 +26,6 @@ include <tunables/global>
|
||||
profile dhclient /{usr/,}sbin/dhclient {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_raw,
|
||||
|
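--- /dev/null
+++ b/profiles/apparmor/profiles/extras/unshare-userns-restrict
@@ -0,0 +1,65 @@
+# This profile allows almost everything and only exists to allow
+# unshare to work on a system with user namespace restrictions
+# being enforced.
+# unshare is allowed access to user namespaces and capabilities
+# within the user namespace, but its children do not have
+# capabilities, blocking unshare from being able to be used to
+# arbitrarily by-pass the user namespace restrictions.
+# We restrict x mapping of any code that is unknown while unshare
+# has privilige within the namespace. To help ensure unshare can't
+# be used to attack the kernel.
+#
+# disabled by default as it can break some use cases on a system that
+# doesn't have or has disable user namespace restrictions for unconfined
+# use aa-enforce to enable it
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+# not allow all, to allow for cix transition
+# and to limit executable mapping to just unshare
+allow capability,
+allow file rwlk /{**,},
+allow network,
+allow unix,
+allow ptrace,
+allow signal,
+allow mqueue,
+allow io_uring,
+allow userns,
+allow mount,
+allow umount,
+allow pivot_root,
+allow dbus,
+audit allow cx /** -> unpriv,
+
+allow file m /usr/lib/@{multiarch}/libc.so.6,
+allow file m /usr/bin/unshare,
+
+# the local include should not be used without understanding the userns
+# restriction.
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/unshare-userns-restrict>
+
+profile unpriv flags=(attach_disconnected) {
+# not allow all, to allow for pix stack
+allow file rwlkm /{**,},
+allow network,
+allow unix,
+allow ptrace,
+allow signal,
+allow mqueue,
+allow io_uring,
+allow userns,
+allow mount,
+allow umount,
+allow pivot_root,
+allow dbus,
+
+allow pix /** -> &unshare//unpriv,
+
+audit deny capability,
+}
+}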
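Review bot: The only library the `unshare` profile may map executable is `/usr/lib/@{multiarch}/libc.so.6`, so on a non-multiarch layout (lib64, or lib without the triplet directory) the `m` mapping of libc is denied and unshare cannot start once this profile is enforced; the other profiles in this release spell libc as both `/{usr/,}lib{,32,64}/libc.so.*` and `/{usr/,}lib/@{multiarch}/libc.so.*`, so the same pair here, `allow file m /{usr/,}lib{,32,64}/libc.so.6,` and `allow file m /{usr/,}lib/@{multiarch}/libc.so.6,`, would keep the intent (libc and unshare only) while being portable. No `m` rule is given for the dynamic loader either; presumably it is mapped as the ELF interpreter and needs none, but that is worth confirming with an enforce-mode run since the profile deliberately skips abstractions/base. The header comment also has two typos worth fixing while here: "privilige" → "privilege" and "has disable" → "has disabled".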
@@ -17,7 +17,6 @@ include <tunables/global>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
@@ -13,7 +13,6 @@ include <tunables/global>
|
||||
profile clamd /usr/sbin/clamd {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
@@ -13,7 +13,6 @@ include <tunables/global>
|
||||
profile haproxy /usr/sbin/haproxy {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
capability net_admin,
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
|
@@ -20,7 +20,6 @@ include <tunables/global>
|
||||
include <abstractions/kerberosclient>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability kill,
|
||||
capability net_bind_service,
|
||||
|
@@ -17,7 +17,6 @@ include <tunables/global>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/user-mail>
|
||||
include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r,
|
||||
/tmp/* rwl,
|
||||
|
@@ -17,7 +17,6 @@ include <tunables/global>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/user-mail>
|
||||
include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r ,
|
||||
/tmp/.* rwl ,
|
||||
|
@@ -17,7 +17,6 @@ include <tunables/global>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/user-mail>
|
||||
include <abstractions/openssl>
|
||||
|
||||
/dev/urandom r ,
|
||||
/tmp/.* rwl ,
|
||||
|
@@ -50,6 +50,15 @@ include <tunables/global>
|
||||
# needed when /proc is mounted with hidepid>=1
|
||||
ptrace (read,trace) peer="unconfined",
|
||||
|
||||
unix (bind) type=stream addr="@*/bus/sshd/system",
|
||||
|
||||
dbus (send)
|
||||
bus=system
|
||||
path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=CreateSessionWithPIDFD
|
||||
peer=(label=unconfined),
|
||||
|
||||
/dev/ptmx rw,
|
||||
/dev/pts/[0-9]* rw,
|
||||
/dev/urandom r,
|
||||
|
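Review bot: The new login1 rule admits only `member=CreateSessionWithPIDFD`; pam_systemd builds older than the pidfd variant call `CreateSession` instead, so unless the rest of the profile (outside this hunk) already covers it, session registration would be denied on those systems, and `member={CreateSession,CreateSessionWithPIDFD}` would be the more robust spelling. The `peer=(label=unconfined)` constraint carries no `name=` check, so the rule matches any unconfined system-bus peer that serves that path; presumably acceptable because logind normally runs unconfined, but a one-line comment stating that assumption, e.g. `# pam_systemd session registration; systemd-logind is expected to run unconfined`, would make the choice auditable. The abstract-socket bind `addr="@*/bus/sshd/system"` matches the random prefix sd-bus clients use, which is fine, but a comment naming sd-bus as the reason would stop a later reader from tightening the glob.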
@@ -111,8 +111,8 @@ SRC=access.c \
|
||||
mount.c \
|
||||
move_mount.c \
|
||||
named_pipe.c \
|
||||
net_finegrained_rcv.c \
|
||||
net_finegrained_snd.c \
|
||||
net_inet_rcv.c \
|
||||
net_inet_snd.c \
|
||||
net_raw.c \
|
||||
open.c \
|
||||
openat.c \
|
||||
@@ -364,10 +364,10 @@ unix_fd_client: unix_fd_client.c unix_fd_common.o
|
||||
attach_disconnected: attach_disconnected.c unix_fd_common.o
|
||||
${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
|
||||
|
||||
userns: userns.c userns.h
|
||||
userns: userns.c pipe_helper.h
|
||||
${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
|
||||
|
||||
userns_setns: userns_setns.c userns.h
|
||||
userns_setns: userns_setns.c pipe_helper.h
|
||||
${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
|
||||
|
||||
mount: mount.c
|
||||
|
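Review bot: Both rewritten rules (`userns` and `userns_setns`) list `pipe_helper.h` as a prerequisite and then expand `$^` into the compiler command, so the header itself is handed to `${CC}` as an input; with gcc a bare header argument is compiled into a precompiled header (`pipe_helper.h.gch`) next to the source, a side-effect file no rule names, and now that the two targets share the header both recipes can write it concurrently under `make -j`. The shape predates this commit (the old `userns.h` prerequisite had the same problem), but the shared header is what makes the race possible. Keeping the header as a dependency while excluding it from the command line, `${CC} ${CFLAGS} ${LDFLAGS} $(filter-out %.h,$^) -o $@ ${LDLIBS}` in both recipes, fixes it without changing what gets rebuilt.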
@@ -79,3 +79,16 @@ runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$te
|
||||
|
||||
genprofile_aa_exec "$test" 0
|
||||
runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile --stdin <<EOF
|
||||
$test {
|
||||
all,
|
||||
}
|
||||
|
||||
:${ns}:${test} {
|
||||
all,
|
||||
}
|
||||
EOF
|
||||
runchecktest "allow all" pass "$aa_exec -p $test" "$test (enforce)"
|
||||
fi
|
||||
|
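Review bot: The new block generates an `all,` profile in the `${ns}` namespace as well as the root one, but the only check that follows is `runchecktest "allow all" pass "$aa_exec -p $test"`, so the namespaced profile is loaded and never exercised; the existing tests just above run the same scenario through `-n $ns`. Adding `runchecktest "allow all (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (enforce)"` inside the `if` would make the second profile earn its place and cover the `all,` rule under a namespace. A short comment on the `if`, e.g. `# "all," is only accepted by newer parsers; skip rather than fail on older ones`, would also explain the `parser_supports` guard to the next reader.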
@@ -28,7 +28,14 @@ wxperm=wix
|
||||
touch $file
|
||||
chmod 777 $file # full perms so discretionary access checks succeed
|
||||
|
||||
# PASS TEST
|
||||
# PASS TEST
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all"
|
||||
runchecktest "ACCESS allow all r (rwx)" pass $file r
|
||||
runchecktest "ACCESS allow all rx (rwx)" pass $file rx
|
||||
runchecktest "ACCESS allow all rwx (rwx)" pass $file rwx
|
||||
fi
|
||||
|
||||
genprofile $file:$rwxperm
|
||||
runchecktest "ACCESS file r (rwx)" pass $file r
|
||||
runchecktest "ACCESS file rx (rwx)" pass $file rx
|
||||
|
@@ -105,6 +105,15 @@ do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $n
|
||||
|
||||
# TODO: adding attach_disconnected.path to a replaced unconfined
|
||||
|
||||
# ALLOW ALL does not include attach_disconnected
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all" flag:attach_disconnected -- image=$att_dis_client "all"
|
||||
do_test "attach_disconnected allow all" pass $file $att_dis_client $socket $loop_device $new_root $put_old
|
||||
|
||||
genprofile "all" -- image=$att_dis_client "all"
|
||||
do_test "attach_disconnected allow all no flag" fail $file $att_dis_client $socket $loop_device $new_root $put_old
|
||||
fi
|
||||
|
||||
genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
|
||||
|
||||
do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old
|
||||
|
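Review bot: The positive case in the new block places `flag:attach_disconnected` on the first (parent) profile, while the pre-existing case below it places the flag on the `image=$att_dis_client` profile, and nothing in the hunk says which process performs the disconnected access. If `all,` makes the exec an inherit-style transition, the client never enters its own profile and the trailing `image=$att_dis_client "all"` is dead text; if it does transition, the flag sits on the wrong profile and the pass result deserves a second look — presumably the former, but confirm against genprofile's handling of `all`. A comment such as `# with "all," the client inherits the parent profile, so the flag must be on the parent` above the first `genprofile` would record the intent, and the negative case should then keep the flag off both profiles as it does now.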