1. 13 Jul, 2021 2 commits
  2. 25 Aug, 2020 1 commit
  3. 23 Jul, 2020 1 commit
  4. 30 May, 2020 1 commit
  5. 29 May, 2020 1 commit
  6. 13 Feb, 2020 1 commit
  7. 03 Feb, 2020 1 commit
  8. 17 Dec, 2019 2 commits
      abstractions/base: allow read access to /run/uuidd/request · 45fffc12
      Jamie Strandboge authored
      /run/uuidd/request is hardcoded in libuuid from util-linux and uuidd
      listens on this socket to provide random and time-based UUIDs in a
      secure manner (man 8 uuidd). Some applications (eg, python's uuid)
      prefer to use this socket, falling back to getrandom(), /dev/urandom,
      etc. Eg:
      $ strace -f aa-exec -p test -- \
        python3 -c 'import uuid ; print("%s\n" % str(uuid.uuid1()))'
      socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = -1 EACCES (Permission denied)
      getrandom("\x8e\x89\xa5\xe7\x39\x1b", 6, GRND_NONBLOCK) = 6
      uuidd itself produces random numbers using getrandom() and
      /dev/{,u}random (falling back to time-based if not), which are already
      allowed in the base abstraction. The uuidd daemon, when available, runs
      unprivileged under a dedicated user, so allowing read-only access to
      /run/uuidd/request is reasonable.
  9. 24 Mar, 2019 1 commit
      base abstraction: allow mr on *.so* in common library paths. · 5cbb7df9
      intrigeri authored
      For example, VirtualBox guests have /usr/lib/VBoxOGL.so.
      Without this change, in a VirtualBox VM with VBoxVGA graphics,
      at least one Qt5 application (OnionShare) won't start and display:
        ImportError: libGL.so.1: failed to map segment from shared object
      … and the system logs have:
        apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
      While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.
      So let's not assume all libraries have a name that starts with "lib".
  10. 24 Jan, 2019 1 commit
  11. 08 Nov, 2018 1 commit
  12. 26 Jan, 2018 1 commit
  13. 03 May, 2017 1 commit
  14. 27 Apr, 2017 1 commit
      The base abstraction already allows write access to · 0699034d
      Jamie Strandboge authored
      /run/systemd/journal/dev-log but journald offers both:
      - a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
      - /run/systemd/journal/stdout for connecting a program's output to the journal
        (see systemd-cat(1)).
      In addition to systemd-cat, the stdout access is required for nested container
      (eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
      containers require 'r' in addition to 'w' to work. journald does not allow
      reading log entries from this socket so the access is deemed safe.
      Signed-off-by: Jamie Strandboge <jamie@canonical.com>
  15. 12 Apr, 2017 1 commit
  16. 21 Jan, 2017 1 commit
  17. 03 Dec, 2016 6 commits
      abstractions/base: drop 'ix' for ld-*.so and friends. · 2d3c95ef
      intrigeri authored
      This should solve the "overlapping rules with conflicting 'x'
      modifiers" problem (introduced with r3594) entirely.
      The other options I could think of were:
       * ix → Pix, adjust all profiles that do 'ix' accordingly, and leave
         alone those that do Pix already; downsides: requires updating quite
         a few profiles all around the place, and breaks a mere "file," rule;
       * ix → Pix, adjust all profiles that do 'ix' accordingly, and change
         the "file," rule semantics to imply Pix; downside: very intrusive,
         and likely to break random existing policy in ways that are hard
         to predict;
       * stick to ix, and adjust all profiles that do anything else with
         overlapping rules, to do ix instead; downside: in some cases this means
         removing the 'P' modifier, which can cause regressions in how we confine
      I've looked up in the bzr history to understand why execution rights
      would be needed, and… the answer predates the move to bzr.
      Looking into the SVN history, if it's even available anywhere, is
      a bit too much for me, so I've tested this change and the few
      applications I've tried did not complain. Of course, more testing will
      be needed.
      abstractions/base: revert ix→Pix. · b6aeae70
      intrigeri authored
      It simply breaks too much stuff, such as a mere "file," rule.
      abstractions/base: turn remaining ix rules into Pix. · a8ac2b4c
      intrigeri authored
      Having consistent x modifiers in this abstraction is needed
      to allow profiles including abstractions/base to apply x rules
      overlapping with several of the rules from the base abstraction.
      E.g. one may need to have rules applying to /**, for example because
      a mere "file," conflicts with the ix→Pix change I did in r3596.
      abstractions/base: turn merged-/usr-enabled ix rules into Pix, to avoid conflicts with other profiles. · b3768dce
      intrigeri authored
      Example conflicts that are solved by this commit include:
        /usr/{,local/}lib*/{,**/}* Pixr,
      abstractions/base: drop obsolete rule, superseded by @{multiarch} a while ago. · d73143db
      intrigeri authored
      It causes conflicts in x modifiers when compiling usr.sbin.cupsd.
      Make policy compatible with merged-/usr. · f9ca24c2
      intrigeri authored
  18. 29 Jul, 2016 1 commit
  19. 23 Aug, 2015 1 commit
  20. 21 Jan, 2015 1 commit
  21. 08 Oct, 2014 1 commit
  22. 05 Sep, 2014 1 commit
  23. 03 Sep, 2014 1 commit
      abstraction updates for abstract, anonymous and netlink · 1f003c01
      Jamie Strandboge authored
      - the base abstraction for common abstract and anonymous rules (comments
        included per rule)
      - dbus-session-strict to add a rule for connecting to the dbus session
        socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
        explicit label if people preferred that
      - X to add a rule for connecting to the X abstract socket. Same as for
      - nameservice to add a rule for connecting to a netlink raw. This change could
        possibly be excluded, but applications using networking (at least on Ubuntu)
        all seem to need it. Excluding it would mean systems using nscd would need to
        add this and ones not using it would have a noisy denial
      Acked-by: Jamie Strandboge <jamie@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
  24. 23 Jun, 2014 1 commit
  25. 09 Apr, 2013 1 commit
  26. 02 Jan, 2013 1 commit
  27. 10 Feb, 2012 1 commit
  28. 03 Jan, 2012 1 commit
  29. 23 Mar, 2011 1 commit
  30. 05 Jun, 2010 1 commit
  31. 03 Jan, 2010 1 commit
  32. 11 Nov, 2009 1 commit
  33. 04 Nov, 2009 1 commit