......@@ -12,7 +12,7 @@ DIRS=parser \
changehat/pam_apparmor \
tests
REPO_URL?=lp:apparmor
REPO_URL?=lp:apparmor/2.7
# alternate possibilities to export from
#REPO_URL=.
#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
......
......@@ -158,6 +158,8 @@ $ac_distutils_result])
AC_MSG_CHECKING([consistency of all components of python development environment])
AC_LANG_PUSH([C])
# save current global flags
ac_save_LIBS="$LIBS"
ac_save_CPPFLAGS="$CPPFLAGS"
LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
AC_TRY_LINK([
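Review bot: The values saved into `ac_save_LIBS` and `ac_save_CPPFLAGS` are not restored within this hunk; the restore after AC_TRY_LINK lies outside the view, so confirm that `LIBS="$ac_save_LIBS"` and `CPPFLAGS="$ac_save_CPPFLAGS"` run on both the success and the failure branch, otherwise the python flags leak into every later configure check. A comment on those restore lines, `# restore the flags saved before the python link test`, would pair with the `# save current global flags` one above. The macro body continues past the end of the hunk.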
......
......@@ -3,7 +3,8 @@ INCLUDES = $(all_includes)
BUILT_SOURCES = grammar.h scanner.h af_protos.h
AM_LFLAGS = -v
AM_YFLAGS = -d -p aalogparse_
AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
AM_CFLAGS = -Wall
AM_CPPFLAGS = -D_GNU_SOURCE
scanner.h: scanner.l
$(LEX) -v $<
......
......@@ -141,6 +141,10 @@ typedef struct
char *net_family;
char *net_protocol;
char *net_sock_type;
char *net_local_addr;
unsigned long net_local_port;
char *net_foreign_addr;
unsigned long net_foreign_port;
} aa_log_record;
/**
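Review bot: The four new aa_log_record members extend a public struct, so the library's allocation, zero-initialisation and free paths (none of them in this hunk) have to change with it: net_local_addr and net_foreign_addr receive strdup'd strings from the scanner and must be released wherever the record is freed, and the two port fields must start at the value consumers treat as unset (the test harness below uses 0). A comment recording that convention on the new fields would help, e.g. `unsigned long net_local_port; /* 0 when the log line carried no lport= */`. Appending members also changes sizeof(aa_log_record); presumably no caller allocates the record itself, but that is worth stating in the API notes.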
......
......@@ -83,6 +83,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
%token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
%token <t_str> TOK_IP_ADDR
%token TOK_EQUALS
%token TOK_COLON
......@@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
%token TOK_KEY_CAPNAME
%token TOK_KEY_OFFSET
%token TOK_KEY_TARGET
%token TOK_KEY_LADDR
%token TOK_KEY_FADDR
%token TOK_KEY_LPORT
%token TOK_KEY_FPORT
%token TOK_SYSLOG_KERNEL
......@@ -268,6 +273,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ /* target was always name2 in the past */
ret_record->name2 = $3;
}
| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
{ ret_record->net_local_addr = $3;}
| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
{ ret_record->net_foreign_addr = $3;}
| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
{ ret_record->net_local_port = $3;}
| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
{ ret_record->net_foreign_port = $3;}
| TOK_MSG_REST
{
ret_record->event = AA_RECORD_INVALID;
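Review bot: The new laddr/faddr actions store the strdup'd TOK_IP_ADDR value straight into `ret_record->net_local_addr` / `net_foreign_addr`, so a log line that carries the same key twice leaks the first allocation; `free(ret_record->net_local_addr); ret_record->net_local_addr = $3;` (and the same for the foreign address) keeps a single malformed line from leaking. The lport/fport actions copy a TOK_DIGITS value into an unsigned long with no range check, so `lport=70000` is accepted as a port; if these fields are meant as port numbers, a bounds check or at least a comment stating that the raw value is stored would document the contract. The enclosing `key:` rule continues outside the hunk.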
......
......@@ -133,8 +133,15 @@ key_capability "capability"
key_capname "capname"
key_offset "offset"
key_target "target"
key_laddr "laddr"
key_faddr "faddr"
key_lport "lport"
key_fport "fport"
audit "audit"
/* network addrs */
ip_addr [a-f[:digit:].:]{3,}
/* syslog tokens */
syslog_kernel kernel{colon}
syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
......@@ -149,6 +156,7 @@ dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
%x dmesg_timestamp
%x safe_string
%x audit_types
%x ip_addr
%x other_audit
%x unknown_message
......@@ -201,6 +209,12 @@ yy_flex_debug = 0;
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
}
<ip_addr>{
{ip_addr} { yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
{equals} { return(TOK_EQUALS); }
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
}
<audit_types>{
{equals} { return(TOK_EQUALS); }
{digits} { yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
......@@ -270,6 +284,10 @@ yy_flex_debug = 0;
{key_capname} { return(TOK_KEY_CAPNAME); }
{key_offset} { return(TOK_KEY_OFFSET); }
{key_target} { return(TOK_KEY_TARGET); }
{key_laddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
{key_faddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
{key_lport} { return(TOK_KEY_LPORT); }
{key_fport} { return(TOK_KEY_FPORT); }
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
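Review bot: In the new `<ip_addr>` block the error fallback on the `.` rule does `BEGIN(INITIAL)`, but this state is entered through `yy_push_state(ip_addr, yyscanner)` from the `{key_laddr}` and `{key_faddr}` rules further down, so on a malformed laddr=/faddr= value the pushed entry is never popped and the start-condition stack grows by one each time; a later `yy_pop_state` then lands in a stale state. Using `. { yy_pop_state(yyscanner); yyless(0); }` there keeps push and pop balanced. The `ip_addr` definition also deserves a comment: `[a-f[:digit:].:]{3,}` covers dotted quads and lowercase IPv6 text but equally matches strings such as `...` or `abc`, and the parser stores whatever matches without validation, so the field is the raw token rather than a checked address.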
......
......@@ -10,7 +10,7 @@ WriteMakefile(
'FIRST_MAKEFILE' => 'Makefile.perl',
'ABSTRACT' => q[Perl interface to AppArmor] ,
'VERSION' => q[@VERSION@],
'INC' => q[-I@top_srcdir@/src @CFLAGS@],
'INC' => q[@CPPFLAGS@ -I@top_srcdir@/src @CFLAGS@],
'LIBS' => q[-L@top_builddir@/src/.libs/ -lapparmor @LIBS@],
'OBJECT' => 'libapparmor_wrap.o', # $(OBJ_EXT)
) ;
......
......@@ -10,8 +10,7 @@ AM_CFLAGS = -Wall
noinst_PROGRAMS = test_multi.multi
test_multi_multi_SOURCES = test_multi.c
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
test_multi_multi_LDFLAGS = $(LDFLAGS)
test_multi_multi_CFLAGS = -Wall
test_multi_multi_LDADD = -L../src/.libs -lapparmor
clean-local:
......
......@@ -51,6 +51,18 @@ int main(int argc, char **argv)
return ret;
}
#define print_string(description, var) \
if ((var) != NULL) { \
printf("%s: %s\n", (description), (var)); \
}
/* unset is the value that the library sets to the var to indicate
that it is unset */
#define print_long(description, var, unset) \
if ((var) != (unsigned long) (unset)) { \
printf("%s: %ld\n", (description), (var)); \
}
int print_results(aa_log_record *record)
{
printf("Event type: ");
......@@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
{
printf("Protocol: %s\n", record->net_protocol);
}
print_string("Local addr", record->net_local_addr);
print_string("Foreign addr", record->net_foreign_addr);
print_long("Local port", record->net_local_port, 0);
print_long("Foreign port", record->net_foreign_port, 0);
printf("Epoch: %lu\n", record->epoch);
printf("Audit subid: %u\n", record->audit_sub_id);
return(0);
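Review bot: print_long formats an unsigned long with `%ld` (the record declares net_local_port and net_foreign_port as unsigned long), which is undefined for values above LONG_MAX and trips -Wformat; use `%lu`. Both macros also expand to a bare `if` statement, so `print_string(...);` followed by an `else`, or either macro inside an unbraced `if`, parses wrongly; wrapping them as `#define print_long(description, var, unset) do { if ((var) != (unsigned long)(unset)) printf("%s: %lu\n", (description), (var)); } while (0)` avoids that. Worth a one-line comment that choosing 0 as the unset marker means a genuine port 0 is never printed.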
......
Apr 5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6
START
File: test_multi/testcase_network_01.in
Event type: AA_RECORD_DENIED
Audit ID: 1308766940.698:3704
Operation: sendmsg
Profile: /usr/bin/evince-thumbnailer
Command: evince-thumbnai
Parent: 24737
PID: 24743
Network family: inet
Socket type: stream
Protocol: tcp
Local addr: 192.168.66.150
Foreign addr: 192.168.66.200
Local port: 765
Foreign port: 2049
Epoch: 1308766940
Audit subid: 3704
Apr 5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6
START
File: test_multi/testcase_network_02.in
Event type: AA_RECORD_DENIED
Audit ID: 1308766940.698:3704
Operation: sendmsg
Profile: /usr/bin/evince-thumbnailer
Command: evince-thumbnai
Parent: 24737
PID: 24743
Network family: inet
Socket type: stream
Protocol: tcp
Local port: 765
Foreign port: 2049
Epoch: 1308766940
Audit subid: 3704
type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6
START
File: test_multi/testcase_network_03.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1333648169.009:11707146
Operation: accept
Profile: /usr/lib/dovecot/imap-login
Command: imap-login
Parent: 25932
PID: 5049
Network family: inet6
Socket type: stream
Protocol: tcp
Local port: 143
Epoch: 1333648169
Audit subid: 11707146
type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6
START
File: test_multi/testcase_network_04.in
Event type: AA_RECORD_DENIED
Audit ID: 1333697181.284:273901
Operation: recvmsg
Profile: /home/ubuntu/tmp/nc
Command: nc
Parent: 1596
PID: 1056
Network family: inet6
Socket type: stream
Protocol: tcp
Local addr: ::1
Foreign addr: ::1
Local port: 2048
Foreign port: 33986
Epoch: 1333697181
Audit subid: 273901
type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6
START
File: test_multi/testcase_network_05.in
Event type: AA_RECORD_DENIED
Audit ID: 1333698107.128:273917
Operation: recvmsg
Profile: /home/ubuntu/tmp/nc
Command: nc
Parent: 1596
PID: 1875
Network family: inet6
Socket type: stream
Protocol: tcp
Local addr: ::ffff:127.0.0.1
Foreign addr: ::ffff:127.0.0.1
Local port: 2048
Foreign port: 59180
Epoch: 1333698107
Audit subid: 273917
......@@ -56,6 +56,7 @@ install: local
${PROFILES_DEST}/program-chunks \
${PROFILES_DEST}/tunables \
${PROFILES_DEST}/tunables/home.d \
${PROFILES_DEST}/tunables/multiarch.d \
${PROFILES_DEST}/local
install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
install -m 644 ${ABSTRACTIONS_TO_COPY} ${PROFILES_DEST}/abstractions
......
......@@ -17,7 +17,7 @@
# .Xauthority files required for X connections, per user
@{HOME}/.Xauthority r,
owner /{,var/}run/gdm/*/database r,
owner /{,var/}run/gdm{,3}/*/database r,
owner /{,var/}run/lightdm/authority/[0-9]* r,
# the unix socket to use to connect to the display
......
# vim:syntax=apparmor
# This file contains basic permissions for Apache and every vHost
#include <abstractions/nameservice>
# Apache
network inet stream,
network inet6 stream,
# apache manual, error pages and icons
/usr/share/apache2/** r,
# changehat itself
/proc/*/attr/current w,
# htaccess files - for what ever it is worth
/**/.htaccess r,
/dev/urandom r,
......@@ -2,7 +2,7 @@
# aspell permissions
# per-user settings and dictionaries
@{HOME}/.aspell.*.{pws,prepl} rk,
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
# system libraries and dictionaries
/usr/lib/aspell/ r,
......
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd
# Copyright (C) 2009-2012 Canonical Ltd
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -47,3 +47,5 @@
# smbpass
#include <abstractions/smbpass>
# p11-kit (PKCS#11 modules configuration)
#include <abstractions/p11-kit>
......@@ -36,8 +36,8 @@
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r,
......@@ -86,6 +86,7 @@
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
/sys/devices/system/cpu/online r,
# glibc's *printf protections read the maps file
@{PROC}/*/maps r,
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -13,3 +13,6 @@
/etc/cups/client.conf r,
# client should be able to talk the local cupsd
/{,var/}run/cups/cups.sock w,
# client should be able to read user-specified cups configuration
owner @{HOME}/.cups/client.conf r,
owner @{HOME}/.cups/lpoptions r,
......@@ -52,5 +52,5 @@
/usr/share/java/zemberek-tr-[0-9]*.jar r,
# per-user dictionaries
owner @{HOME}/.config/enchant/ r,
owner @{HOME}/.config/enchant/ rw,
owner @{HOME}/.config/enchant/* rwk,
......@@ -39,6 +39,8 @@
@{HOME}/.fonts.cache-2 mr,
@{HOME}/.fontconfig/ r,
@{HOME}/.fontconfig/** mrl,
@{HOME}/.fonts.conf.d/ r,
@{HOME}/.fonts.conf.d/** r,
/usr/local/share/fonts/ r,
/usr/local/share/fonts/** r,
......@@ -25,8 +25,8 @@
@{HOME}/.DCOPserver_* r,
@{HOME}/.ICEauthority r,
@{HOME}/.fonts.* lrw,
@{HOME}/.kde/share/config/kdeglobals rw,
@{HOME}/.kde/share/config/*.lock rwl,
@{HOME}/.kde{,4}/share/config/kdeglobals rw,
@{HOME}/.kde{,4}/share/config/*.lock rwl,
@{HOME}/.qt/** rw,
@{HOME}/.config/Trolltech.conf rwk,
......
# ------------------------------------------------------------------
#
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
/etc/pkcs11/ r,
/etc/pkcs11/pkcs11.conf r,
/etc/pkcs11/modules/ r,
/etc/pkcs11/modules/* r,
/usr/lib{,32,64}/pkcs11/*.so mr,
/usr/lib/@{multiarch}/pkcs11/*.so mr,
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
# included in this abstraction.
# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to explicity
# deny access
# privacy-violations contains rules for common files that you want to
# explicitly deny access
# privacy violations (don't audit files under $HOME otherwise get a
# lot of false positives when reading contents of directories)
......@@ -15,7 +15,9 @@
# special attention to (potentially) executable files
audit deny @{HOME}/bin/** wl,
audit deny @{HOME}/.config/autostart/** wl,
audit deny @{HOME}/.kde/Autostart/** wl,
audit deny @{HOME}/.kde{,4}/Autostart/** wl,
audit deny @{HOME}/.kde{,4}/env/** wl,
audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
......
# vim:syntax=apparmor
# privacy-violations-strict contains additional rules for sensitive
# files that you want to explicity deny access
# files that you want to explicitly deny access
#include <abstractions/private-files>
......@@ -13,6 +13,6 @@
audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
audit deny @{HOME}/.evolution/** mrwkl,
audit deny @{HOME}/.config/evolution/** mrwkl,
audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
......@@ -31,4 +31,7 @@
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
/usr/include/python{2,3}.[0-7]*/pyconfig.h
/usr/include/python{2,3}.[0-7]*/pyconfig.h r,
# python setup script used by apport
/etc/python{2,3}.[0-7]*/sitecustomize.py r,
......@@ -10,4 +10,4 @@
/usr/bin/kget PUxr,
/usr/bin/ktorrent PUxr,
/usr/bin/qbittorrent PUxr,
/usr/bin/transmission PUxr,
/usr/bin/transmission{,-gtk,-qt,-cli} PUxr,
......@@ -28,6 +28,10 @@
# and abrowser)
/usr/lib/firefox-*/firefox.sh PUx,
# Iceweasel
/usr/bin/iceweasel PUx,
/usr/lib/iceweasel/iceweasel PUx,
# some unpackaged, but popular browsers
/usr/lib/icecat-*/icecat PUx,
/usr/bin/opera PUx,
......
......@@ -46,3 +46,11 @@
/opt/google/talkplugin/lib/*.so mr,
/opt/google/talkplugin/GoogleTalkPlugin ixr,
owner @{HOME}/.config/google-googletalkplugin/** rw,
# If we allow the above, nvidia based systems will also need these
/dev/nvidactl rw,
/dev/nvidia0 rw,
@{PROC}/interrupts r,
# Virus scanners
/usr/bin/clamscan PUx,
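Review bot: `/dev/nvidactl rw,` looks like a typo for `/dev/nvidiactl`, the control node the NVIDIA driver creates; as written the rule matches nothing and the plugin would still be denied on such systems — confirm against the denial log that motivated it. `/dev/nvidia0` only covers the first GPU; `/dev/nvidia[0-9]* rw,` is the usual form. Because this file is pulled into the browser profiles, the three rules hand the browser read/write on GPU device nodes unconditionally; the comment explains the trigger, and could add that admins who do not use the talk plugin can drop them.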
......@@ -8,3 +8,4 @@
/usr/bin/vim.gnome PUxr,
/usr/bin/leafpad PUxr,
/usr/bin/mousepad PUxr,
/usr/bin/kate PUxr,
......@@ -7,6 +7,7 @@
/usr/bin/apturl PUxr,
/usr/bin/gnome-codec-install PUxr,
/usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
/usr/share/software-center/software-center PUxr,
# Input Methods
/usr/bin/scim PUx,
......@@ -14,10 +15,13 @@
# File managers
/usr/bin/nautilus PUxr,
/usr/bin/thunar PUxr,
/usr/bin/{t,T}hunar PUxr,
# Themes
/usr/bin/gnome-appearance-properties PUxr,
# Kubuntu
/usr/lib/mozilla/kmozillahelper PUxr,
# Exo-aware applications
/usr/bin/exo-open ixr,
......@@ -11,7 +11,7 @@
#include <abstractions/private-files>
audit deny @{HOME}/.ssh/** mrwkl,
audit deny @{HOME}/.gnome2_private/** mrwkl,
audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
# Comment this out if using gpg plugin/addons
audit deny @{HOME}/.gnupg/** mrwkl,
......
......@@ -4,6 +4,7 @@
#
/usr/bin/amarok PUxr,
/usr/bin/audacious2 PUxr,
/usr/bin/audacity PUxr,
/usr/bin/bangarang PUxr,
/usr/bin/banshee PUxr,
/usr/bin/banshee-1 PUxr,
......
......@@ -23,6 +23,7 @@
capability chown,
capability dac_override,
capability dac_read_search,
capability fsetid,
capability fowner,
capability sys_tty_config,
......
......@@ -8,7 +8,11 @@
capability setgid,
capability setuid,
# http://www.postfix.org/SASL_README.html#server_dovecot
/etc/dovecot/dovecot.conf r,
/etc/dovecot/{auth,conf}.d/*.conf r,
/etc/dovecot/dovecot-postfix.conf r,
@{HOME} r,
@{HOME}/Maildir/ rw,
@{HOME}/Maildir/** klrw,
......
......@@ -11,6 +11,7 @@
capability sys_chroot,
network inet stream,
network inet6 stream,
/usr/lib/dovecot/imap-login mr,
/{,var/}run/dovecot/login/ r,
......
......@@ -2,6 +2,7 @@
/usr/sbin/avahi-daemon {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/dbus>
#include <abstractions/nameservice>
capability chown,
......@@ -19,10 +20,10 @@
/proc/*/fd/ r,
/usr/sbin/avahi-daemon mr,
/usr/share/avahi/introspection/*.introspect r,
/usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
/{,var/}run/avahi-daemon/ w,
/{,var/}run/avahi-daemon/pid krw,
/{,var/}run/avahi-daemon/socket w,
/{,var/}run/dbus/system_bus_socket w,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.avahi-daemon>
......
......@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
@{TFTP_DIR}=/var/tftp /srv/tftpboot
#include <tunables/global>
/usr/sbin/dnsmasq {
#include <abstractions/base>
......@@ -36,6 +38,10 @@
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
# for the read-only TFTP server
@{TFTP_DIR}/ r,
@{TFTP_DIR}/** r,
# libvirt lease and hosts files for dnsmasq
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/*.leases rw,
......
......@@ -21,12 +21,17 @@
capability sys_tty_config,
/etc/mtab r,
/etc/netgroup r,
/etc/printcap r,
/etc/samba/* rwk,
/proc/*/mounts r,
/proc/sys/kernel/core_pattern r,
/usr/lib*/samba/vfs/*.so mr,
/usr/lib*/samba/charset/*.so mr,
/usr/lib*/samba/auth/script.so mr,
/usr/lib*/samba/{lowercase,upcase,valid}.dat r,
/usr/sbin/smbd mr,
/etc/samba/* rwk,
/usr/sbin/smbldap-useradd Px,
/var/cache/samba/** rwk,
/var/cache/samba/printing/printers.tdb mrw,
/var/lib/samba/** rwk,
......
# Last Modified: Tue Jan 3 00:17:40 2012
#include <tunables/global>
/usr/sbin/smbldap-useradd {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
#include <abstractions/perl>
/dev/tty rw,
/bin/bash ix,
/etc/init.d/nscd Cx,
/etc/shadow r,
/etc/smbldap-tools/smbldap.conf r,
/etc/smbldap-tools/smbldap_bind.conf r,
/usr/sbin/smbldap-useradd r,
/usr/sbin/smbldap_tools.pm r,
/var/log/samba/log.smbd w,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.smbldap-useradd>
profile /etc/init.d/nscd {
#include <abstractions/base>
#include <abstractions/nameservice>
capability sys_ptrace,
/bin/bash r,
/bin/mountpoint rix,
/bin/systemctl rix,
/dev/tty rw,
/etc/init.d/nscd r,
/etc/rc.status r,
}
}
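Review bot: The new profile grants `/etc/shadow r,` and the nscd child profile `capability sys_ptrace,` without a comment on why either is needed, and both are the kind of rule a later reader questions first. The `Last Modified` header suggests the profile was generated from logs, so presumably the script reads the shadow entry through the smbldap tools and the init script needs sys_ptrace to inspect other processes under /proc — confirm and record it, e.g. `/etc/shadow r, # smbldap-tools looks up the account entry`. The child profile also runs `/bin/systemctl rix,` under itself with nothing beyond the two abstractions, so on a systemd host any further access systemctl needs will be denied; an audit run there, or a `local/` include for the child, is worth doing before shipping.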
......@@ -12,6 +12,7 @@
#include <tunables/global>
/usr/sbin/httpd2-prefork {
#include <abstractions/apache2-common>
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/kerberosclient>
......@@ -78,8 +79,6 @@
/usr/local/tomcat/conf/mod_jk.conf r,
/usr/local/tomcat/conf/workers-ajp12.properties r,
/usr/sbin/httpd2-prefork r,
/usr/share/apache2/error/* r,
/usr/share/apache2/error/include/* r,
/usr/share/misc/magic.mime r,
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/*.{txt,mib} r,
......@@ -125,21 +124,20 @@
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts r,
/srv/www/vhosts/** r,
# SuSE location of the apache manual + error pages
/usr/share/apache2/** r,
# php session state
/var/lib/php/sess_* rwl,
^HANDLING_UNTRUSTED_INPUT {
#include <abstractions/nameservice>
#include <abstractions/apache2-common>
/var/log/apache2/* w,
/**.htaccess r,
audit /.htaccess r, # WARNING: .htaccess directly in / will be disallowed in future versions
# (.htaccess in subdirectories is and will stay allowed by abstractions/apache2-common)
}
^DEFAULT_URI {
#include <abstractions/nameservice>
#include <abstractions/apache2-common>
#include <abstractions/base>
# Note that mod_perl, mod_php, mod_python, etc, allows in-apache
......@@ -176,8 +174,6 @@
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts r,
/srv/www/vhosts/** r,
# SuSE location of the apache manual + error pages
/usr/share/apache2/** r,
# php session state
/var/lib/php/sess_* rwl,
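Review bot: In the HANDLING_UNTRUSTED_INPUT hat, `/**.htaccess r,` sits next to the new apache2-common include (whether retained or added is not recoverable here), and since `**` also matches across `/` it still grants `/.htaccess` — and any file whose name merely ends in `.htaccess`, such as `/etc/foo.htaccess`; the new `audit /.htaccess r,` therefore only adds auditing, and the announced future removal has to narrow this rule as well. The abstraction already supplies `/**/.htaccess r,`, so the line can be dropped or narrowed to that form. The warning comment could say so: `# (.htaccess in subdirectories is and will stay allowed by abstractions/apache2-common; /**.htaccess here is the rule that will go)`.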
......
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
......@@ -33,6 +34,7 @@
/dev/ptmx rw,
/dev/urandom r,
/etc/default/locale r,
/etc/environment r,
/etc/hosts.allow r,
/etc/hosts.deny r,
......@@ -55,10 +57,12 @@
/bin/bash2 rUx,
/bin/bsh rUx,
/bin/csh rUx,
/bin/dash rUx,
/bin/ksh rUx,
/bin/sh rUx,
/bin/tcsh rUx,
/bin/zsh rUx,
/bin/zsh4 rUx,
/sbin/nologin rUx,
# Call passwd for password change when expired
......@@ -74,6 +78,7 @@
# duplicated from AUTHENTICATED
/etc/motd r,
/{,var/}run/motd r,
/tmp/ssh-*/agent.[0-9]* rwl,
/tmp/ssh-*[0-9]*/ w,
......@@ -89,10 +94,12 @@
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,
/bin/dash Ux,
/bin/ksh Ux,
/bin/sh Ux,
/bin/tcsh Ux,
/bin/zsh Ux,
/bin/zsh4 Ux,
/sbin/nologin Ux,
# for debugging
......@@ -161,6 +168,7 @@
/etc/localtime r,
/etc/login.defs r,
/etc/motd r,
/{,var/}run/motd r,
/tmp/ssh-*/agent.[0-9]* rwl,
/tmp/ssh-*[0-9]*/ w,
......
......@@ -28,7 +28,7 @@
/bin/cat rmix,
/bin/bash rmix,
/dev/log w,
/etc/.pwd.lock rw,
/etc/.pwd.lock rwk,
/etc/cron.deny r,
/etc/default/useradd r,
/etc/group* rwl,
......
......@@ -770,12 +770,18 @@ sub create_new_profile($) {
my $hashbang = head($fqdbin);
if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
my $interpreter = get_full_path($1);
$profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("r");
$profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
$profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
$profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
if ($interpreter =~ /perl/) {
$profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
} elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
$profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
} elsif ($interpreter =~ m/python/) {
$profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
} elsif ($interpreter =~ m/ruby/) {
$profile->{$fqdbin}{include}->{"abstractions/ruby"} = 1;
}
handle_binfmt($profile->{$fqdbin}, $interpreter);
} else {
......@@ -4791,13 +4797,9 @@ sub sub_mode_to_str($) {
$str .= "a" if ($mode & $AA_MAY_APPEND);
$str .= "l" if ($mode & $AA_MAY_LINK);
$str .= "k" if ($mode & $AA_MAY_LOCK);
if ($mode & $AA_EXEC_UNCONFINED) {
if ($mode & $AA_EXEC_UNSAFE) {
$str .= "u";
} else {
$str .= "U";
}
}
# modes P and C *must* come before I and U; otherwise syntactically
# invalid profiles result
if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) {
if ($mode & $AA_EXEC_UNSAFE) {
$str .= "p";
......@@ -4812,7 +4814,18 @@ sub sub_mode_to_str($) {
$str .= "C";
}
}
# modes P and C *must* come before I and U; otherwise syntactically
# invalid profiles result
if ($mode & $AA_EXEC_UNCONFINED) {
if ($mode & $AA_EXEC_UNSAFE) {
$str .= "u";
} else {
$str .= "U";
}
}
$str .= "i" if ($mode & $AA_EXEC_INHERIT);
$str .= "x" if ($mode & $AA_MAY_EXEC);
return $str;
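Review bot: In create_new_profile the interpreter is taken from the first token of the `#!` line, so a script starting `#!/usr/bin/env python` resolves `$interpreter` to env's path: none of the perl/bash/python/ruby patterns match, no abstraction is included, and `ix` is granted to env rather than to the interpreter. Capturing an optional second token, `/^#!\s*(\S+)(?:\s+(\S+))?/`, and using it when the first resolves to `env` would cover that case. The two `|= 0;` assignments only autovivify the path entry, presumably so the script's own path is written out; a comment such as `# no-op: autovivify the entry so the script path is emitted` would save the next reader a puzzle, and the unanchored `/perl/`, `m/python/`, `m/ruby/` matches deserve a note that they are substring tests on the resolved path. The sub continues outside the hunk.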
......