felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(abs): glibc: restrict auxv maps and statux to owner.

Browse source
This commit is contained in:
Alexandre Pujol 2025-08-28 21:15:42 +02:00
parent 81d020173d
commit 4db65834a4
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
8 changed files with 14 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

12
apparmor.d/abstractions/glibc
View file

@ -22,9 +22,15 @@
@{PROC}/stat r, @{PROC}/stat r,
# Glibc's *printf protections read the maps file # Glibc's *printf protections read the maps file
@{PROC}/@{pid}/auxv r, owner @{PROC}/@{pid}/auxv r,
@{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/maps r,
@{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/status r,
# @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
# but in a format that is simpler to manage, because it doesn't require to
# parse the text data inside a file, but just reading the contents of
# a directory.
owner @{PROC}/@{pid}/map_files/ r,
# Glibc statvfs # Glibc statvfs
@{PROC}/filesystems r, @{PROC}/filesystems r,

1
apparmor.d/groups/apt/apt-overlay
View file

@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} {
/root/ r, /root/ r,
owner @{PROC}/@{pids}/loginuid r, owner @{PROC}/@{pids}/loginuid r,
owner @{PROC}/@{pids}/maps r,
include if exists <local/apt-overlay> include if exists <local/apt-overlay>
} }

3
apparmor.d/groups/polkit/polkitd
View file

@ -65,8 +65,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/fdinfo/@{int} r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/status r,
@{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,

1
apparmor.d/groups/procps/ps
View file

@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r, @{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/status r,
@{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/@{pids}/task/@{tid}/stat r,

1
apparmor.d/groups/systemd/systemd-journald
View file

@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted
@{PROC}/@{pids}/comm r, @{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/sessionid r, @{PROC}/@{pids}/sessionid r,
@{PROC}/@{pids}/status r,
@{PROC}/pressure/* r, @{PROC}/pressure/* r,
@{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/hostname r,

2
apparmor.d/groups/virt/libvirtd
View file

@ -284,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/etc/qemu/{,**} r, /etc/qemu/{,**} r,
owner @{PROC}/@{pids}/status r, @{PROC}/@{pids}/status r,
/dev/net/tun rw, /dev/net/tun rw,

2
apparmor.d/profiles-m-r/mdevctl
View file

@ -19,8 +19,6 @@ profile mdevctl @{exec_path} {
@{sys}/class/mdev_bus/ r, @{sys}/class/mdev_bus/ r,
@{sys}/devices/@{pci}/mdev_supported_types/{,**} r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r,
@{PROC}/@{pids}/maps r,
include if exists <local/mdevctl> include if exists <local/mdevctl>
} }

2
apparmor.d/profiles-s-z/syncoid
View file

@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) {
/etc/mbuffer.rc r, /etc/mbuffer.rc r,
@{PROC}/@{pids}/maps r,
include if exists <local/syncoid> include if exists <local/syncoid>
} }