feat(abs): glibc: restrict auxv maps and statux to owner.

2025-08-28 21:15:42 +02:00 · 2025-08-28 21:15:42 +02:00 · 4db65834a4
commit 4db65834a4
parent 81d020173d
8 changed files with 14 additions and 10 deletions
--- a/apparmor.d/abstractions/glibc
+++ b/apparmor.d/abstractions/glibc
@ -22,9 +22,15 @@
  @{PROC}/stat r,

  # Glibc's *printf protections read the maps file
-  @{PROC}/@{pid}/auxv r,
-  @{PROC}/@{pid}/maps r,
-  @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/auxv r,
+  owner @{PROC}/@{pid}/maps r,
+  owner @{PROC}/@{pid}/status r,
+
+  # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
+  # but in a format that is simpler to manage, because it doesn't require to
+  # parse the text data inside a file, but just reading the contents of
+  # a directory.
+  owner @{PROC}/@{pid}/map_files/ r,

  # Glibc statvfs
  @{PROC}/filesystems r,
--- a/apparmor.d/groups/apt/apt-overlay
+++ b/apparmor.d/groups/apt/apt-overlay
@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} {
  /root/ r,

  owner @{PROC}/@{pids}/loginuid r,
-  owner @{PROC}/@{pids}/maps r,

  include if exists <local/apt-overlay>
 }
--- a/apparmor.d/groups/polkit/polkitd
+++ b/apparmor.d/groups/polkit/polkitd
@ -65,8 +65,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {

  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/cmdline r,
-  @{PROC}/@{pid}/fdinfo/@{int} r,
+  @{PROC}/@{pids}/fdinfo/@{int} r,
  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/status r,
  @{PROC}/@{pids}/task/@{tid}/stat r,
  @{PROC}/1/environ r,
  @{PROC}/cmdline r,
--- a/apparmor.d/groups/procps/ps
+++ b/apparmor.d/groups/procps/ps
@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pids}/loginuid r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/statm r,
+  @{PROC}/@{pids}/status r,
  @{PROC}/@{pids}/task/ r,
  @{PROC}/@{pids}/task/@{tid}/cmdline r,
  @{PROC}/@{pids}/task/@{tid}/stat r,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted
  @{PROC}/@{pids}/comm r,
  @{PROC}/@{pids}/loginuid r,
  @{PROC}/@{pids}/sessionid r,
+  @{PROC}/@{pids}/status r,
  @{PROC}/pressure/* r,
  @{PROC}/sys/kernel/hostname r,

--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -284,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {

    /etc/qemu/{,**} r,

-    owner @{PROC}/@{pids}/status r,
+    @{PROC}/@{pids}/status r,

    /dev/net/tun rw,

--- a/apparmor.d/profiles-m-r/mdevctl
+++ b/apparmor.d/profiles-m-r/mdevctl
@ -19,8 +19,6 @@ profile mdevctl @{exec_path} {
  @{sys}/class/mdev_bus/ r,
  @{sys}/devices/@{pci}/mdev_supported_types/{,**} r,

-  @{PROC}/@{pids}/maps r,
-
  include if exists <local/mdevctl>
 }

--- a/apparmor.d/profiles-s-z/syncoid
+++ b/apparmor.d/profiles-s-z/syncoid
@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) {

  /etc/mbuffer.rc r,

-  @{PROC}/@{pids}/maps r,
-
  include if exists <local/syncoid>
 }