[pkg-aa-profiles-team] a bunch of improvements i don't know where to throw

anarcat anarcat at debian.org
Thu Jun 19 14:28:09 UTC 2014


Hi,

I started using apparmor in Jessie recently, and I have hit a bunch of
warnings that were not in the already vast inventory of profiles.

I have installed apparmor-profiles and dumped all the "extras" into
/etc/apparmor.d (yes, I'm like that).

First off, one thing that is totally broken is the "chromium"
abstraction from lightdm: that just needs to go, otherwise we get silly
warnings that make aa-logprof basically unusable. I lost the error
message, but removing

   apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser

and fixing apparmor.d/lightdm-guest-session so it doesn't include it
fixed it for me. (Also note that for chromium to be confined, #742829 is
required, but that's another story.)

The second thing is that aa-logprof really makes it difficult to review
changes to apparmor.d with versioning tools. Part of this is because
the apparmor.d files use arbitrary order for the file flags, so we get
stuff like:

- /etc/krb5.keytab kr,
+ /etc/krb5.keytab rk,
- /bin/true mixr,
+ /bin/true mrix,
- /tmp/logrot* wlr,
+ /tmp/logrot* rwl,

etc, etc. I strongly suggest sorting all those flags the same way
aa-logprof does it. I would try those, short of doing a real sort:

sed -i "s/mixr/mrix/;s/rmix/mrix/;s/wlr/rwl/;s/wr/rw/;s/kr/rk/;s/lrw/rwl/" *

That's probably not all of them, and it's really silly: we should
probably just sanitise those files to the same format as outputted by
aa-logprof using some tool before they are committed to the package.

Finally, we use dash. Everywhere. Almost every package out there I could
find, I had to do:

   /bin/bash mixr,
+  /bin/dash mixr,
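
Review bot: the added `/bin/dash mixr,` line uses the `mixr` flag order that, per the `/bin/true` example earlier in this message, aa-logprof rewrites to `mrix`. Adding it as `/bin/dash mrix,` would keep this rule out of the reordering noise the next time aa-logprof touches the profile.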

grah. It seems to me this should be in an abstraction somehow, but then
abstractions/bash doesn't allow bash execution, so it's not the right
place to fix this, most likely.

(it's also terrifying to see the number of things that call bash...)

So here's my gigantic patch of messed up improvements. I'm sorry that I
can't submit this in a more piecemeal fashion, but I hope that can be
picked up and factored in at some point. I did try to do a significant
amount of work to avoid noise in the diff, so it should still be pretty
readable.

Outline:

 * enforce man
 * fix a bunch of issues with postfix, mostly re. locking (in progress)
 * expand sshd's permissions
 * fix less
 * fix logrotate
 * fix p11-kit for cups

I'll keep on trying to improve on this as I go along, but really, it's
annoyingly difficult to do so when there's so much noise in the diff.
Fixing the order of the flags in apparmor-profiles seems like a must if
we want this maintainable in the long term.

A.


-- 
Si Dieu existe, j'espère qu'Il a une excuse valable
                        - Daniel Pennac
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apparmor-improvements.patch
Type: text/x-diff
Size: 10419 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-aa-profiles-team/attachments/20140619/77315ee8/attachment.patch>
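
The "real sort" the message stops short of, as an added example (not the poster's code and not part of the AppArmor tools): it reorders only the permission field of path-first file rules, so substrings such as the `kr` in `krb5.keytab` are never touched. The canonical order (`mrwalk`, then the exec mode) is an assumption inferred from the `mrix`, `rwl` and `rk` examples in the message; the function names and the sample profile are constructed.

```python
import re

# Assumption: canonical order is "mrwalk" then the exec mode, inferred from
# the mrix / rwl / rk examples in the message (the slot for "a" is a guess).
SIMPLE_ORDER = "mrwalk"
# Exec transition modes (ix, ux, Px, Cx, pix, PUx, ...) are kept as one unit.
EXEC_RE = re.compile(r"[PpCc][iuU]?x|ix|[uU]x")
# Path-first file rule: [qualifiers] /path perms, [# comment]
RULE_RE = re.compile(
    r"^(\s*(?:(?:audit|deny|owner)\s+)*)"   # indentation and qualifiers
    r"((?:/|@\{)\S*)(\s+)"                  # path, then separator
    r"([mrwalkixuUpPcC]+)"                  # permission flags
    r"(\s*,.*)$"                            # comma and any trailing comment
)

def sort_perms(perms):
    """Return perms in canonical order, or unchanged if not understood."""
    execs = EXEC_RE.findall(perms)
    rest = EXEC_RE.sub("", perms)
    if len(execs) > 1 or any(c not in SIMPLE_ORDER for c in rest):
        return perms
    return "".join(c for c in SIMPLE_ORDER if c in rest) + "".join(execs)

def normalize_line(line):
    """Reorder the flags of one rule line; the path is never rewritten."""
    m = RULE_RE.match(line)
    if not m:
        return line  # includes, capabilities, "->" rules, comments, ...
    prefix, path, sep, perms, tail = m.groups()
    return prefix + path + sep + sort_perms(perms) + tail

def normalize_profile(text):
    return "\n".join(normalize_line(l) for l in text.split("\n"))

# Constructed sample: rules from the message plus a path containing "wr"/"kr".
SAMPLE = """\
  #include <abstractions/base>
  /etc/krb5.keytab kr,
  /bin/true mixr,
  /tmp/logrot* wlr,
  owner /usr/lib/wrapper/mkrepo rmix, # helper
  /bin/dash Cx -> shell,
"""

if __name__ == "__main__":
    print(normalize_profile(SAMPLE), end="")
```

Lines the pattern does not recognise, including rules with a `->` target, pass through unchanged, so running it twice gives the same output as running it once.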