[pkg-apparmor] Bug#810888: bin.ping: does not let iputils-ping read /etc/libnl-3 or @{PROC}/@{pid}/net/psched

Simon McVittie smcv at debian.org
Wed Jan 13 11:41:52 UTC 2016


Package: apparmor-profiles
Version: 2.10-2
Severity: minor
Tags: patch

Please consider these new rules for /{usr/,}bin/ping:

  /etc/libnl*/** r,
  @{PROC}/@{pid}/net/psched r,

which address these AppArmor complaints:

Jan 13 11:18:03 perpetual kernel: [377675.445075] audit: type=1400 audit(1452683883.352:67): apparmor="ALLOWED" operation="open" profile="/{usr/,}bin/ping" name="/proc/2576/net/psched" pid=2576 comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 13 11:18:03 perpetual kernel: [377675.445218] audit: type=1400 audit(1452683883.352:68): apparmor="ALLOWED" operation="open" profile="/{usr/,}bin/ping" name="/etc/libnl-3/classid" pid=2576 comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

(I'm assuming that subsequent versions of libnl, a netlink library,
won't put sensitive information in /etc/libnl* either.)

The rule for psched can't use "owner" because fsuid != ouid.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.10-2+b2

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- no debconf information
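As an added illustration that is not part of the bug report above, the script below parses the two audit lines quoted in it and derives the candidate profile rules the same way the reporter did: it rewrites the concrete /proc/<pid>/ path with the @{PROC}/@{pid} variables and only emits the "owner" qualifier when fsuid equals ouid, which is why the psched rule comes out without it. Generalising /etc/libnl-3/classid to /etc/libnl*/** is a judgment the reporter made about future libnl versions; the script deliberately keeps the literal path.

```python
import re

# Two audit lines, constructed as copies of the ones quoted in the report.
AUDIT_LINES = [
    'Jan 13 11:18:03 perpetual kernel: [377675.445075] audit: type=1400 '
    'audit(1452683883.352:67): apparmor="ALLOWED" operation="open" '
    'profile="/{usr/,}bin/ping" name="/proc/2576/net/psched" pid=2576 '
    'comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Jan 13 11:18:03 perpetual kernel: [377675.445218] audit: type=1400 '
    'audit(1452683883.352:68): apparmor="ALLOWED" operation="open" '
    'profile="/{usr/,}bin/ping" name="/etc/libnl-3/classid" pid=2576 '
    'comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def suggest_rule(event):
    """Turn one file-access event into a candidate profile rule, or None."""
    if event.get("type") != "1400" or "denied_mask" not in event:
        return None
    path = event["name"]
    # Abstract the concrete pid away with AppArmor's @{PROC}/@{pid} variables.
    pid_prefix = "/proc/%s/" % event["pid"]
    if path.startswith(pid_prefix):
        path = "@{PROC}/@{pid}/" + path[len(pid_prefix):]
    # "owner" only holds when the task's fsuid equals the file's owner uid;
    # for /proc/<pid>/net/psched fsuid=1000 but ouid=0, so it is omitted.
    prefix = "owner " if event["fsuid"] == event["ouid"] else ""
    return "%s%s %s," % (prefix, path, event["denied_mask"])


def suggest_rules(lines):
    """Map each audit line to its rule, grouped by profile name."""
    rules = {}
    for line in lines:
        event = parse_audit_line(line)
        rule = suggest_rule(event)
        if rule:
            rules.setdefault(event["profile"], []).append(rule)
    return rules


if __name__ == "__main__":
    for profile, candidates in suggest_rules(AUDIT_LINES).items():
        print(profile)
        for rule in candidates:
            print("  " + rule)
```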
