author | intrigeri <intrigeri@boum.org> | 2015-06-03 18:29:10 +0000 |
---|---|---|
committer | intrigeri <intrigeri@boum.org> | 2015-06-03 18:31:46 +0000 |
commit | 6e48b6d6c04b63889033d0a0f0433dfaec36cbec (patch) | |
tree | 98e2c4376a0a0f8e71aac5bd568ed8a707fa85be /config/chroot_local-patches | |
parent | d3e79b87abe86b82a94861f5a394150a30946596 (diff) |
Use aliases so that our AppArmor policy applies to /lib/live/mount/overlay/ and /lib/live/mount/rootfs/filesystem.squashfs/ as well as it applies to /.
That's something I wanted to avoid initially, for various reasons that are
explained already in [[contribute/design/application_isolation]]. However, now
that /lib/live/mount/overlay/ is accessible, I see no better way to protect
files accessed via this path as well as the same files accessed by
"normal" paths.
These changes are likely to increase policy compilation time a bit; benchmarking
will tell. If that's too severe a problem, we have a few potential ways out
that are already documented in the "Increased policy compilation time" section
of the aforementioned piece of design doc.
Diffstat (limited to 'config/chroot_local-patches')
-rw-r--r-- | config/chroot_local-patches/apparmor-aliases.diff | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/config/chroot_local-patches/apparmor-aliases.diff b/config/chroot_local-patches/apparmor-aliases.diff new file mode 100644 index 0000000..e606c61 --- /dev/null +++ b/config/chroot_local-patches/apparmor-aliases.diff @@ -0,0 +1,41 @@ +--- a/etc/apparmor.d.orig/abstractions/base 2013-07-10 22:05:57.000000000 +0000 ++++ b/etc/apparmor.d/abstractions/base 2015-06-03 18:11:08.402380000 +0000 +@@ -53,10 +53,11 @@ + /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix, + + # we might as well allow everything to use common libraries +- /lib{,32,64}/** r, ++ /lib{32,64}/** r, ++ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r, + /lib{,32,64}/lib*.so* mr, + /lib{,32,64}/**/lib*.so* mr, +- /lib/@{multiarch}/** r, ++ /lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r, + /lib/@{multiarch}/lib*.so* mr, + /lib/@{multiarch}/**/lib*.so* mr, + /usr/lib{,32,64}/** r, +diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /etc/apparmor.d/abstractions/ubuntu-helpers +--- a/etc/apparmor.d.orig/abstractions/ubuntu-helpers 2013-07-10 22:05:57.000000000 +0000 ++++ b/etc/apparmor.d/abstractions/ubuntu-helpers 2015-06-03 18:16:42.022380000 +0000 +@@ -66,7 +66,8 @@ + # Full access + / r, + /** rwkl, +- /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m, ++ /{,usr/,usr/local/}lib{32,64}/{,**/}*.so{,.*} m, ++ /{,usr/,usr/local/}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}{,**/}*.so{,.*} m, + + # Dangerous files + audit deny owner /**/* m, # compiled libraries +diff -Naur '--exclude=cache' /etc/apparmor.d.orig/tunables/alias /etc/apparmor.d/tunables/alias +--- a/etc/apparmor.d.orig/tunables/alias 2013-07-10 22:05:57.000000000 +0000 ++++ b/etc/apparmor.d/tunables/alias 2015-06-03 18:12:46.426380000 +0000 +@@ -14,3 +14,7 @@ + # + # Or if mysql databases are stored in /home: + # alias /var/lib/mysql/ -> /home/mysql/, ++ ++alias / -> /lib/live/mount/overlay/, ++alias / -> /lib/live/mount/rootfs/filesystem.squashfs/, ++ + |
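Review bot: In the abstractions/base hunk, the two `mr` rules `/lib{,32,64}/lib*.so* mr,` and `/lib{,32,64}/**/lib*.so* mr,` are left unchanged, and `**` in AppArmor matches across `/`, so `/lib/**/lib*.so*` still matches anything named `lib*.so*` anywhere below `/lib/live/mount/overlay/`, i.e. anywhere on the overlaid filesystem (a user's home directory included); every profile that includes this abstraction would then be able to mmap such a file. The same `{[^l],l[^i],li[^v],liv[^e],live[^/]}` exclusion that was applied to the `** r,` rule should be applied to the `**/lib*.so* mr,` rule as well, e.g. `/lib{32,64}/**/lib*.so* mr,` plus `/lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/lib*.so* mr,`. Also, unlike the two later files, this first inner diff has no `diff -Naur ...` header line before its `---`/`+++` lines; harmless for `patch`, but inconsistent.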
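Review bot: The abstractions/ubuntu-helpers hunk carries no explanation of the `{[^l],l[^i],li[^v],liv[^e],live[^/]}` idiom (a negated prefix match that keeps `live/` out of the glob), and neither does the base hunk; someone reading config/chroot_local-patches later will not know why `/lib/live` is special-cased. Since this hunk only narrows the `m` rule while `/** rwkl,` two lines above still grants read/write to everything under the overlay, which is the stated intent of this "Full access" abstraction, a one-line `+# ...` comment in the patched file pointing at the application_isolation design doc and stating that only mmap is being restricted here would make the patch self-explanatory.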
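Review bot: In the tunables/alias hunk, `alias / -> /lib/live/mount/overlay/,` and `alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,` duplicate every rule written against `/` under those two prefixes, including any `deny` and `audit` rules, which is what the commit message asks for; but the two mount points are hard-coded here and not checked anywhere in the diff. A build-time check that both paths exist in the live system (or a comment naming where live-boot defines them) would catch a silent mismatch, and it is worth stating whether other squashfs images mounted under /lib/live/mount/rootfs/ (if any are layered) are deliberately left without an alias. The trailing `+` (empty) line also leaves the file ending with a blank line.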