authorintrigeri <intrigeri@boum.org>2015-06-03 18:29:10 +0000
committerintrigeri <intrigeri@boum.org>2015-06-03 18:31:46 +0000
commit6e48b6d6c04b63889033d0a0f0433dfaec36cbec (patch)
tree98e2c4376a0a0f8e71aac5bd568ed8a707fa85be /config/chroot_local-patches/apparmor-aliases.diff
parentd3e79b87abe86b82a94861f5a394150a30946596 (diff)
Use aliases so that our AppArmor policy applies to /lib/live/mount/overlay/ and /lib/live/mount/rootfs/filesystem.squashfs/ as well as to it applies to /.
That's something I wanted to avoid initially, for various reasons that are explained already in [[contribute/design/application_isolation]]. However, now that /lib/live/mount/overlay/ is accessible, I see no better way to protect files accessed via this path as well as the same files accessed by "normal" paths. These changes are likely to increase policy compilation time a bit; benchmarking will tell. If that's too severe a problem, we have a few potential ways out, which are already documented in the "Increased policy compilation time" section of the aforementioned piece of design doc.
Diffstat (limited to 'config/chroot_local-patches/apparmor-aliases.diff')
-rw-r--r--config/chroot_local-patches/apparmor-aliases.diff41
1 files changed, 41 insertions, 0 deletions
diff --git a/config/chroot_local-patches/apparmor-aliases.diff b/config/chroot_local-patches/apparmor-aliases.diff
new file mode 100644
index 0000000..e606c61
--- /dev/null
+++ b/config/chroot_local-patches/apparmor-aliases.diff
@@ -0,0 +1,41 @@
+--- a/etc/apparmor.d.orig/abstractions/base 2013-07-10 22:05:57.000000000 +0000
++++ b/etc/apparmor.d/abstractions/base 2015-06-03 18:11:08.402380000 +0000
+@@ -53,10 +53,11 @@
+ /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
+
+ # we might as well allow everything to use common libraries
+- /lib{,32,64}/** r,
++ /lib{32,64}/** r,
++ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
+ /lib{,32,64}/lib*.so* mr,
+ /lib{,32,64}/**/lib*.so* mr,
+- /lib/@{multiarch}/** r,
++ /lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
+ /lib/@{multiarch}/lib*.so* mr,
+ /lib/@{multiarch}/**/lib*.so* mr,
+ /usr/lib{,32,64}/** r,
+diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /etc/apparmor.d/abstractions/ubuntu-helpers
+--- a/etc/apparmor.d.orig/abstractions/ubuntu-helpers 2013-07-10 22:05:57.000000000 +0000
++++ b/etc/apparmor.d/abstractions/ubuntu-helpers 2015-06-03 18:16:42.022380000 +0000
+@@ -66,7 +66,8 @@
+ # Full access
+ / r,
+ /** rwkl,
+- /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
++ /{,usr/,usr/local/}lib{32,64}/{,**/}*.so{,.*} m,
++ /{,usr/,usr/local/}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}{,**/}*.so{,.*} m,
+
+ # Dangerous files
+ audit deny owner /**/* m, # compiled libraries
+diff -Naur '--exclude=cache' /etc/apparmor.d.orig/tunables/alias /etc/apparmor.d/tunables/alias
+--- a/etc/apparmor.d.orig/tunables/alias 2013-07-10 22:05:57.000000000 +0000
++++ b/etc/apparmor.d/tunables/alias 2015-06-03 18:12:46.426380000 +0000
+@@ -14,3 +14,7 @@
+ #
+ # Or if mysql databases are stored in /home:
+ # alias /var/lib/mysql/ -> /home/mysql/,
++
++alias / -> /lib/live/mount/overlay/,
++alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
++
+
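Review bot: The base abstraction's `r` rules are split to exclude `/lib/live/`, but the adjacent `mr` rules `/lib{,32,64}/**/lib*.so* mr,` and `/lib/@{multiarch}/**/lib*.so* mr,` are left untouched and still match any file under `/lib/live/mount/overlay/` or `/lib/live/mount/rootfs/filesystem.squashfs/` whose name matches `lib*.so*`, so confined processes keep read+mmap access to such files through the live-mount paths regardless of what the alias-derived rules for `/` would allow. If the intent is that only the aliased rules govern those trees, those two lines need the same `{[^l],l[^i],li[^v],liv[^e],live[^/]}` exclusion as the `r` rules, the way the ubuntu-helpers hunk already applies it to its `m` rule. Separately, each embedded header pairs `a/etc/apparmor.d.orig/…` with `b/etc/apparmor.d/…`; which name patch(1) applies to when the two sides differ depends on its heuristics and on which path exists in the chroot, so using the same path on both sides would be more robust. A short comment above the two new `alias` lines, such as `# Each alias duplicates every rule rooted at / for the target tree; see application_isolation design doc for the compile-time trade-off`, would tie the policy to the rationale given in the commit message.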