| === ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: leosilva | ||
| ahasenack | hi #security, I have an apparmor question. The path for a profile is incorrect: https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/samba-bgqd?h=ubuntu/jammy-devel | 13:59 |
|---|---|---|
| ahasenack | the samba-bgqd binary is in /usr/lib/*/samba, not /usr/lib*/samba | 14:00 |
| ahasenack | we are working on an sru for this (to fix the actual binary placement, not the profile) | 14:00 |
| ahasenack | but I"m wondering about workarounds users could apply | 14:00 |
| ahasenack | and the question is, is there a way via the "include if exists" line to override this path? | 14:01 |
| ahasenack | I guess in this case no, because the path is in the profile definition as well? | 14:01 |
| ahasenack | via the include, I could add another line to allow "m" on the correct path, like "/usr/lib/*/samba/samba-bgqd m,", (see line 16) | 14:01 |
| ahasenack | but what about the (incorrect) path in line 5? | 14:02 |
| ahasenack | note that this profile is also used in a transition, in which case I think the path in that lint 5 won't matter, because the transition uses the profile name. That transition is in line 40 here: https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/usr.sbin.smbd?h=ubuntu/jammy-devel#n40 | 14:03 |
| ahasenack | so the path in the profile name in the former file would just be used if that binary was ran on its own, from elsewhere | 14:04 |
| ahasenack | which is a case I would still like to keep | 14:04 |
| ahasenack | also, kind of related question (sorry!), is there a better globbing for the arch name other than jusr /usr/lib/*/ ? | 14:05 |
| ahasenack | which would match x86_64-linux-gnu, and all the other arch names | 14:05 |
| rbasak | ahasenack: I think you can use ${DEB_HOST_MULTIARCH} eg. https://salsa.debian.org/pkg-netfilter-team/pkg-libmnl/-/blob/master/debian/libmnl-dev.install | 14:10 |
| rbasak | That presumably needs a new enough debhelper | 14:10 |
| rbasak | Oh, but I'm talking about packaging and you're talking about apparmor. | 14:11 |
| rbasak | Sorry! | 14:11 |
| ahasenack | yeah | 14:11 |
| ahasenack | and apparmor can only do simple globbinb afaiak, there are some hilariously weird globbing rules | 14:12 |
| ahasenack | but I do see this, for example: | 14:12 |
| ahasenack | ./usr.lib.snapd.snap-confine.real: deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr, | 14:12 |
| ahasenack | that @{multiarch} name | 14:12 |
| ahasenack | @{multiarch}=*-linux-gnu* | 14:15 |
| georgiag | ahasenack: yes, there's @{multiarch}, so right now you would need to do something like what snapd is doing. there's an old open MR for introducing @{lib}, though so I'll try to see what we can do to unblock that | 14:18 |
| ahasenack | georgiag: why the x32 and x64 options, for other linux distros? | 14:18 |
| georgiag | ahasenack: I'm not sure but it would make sense | 14:20 |
| ahasenack | that @{multiarch} macro might not match on armhf | 14:25 |
| ahasenack | just checked a jammy armhf host, and it only has /usr/lib/arm-linux-gnueabihf | 14:25 |
| ahasenack | oh, I missed the last *, multiarch would work on armhf too: @{multiarch}=*-linux-gnu* | 14:36 |
| jjohansen | ahasenack: so, /usr/lib*/samba/samba-bgqd m, is only mmapping, a workaround for the user would be just to ignore it, it adds extra permissions to that location, but doesn't stop you from adding a rule through include if exits | 16:55 |
| jjohansen | if you want to remove it via the include if exists, you can drop a | 16:55 |
| jjohansen | deny /usr/lib*/samba/samba-bgqd m, | 16:55 |
| jjohansen | deny rules have higher priority | 16:55 |
| jjohansen | it will effectively room the rule in the main profile when compiled | 16:56 |
| jjohansen | and of course you would drop the correct rule into the include if exists as well | 16:56 |
| jjohansen | the line 5 profile definition can't be fixed by an include | 16:57 |
| jjohansen | so no simple drop in with editing the base profile file :( | 16:58 |
| ahasenack | ok, thanks | 17:42 |
| === JanC_ is now known as JanC | ||
| === mbuhl6 is now known as mbuhl | ||
| === eb3095-Vultr_ is now known as eb3095-Vultr | ||
| === codingkoopa6 is now known as codingkoopa | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!