Closed HorlogeSkynet closed 5 months ago
Hi, only seeing your mastodon message now.
Here are my comments on your profile:
aa-*
tools. (Yes, I do it in apparmor.d
... do what I say, not what I do...)rix
, not with PUx
: ls
, free
, uptime
, getent
/{,usr/}sbin
-> /{,usr/}{s,}bin/
network inet stream
(unless you get a no-new-priv error)Regarding the abi/3.0
. This is not supported in Debian, but you can safely remove it on Debian. It is mostly here for future proofing as with they will be a abi/4.0
with AppArmor 4.x that may add features.
Hey @ingrinder ! Could you take a look to this PR ? Even if you don't actually have AppArmor on your system, I'd love hearing one more comment on the restrictions and/or the packaging.
Bye, thanks again :wave:
I'm a touch busy at the moment, but I can certainly take a proper look in a few weeks (unless you want to push this soon?) Just let me know.
It's okay to postpone this a bit, we are ready for a new release 😉
Hi @HorlogeSkynet!
Finally I have taken a look over this PR, for now just manually reading through the code. I have left a few inline comments, some other thoughts:
* We need to add `Distributions` file access permissions - e.g. the `/etc/*release` files (and maybe anything `distro` accesses?) * Also need to add the screenshot tools in `Screenshot`. Is there an established way in AppArmor to get permission to write to a file to somewhere sensible, e.g. a screenshots folder in the home directory (or at least create one in cwd?) or does it have to be hard-coded like `@{HOME}/specific/path`? * We should probably add a `README.md` notice for the `Custom` entries for anyone running AA instructing them to make an additional profile for their command.
I'll test it out for real soon on my system - when I get around to finally rebooting 😜
See you!
Thanks for this complete review Michael !
I've not tested everything (yet), keep me posted, bye :pray:
It's me again !
So about the remaining points :
/usr/bin/import
resolves to /usr/bin/import-im6.q16
, thus /{,usr/}bin/import PUx
does not allow its execution). Also see upstream issue ;Bye, many thanks :wave:
Hey @ingrinder, do you think we could/should include this in the next release ? 🙂
@HorlogeSkynet sure! I think there might be a couple of additions to make first.
Here's what I noticed from aa-logprof
now I have AA set up on my system:
/usr/bin
read access -- unsure where this one is coming from, but I haven't noticed anything broken without it in enforce mode...urllib
:
/etc/ssl/openssl.conf
and/or /etc/ssl/openssl.cnf
(probably use abstractions/openssl
)/etc/nsswitch.conf
/etc/host.conf
/run/systemd/resolve/stub-resolv.conf
(from the symlink at /etc/resolv.conf
)./etc/hosts
Did you find a solution to the symlinks e.g. with import on your system? I'm not sure how you could account for them aside from adding all the known locations manually!
@HorlogeSkynet sure! I think there might be a couple of additions to make first.
Thanks again for this feedback !
Here's what I noticed from
aa-logprof
now I have AA set up on my system:1. `/usr/bin` read access -- unsure where this one is coming from, but I haven't noticed anything broken without it in enforce mode...
Indeed, maybe an oversight of the tool itself ?
2. Networking stuff -- I think this is because I have the WAN_IP DNS config option turned off, so read access to these are required for `urllib`: * `/etc/ssl/openssl.conf` and/or `/etc/ssl/openssl.cnf` (probably use `abstractions/openssl`) * `/etc/nsswitch.conf` * `/etc/host.conf` * `/run/systemd/resolve/stub-resolv.conf` (from the symlink at `/etc/resolv.conf`). * `/etc/hosts`
You're absolutely right, 'just (rebased and) added openssl
and nameservices
abstractions.
Did you find a solution to the symlinks e.g. with import on your system? I'm not sure how you could account for them aside from adding all the known locations manually!
None ! Upstream issue is still opened, and it doesn't appear there is an easy way to deal with it.
A "dirty" way though would be to prepare an IMPORT_SYMLINK
placeholder and dynamically resolve it during install (in after_install
for instance)...
Maybe a cleaner approach would be to specify a wildcard for "known" import
symlink targets :upside_down_face:
Bye :wave:
@HorlogeSkynet
You're absolutely right, 'just (rebased and) added
openssl
andnameservices
abstractions.
Is it called nameservices
on Debian? Here on Arch it appears to be just nameservice
:-)
Other than that those changes seem to make it work great for me!
Is it called
nameservices
on Debian? Here on Arch it appears to be justnameservice
:-)
Nice catch, sorry for the typo.
I've just force-pushed again to fix this issue and opted for a relatively simple wildcard for import
(regular and high resolution) targets.
Bye, thanks again :wave:
You were right about /usr/bin/
opened for reading ! I wasn't able to completely figure it out but it looks related to Python internals. I've added the corresponding permission to profile and edited changelog ; Merging here !
Thanks again :wave:
:warning: TODO :
dh_apparmor
for Debian (see here) ?/etc/apparmor.d/usr.bin.archey4
marked as a configuration file ?dig
opens UDP sockets (under its own profile) : removenetwork
related permissionsWarning from /etc/apparmor.d (/etc/apparmor.d/usr.bin.archey4 line 7): /sbin/apparmor_parser: Profile abi not supported, falling back to system abi.
Description
This patch provides a first AppArmor profile candidate to be included in Archey GNU/Linux distribution packages.
Reason and / or context
See https://apparmor.net/.
How has this been tested ?
Debian 11.
Types of changes :
Checklist :