Commit 06fbf62b authored by André Magalhães

Remove obsolete AppArmor abstraction chaiwala-helpers

Apertis: https://phabricator.apertis.org/T3628

Signed-off-by: Andre Moreira Magalhaes (andrunko) <andre.magalhaes@collabora.co.uk>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D6685
parent 8842d3cf
# vim:syntax=apparmor
#
# Copyright (C) 2012-2015 Collabora Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
###
# <abstractions/chaiwala-helpers>
#
# Allow the including profile to run any executable that has its own profile.
#
# This appears to be a simplified version of upstream's
# <abstractions/ubuntu-helpers>, which was a workaround for
# <https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/851986>.
#
# It is essentially a stopgap solution for confining programs that were
# not originally designed to be confined, and directly launch programs
# that cannot usefully be confined (such as the Nautilus file manager)
# as child processes. The Firefox web browser and the Evince document
# viewer are good examples. Ubuntu is forced to do this because
# as a general-purpose desktop operating system they cannot avoid it,
# but in a purpose-designed secure, app-oriented operating system
# we can do better.
#
# We should not be allowing more-privileged processes to be run as children
# of less-privileged processes unless the more-privileged process is
# specifically designed to be safe for use as a trust boundary in this way
# (with precautions similar to those that would be taken by
# a setuid executable).
#
# The use cases for which this profile was intended are:
#
# - Generic execution
# e.g. use this profile rather than directly /usr/bin/* Pix
#
# - Shells/Interpreters direct executions
# for scripts run as "bash /path/to/script" or "python /path/to/script"
# it's the intepreter (bash, python, etc) to be locked down, rather than the
# script itself. Since it's not possible to provide a per-script profile, so
# far the solution is to run the interpreter code within this profile
#
# Both seem likely to lead to privilege escalation and should be removed.
# See https://phabricator.apertis.org/T3628
#
# Status: Apertis-specific, deprecated, candidate for removal
# Privilege level: dangerous
# Known users: /usr/sbin/nodm (disabled)
# Dependencies: <tunables/global>
###
profile chaiwala_sanitized_helper {
# Allow all networking
network inet,
network inet6,
# Allow exec of anything, but under this profile. Allow transition
# to other profiles if they exist.
/bin/* Pixr,
/sbin/* Pixr,
/usr/bin/* Pixr,
/usr/sbin/* Pixr,
# Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
/usr/lib*/{,**/}* Pixr,
# Dangerous files
audit deny owner /**/* m, # compiled libraries
audit deny owner /**/*.py* r, # python imports
}
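Review bot: Nothing visible here shows that the remaining profiles were checked for references to this file, and the header's "Known users: /usr/sbin/nodm (disabled)" line names one candidate. A profile that still includes <abstractions/chaiwala-helpers> will stop compiling once the file is deleted, and any exec rule that targets chaiwala_sanitized_helper will no longer have a profile to transition to. Please confirm that a search of the shipped profiles for both names comes back empty, including the disabled nodm profile, and say so in the commit message so the removal is auditable.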
rm_conffile /etc/apparmor.d/abstractions/chaiwala-execution UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/chaiwala-helpers UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/chaiwala-user-read UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/chaiwala-user-write UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/dbus-daemon UNRELEASED chaiwala-apparmor-profiles
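Review bot: The rm_conffile entry for /etc/apparmor.d/abstractions/chaiwala-helpers passes UNRELEASED where the helper expects the prior package version. That argument is compared against the installed version to decide whether the conffile is removed on upgrade, so please confirm the packaging replaces the placeholder with the real version at release time, as it must for the neighbouring entries. If it is not replaced, an abstraction whose own header rates it "Privilege level: dangerous" can be left on disk on upgraded systems, where a local profile could still include it.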
......
......@@ -41,6 +41,7 @@ Depends:
${misc:Depends},
Breaks:
apparmor (<< 2.9.1-0ubuntu9co2~),
pulseaudio (<< 1:8.0-0ubuntu3co4~),
Replaces:
apparmor (<< 2.9.1-0ubuntu9co2~),
Description: Apertis-specific AppArmor profiles
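Review bot: The commit message does not explain why the control file changes here, although the hunk header (-41,6 +41,7) shows one line added among the Breaks and Replaces entries. If the pulseaudio (<< 1:8.0-0ubuntu3co4~) bound exists because older pulseaudio packages ship a profile that depends on the removed abstraction, please state that in the commit message or changelog so the version bound can be verified and later dropped safely.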
......