Commit aae8683b authored by André Magalhães's avatar André Magalhães

Make obsolete chaiwala-apparmor-session-lockdown a transitional package

Also remove the corresponding apparmor abstractions/profiles that were shipped by it.

Apertis: https://phabricator.apertis.org/T3604
Signed-off-by: Andre Moreira Magalhaes (andrunko) <andre.magalhaes@collabora.co.uk>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D6683
parent 3fc8752c
# vim:syntax=apparmor
#
# Copyright (C) 2012-2015 Collabora Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Author: Cosimo Alfarano <cosimo.alfarano@collabora.co.uk>
#include <tunables/global>
profile /usr/bin/X flags=(complain) {
#include <abstractions/chaiwala-base>
#include <abstractions/X>
#include <abstractions/authentication>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/wutmp>
#include <abstractions/consoles>
capability setuid,
capability sys_admin,
capability sys_rawio,
/etc/X11/ r,
/etc/X11/** r,
/run/udev/data/ r,
/run/udev/data/** r,
/etc/udev/udev.conf r,
/var/log/Xorg.* rw,
/dev/vga_arbiter rw,
/dev/tty* rw,
/dev/input/* rw,
/dev/fb0 rw,
owner /proc/*/auxv r,
/sys/bus/ r,
/sys/bus/pci/devices/ r,
/sys/class/ r,
/sys/class/tty/ r,
/sys/class/input/ r,
/sys/class/drm/ r,
/sys/devices/** r,
@{PROC}/mtrr rw,
@{PROC}/*/cmdline r,
/var/lib/xkb/** r,
/usr/lib/xorg/modules/** rm,
/usr/bin/X rixm,
/usr/bin/Xorg rmPx,
}
# vim:syntax=apparmor
#
# Copyright (C) 2012-2015 Collabora Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Author: Cosimo Alfarano <cosimo.alfarano@collabora.co.uk>
#include <tunables/global>
profile /usr/bin/Xorg flags=(complain) {
#include <abstractions/chaiwala-base>
#include <abstractions/dbus-strict>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/authentication>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/wutmp>
#include <abstractions/consoles>
capability setuid,
capability setgid,
capability sys_rawio,
capability sys_admin,
capability sys_tty_config,
capability ipc_owner,
/usr/bin/Xorg mr,
# xkbcomp is invoked using /bin/sh
/bin/dash ixr,
/usr/bin/xkbcomp ixr,
# In newer versions, /usr/bin/Xorg is a shell script and the real X server
# is /usr/lib/xorg/Xorg
/usr/lib/xorg/Xorg ixr,
@{PROC}/ r,
@{PROC}/** r,
@{PROC}/mtrr w,
/dev/ r,
/dev/** rw,
/etc/udev/udev.conf r,
/sys/ r,
/sys/** r,
/sys/devices/** rw,
/usr/lib/xorg/ r,
/usr/lib/xorg/** rwmk,
/run/udev/data/ r,
/run/udev/data/** r,
# temporary files
/tmp/*.xkm rw,
/tmp/file* rw,
/var/lib/xkb/*.xkm rw,
/var/lib/xkb/file* rw,
/var/log/ wr,
/var/log/Xorg.* rw,
unix (send, receive, accept, listen, bind) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
dbus (send, receive) peer=(label="/lib/systemd/systemd-logind"),
signal receive set=(term) peer="/usr/bin/xorg-launch-helper",
# Sent to our parent when we are ready to accept connections
signal send set=(usr1) peer="/usr/bin/xorg-launch-helper",
}
# vim:syntax=apparmor
#
# Copyright (C) 2015 Collabora Ltd.
# This process would normally be unconfined - it is system infrastructure
# and doesn't do enough to have any significant attack surface - but giving
# it a profile lets us identify it in other profiles. As a result, this
# profile is in complain mode.
#include <tunables/global>
profile /usr/bin/xorg-launch-helper flags=(complain) {
#include <abstractions/base>
/run/user/*/systemd/notify w,
/usr/bin/X rpx,
/usr/bin/Xorg rpx,
signal send set=(term) peer="/usr/bin/Xorg",
# Sent when Xorg is ready to accept connections
signal receive set=(usr1) peer="/usr/bin/Xorg",
}
# vim:syntax=apparmor
#
# Copyright (C) 2012-2015 Collabora Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Author: Cosimo Alfarano <cosimo.alfarano@collabora.co.uk>
# NOTE: DEPRECATED. Remove when SDK starts using systemd for the user session.
#
# /usr/sbin/nodm
# \_ /usr/bin/X :0 -nolisten tcp vt8
# \_ /usr/sbin/nodm
# \_ /usr/bin/dbus-launch --exit-with-session bash -c xclock&x-window-manager
# \_ /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session bash -c xclock&x-window-manager
# \_ bash -c xclock&x-window-manager
# \_ xclock
# \_ x-window-manager
#include <tunables/global>
/usr/sbin/nodm flags=(complain) {
#include <abstractions/chaiwala-base>
#include <abstractions/xdg-desktop>
#include <abstractions/dbus-session>
#include <abstractions/audio>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/authentication>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
#include <abstractions/user-tmp>
#include <abstractions/consoles>
capability sys_tty_config,
capability kill,
capability setgid,
capability setuid,
capability dac_override,
capability audit_control,
capability audit_write,
capability sys_resource,
@{PROC}/ r,
@{PROC}/** r,
owner @{PROC}/*/loginuid w,
@{PROC}/mtrr w,
/dev/tty* rw,
/etc/environment r,
/etc/default/locale r,
/etc/security/ r,
/etc/security/** r,
/etc/profile r,
/etc/profile.d/ r,
/etc/X11/Xsession Px,
@{HOME}/.profile r,
/run/systemd/users/* r,
/usr/bin/X rmPx,
/usr/bin/Xorg rmPx,
# nodm needs to exec() some binaries which does not need their own profile,
# some are utilities (/bin/id). One of them is /bin/dash (called as /bin/sh
# for XSession), let's not give it (and locally used utils) more privs than
# nodm has
/{,usr/}{,s}bin/* rmix,
}
/etc/X11/Xsession flags=(complain) {
#include <abstractions/chaiwala-base>
#include <abstractions/user-tmp>
#include <abstractions/dbus-session>
#include <abstractions/nameservice>
#include <abstractions/consoles>
#include <abstractions/gsettings>
#include <abstractions/gnome>
#include <abstractions/X>
#include <abstractions/chaiwala-helpers>
capability setgid,
capability setuid,
# XSession is run as a shell script, which will acess dash (implicitely
# inheriting from this profile) which will need to access the Xsession*
# files
/etc/X11/app-defaults/ r,
/etc/X11/app-defaults/** r,
/etc/X11/Xsession{,.options} r,
# run-parts in Xsession
/etc/X11/Xsession.d/ r,
# FIXME: finally it will be necessary to have a list of files instead of
# enabling everything
/etc/X11/Xsession.d/** r,
/etc/X11/Xresources/ r,
/etc/X11/Xresources/** r,
# Read by pam_systemd.so
/run/systemd/users/* r,
@{PROC}/*/cmdline r,
owner @{PROC}/*/fd/ r,
# ssh-agent
/etc/ssl/openssl.cnf r,
# dash (XSession is run with #!/bin/sh -l)
/etc/profile r,
/etc/profile.d/ r,
# x-window-manager
# Depends: X, gnome
# x-terminal-emulator
/dev/ptmx rw,
owner @{PROC}/*/loginuid rw,
# Used by dbus-launch
/etc/dbus-1/ r,
/etc/dbus-1/** r,
/usr/share/dbus-1/** r,
@{HOME}/.dbus/ rw,
@{HOME}/.dbus/** rw,
/bin/dbus-daemon Cx,
# execute inheriting from this profile, so everything executed by
# Xsession needs to be defined within its profile unless a more
# specific rule is defined and needed above (see dbus-daemon)
/usr/bin/** Pixr,
/usr/sbin/** Pixr,
/bin/** Pixr,
/sbin/** Pixr,
# FIXME: this is not good, but XSession will eventually be removed, so it's no harm so far.
# Important is to not Uncontain anything, especially a shell, with its replacement.
/bin/sh rmUx,
/usr/bin/x-terminal-emulator Ux,
/usr/bin/xterm mrUx,
/etc/bash.bashrc r,
/etc/inputrc r,
# Having a child profile allows the session bus to be detected as a
# transition from the Xsession profile (launched by dbus-launch), while
# leaving the system bus on its own
#include <abstractions/dbus-daemon>
}
# vim:syntax=apparmor
#
# Copyright (C) 2012-2015 Collabora Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Author: Nirbheek Chauhan <nirbheek.chauhan@collabora.co.uk>
#include <tunables/global>
profile /usr/bin/lxterm flags=(complain) {
#include <abstractions/chaiwala-base>
/bin/* mrUx,
/usr/bin/* mrUx,
/usr/lib/** mrUx,
/usr/share/** mr,
}
# TODO: Create a new profile for dbus-daemon that contains both session and
# system buses. I can't think of a way to only contain the session bus.
# See: abstractions/dbus-daemon for existing work.
#
# profile /bin/dbus-daemon {
#
# }
profile /usr/lib/at-spi2-core/at-spi-bus-launcher flags=(complain) {
#include <abstractions/chaiwala-base>
#include <abstractions/nameservice>
owner @{HOME}/.Xauthority r,
/usr/lib/*/libatspi.so.0.0.1 rmix,
/usr/lib/at-spi2-core/at-spi-bus-launcher rm,
/usr/lib/at-spi2-core/at-spi2-registryd rmPx,
owner @{PROC}/*/fd/ r,
/bin/dbus-daemon Cx,
# Having a child profile allows the a11y bus to be detected as a transition
# from this profile, while leaving the other buses on their own
#include <abstractions/dbus-daemon>
}
profile /usr/lib/at-spi2-core/at-spi2-registryd flags=(complain) {
#include <abstractions/chaiwala-base>
#include <abstractions/nameservice>
/usr/lib/*/libatspi.so.0.0.1 rmix,
/usr/lib/at-spi2-core/at-spi-bus-launcher rmPx,
/usr/lib/at-spi2-core/at-spi2-registryd rm,
}
etc/apparmor.d/usr.bin.X
etc/apparmor.d/usr.bin.Xorg
etc/apparmor.d/usr.bin.xorg-launch-helper
etc/apparmor.d/usr.sbin.nodm
etc/apparmor.d/usr.session-startup
rm_conffile /etc/apparmor.d/usr.session-startup UNRELEASED chaiwala-apparmor-session-lockdown
rm_conffile /etc/apparmor.d/usr.sbin.nodm UNRELEASED chaiwala-apparmor-session-lockdown
rm_conffile /etc/apparmor.d/usr.bin.xorg-launch-helper UNRELEASED chaiwala-apparmor-session-lockdown
rm_conffile /etc/apparmor.d/usr.bin.Xorg UNRELEASED chaiwala-apparmor-session-lockdown
rm_conffile /etc/apparmor.d/usr.bin.X UNRELEASED chaiwala-apparmor-session-lockdown
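Review bot: rm_conffile only deletes the profile files from /etc/apparmor.d on upgrade; a profile that is already loaded in the kernel stays active until the next reboot or an explicit `apparmor_parser -R`, so unless the apparmor service is reloaded elsewhere during the upgrade the old complain-mode profiles for X, Xorg, xorg-launch-helper, nodm and the session keep applying after the package has become transitional. If this is the new maintscript for chaiwala-apparmor-session-lockdown, consider pairing it with a postinst step that unloads those profiles, or documenting that a reboot is expected. The prior-version argument `UNRELEASED` must also be replaced by the real version before release, since `dpkg-maintscript-helper rm_conffile` feeds it to `dpkg --compare-versions` to decide whether the removal applies.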
......@@ -26,10 +26,12 @@ Description: miscellaneous Apertis-specific "drop-in" configuration
Package: chaiwala-apparmor-session-lockdown
Architecture: all
Depends: ${misc:Depends}
Depends:
${misc:Depends},
chaiwala-apparmor-profiles (>= UNRELEASED)
Recommends: apparmor, apparmor-profiles, chaiwala-apparmor-profiles
Description: nodm apparmor secured session
This package secures nodm using AppArmor.
Description: Transitional package
Transitional package.
Package: chaiwala-apparmor-profiles
Architecture: all
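Review bot: The new stanza's long description is just `Transitional package.`, which does not tell an administrator what replaced it or whether it can be removed; the usual form is `This is a transitional package to chaiwala-apparmor-profiles. It can safely be removed.`, together with `Section: oldlibs` so that the package is recognised as a dummy by tooling. The relation `chaiwala-apparmor-profiles (>= UNRELEASED)` relies on UNRELEASED being substituted at build time; if it reaches the built package unchanged, dpkg treats it as a non-numeric version and the intended ordering is not enforced. The rendering does not show whether the `Recommends: apparmor, apparmor-profiles, chaiwala-apparmor-profiles` line survives on the new side; if it does, it should be dropped, as a transitional package should pull in only its replacement.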