[Extended to include the fix from https://gitlab.com/apparmor/apparmor/-/merge_requests/873]
From 3a3b49ccd93d00cbc373319b90c6acecdd6f45fa Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 10 Apr 2022 15:03:08 +0200
Subject: [PATCH] Add zgrep and xzgrep profile

This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 (code execution via "funny" filenames)
---
profiles/apparmor.d/zgrep | 59 +++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 profiles/apparmor.d/zgrep

diff --git a/profiles/apparmor.d/zgrep b/profiles/apparmor.d/zgrep
new file mode 100644
index 000000000..0bf0765d1
--- /dev/null
+++ b/profiles/apparmor.d/zgrep
@@ -0,0 +1,60 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile zgrep /usr/bin/{x,}zgrep {
+ include
+ include
+
+ /dev/tty rw,
+ /usr/bin/bash ix,
+ /usr/bin/bzip2 Cx -> helper,
+ /usr/bin/cat ix,
+ /usr/bin/expr ix,
+ /usr/bin/grep Cx -> helper,
+ /usr/bin/gzip Cx -> helper,
+ /usr/bin/mktemp ix,
+ /usr/bin/rm ix,
+ /usr/bin/sed Cx -> sed,
+ /usr/bin/xz Cx -> helper,
+ /usr/bin/xzgrep r,
+ /usr/bin/zgrep Cx -> helper,
+ owner /tmp/zgrep* rw,
+ /usr/bin/zgrep r,
+
+ include if exists
+
+ profile helper {
+ include
+
+ capability dac_override,
+ capability dac_read_search,
+
+ /usr/bin/bash ix,
+ /usr/bin/bzip2 mr,
+ /usr/bin/grep mr,
+ /usr/bin/gzip mr,
+ /usr/bin/xz mr,
+ /{,**} r,
+
+ }
+
+ profile sed {
+ include
+
+ /dev/tty rw,
+ /usr/bin/bash ix,
+ /usr/bin/sed mr,
+
+ }
+}
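Review bot: The `helper` child profile grants `capability dac_override,` although every file rule in it is read-only (`mr` entries and `/{,**} r,`), so the capability is broader than the profile can make use of; `dac_read_search` already lifts read and directory-search checks for a root invocation, which is all a decompress-then-grep pipeline needs. I would drop `capability dac_override,` or, if some distribution's gzip/xz really needs it, keep it with a comment saying why. Both child profiles also allow `/usr/bin/bash ix,` without stating what needs a shell under `helper` or `sed` (presumably sed's command-execution feature for the latter), and since the confinement only holds because neither child grants any other exec permission, a one-line comment such as `# bash stays confined: no other exec permissions in this child profile` would make that intent reviewable. Finally, the `abi` and `include` lines show no target in this rendering (their angle-bracket arguments appear stripped), so the tunables and abstractions pulled in could not be checked here; the diffstat's 59 insertions versus the hunk's 60 lines is presumably the MR 873 extension noted at the top.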