0789b32d69
- update zgrep-profile-mr870.diff: allow zgrep to execute egrep and fgrep (poo#113108) OBS-URL: https://build.opensuse.org/request/show/985681 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=338
[Extended to include the fix from https://gitlab.com/apparmor/apparmor/-/merge_requests/873]
|
|
[Extended to include the fix from https://gitlab.com/apparmor/apparmor/-/merge_requests/892]
|
|
|
|
|
|
From 3a3b49ccd93d00cbc373319b90c6acecdd6f45fa Mon Sep 17 00:00:00 2001
|
|
From: Christian Boltz <apparmor@cboltz.de>
|
|
Date: Sun, 10 Apr 2022 15:03:08 +0200
|
|
Subject: [PATCH] Add zgrep and xzgrep profile
|
|
|
|
This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2
|
|
(code execution via "funny" filenames)
|
|
---
|
|
profiles/apparmor.d/zgrep | 59 +++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 59 insertions(+)
|
|
create mode 100644 profiles/apparmor.d/zgrep
|
|
|
|
Index: apparmor-3.0.4/profiles/apparmor.d/zgrep
|
|
===================================================================
|
|
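--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/zgrep
@@ -0,0 +1,66 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile zgrep /usr/bin/{x,}zgrep {
+ include <abstractions/base>
+ include <abstractions/bash>
+
+ /dev/tty rw,
+ /usr/bin/{ba,da,}sh ix,
+ /usr/bin/bzip2 Cx -> helper,
+ /usr/bin/cat ix,
+ /usr/bin/egrep Cx -> helper,
+ /usr/bin/expr ix,
+ /usr/bin/fgrep Cx -> helper,
+ /usr/bin/grep Cx -> helper,
+ /usr/bin/gzip Cx -> helper,
+ /usr/bin/mktemp ix,
+ /usr/bin/rm ix,
+ /usr/bin/sed Cx -> sed,
+ /usr/bin/xz Cx -> helper,
+ /usr/bin/xzgrep r,
+ /usr/bin/zgrep Cx -> helper,
+ /usr/bin/zstd Cx -> helper,
+ owner /tmp/zgrep* rw,
+ /usr/bin/zgrep r,
+
+ include if exists <local/zgrep>
+
+ profile helper {
+ include <abstractions/base>
+
+ capability dac_override,
+ capability dac_read_search,
+
+ /dev/tty w,
+
+ /usr/bin/{ba,da,}sh ix,
+ /usr/bin/bzip2 mr,
+ /usr/bin/grep mrix,
+ /usr/bin/gzip mr,
+ /usr/bin/xz mr,
+ /usr/bin/zstd mr,
+ /{,**} r,
+
+ }
+
+ profile sed {
+ include <abstractions/base>
+
+ /dev/tty rw,
+ /usr/bin/{ba,da,}sh ix,
+ /usr/bin/sed mr,
+
+ }
+}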
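Review bot: The helper child profile keeps `capability dac_override,` alongside `capability dac_read_search,` even though its only write rule is `/dev/tty w,` and every other file rule is read-only (`/{,**} r,`); for the privileged reads that grep and the decompressors perform, dac_read_search alone is sufficient, so dac_override looks surplus and needlessly widens what a misbehaving helper could do — keep it only if audit logs show it being exercised. The newly routed `/usr/bin/egrep Cx -> helper,` and `/usr/bin/fgrep Cx -> helper,` evidently depend on the helper's `/usr/bin/{ba,da,}sh ix,` plus `/usr/bin/grep mrix,`, presumably because those two are shell wrappers that exec grep; a comment above the two rules such as `# egrep/fgrep are shell wrappers around grep, hence sh ix + grep mrix in helper` would explain why grep wrappers need a shell in the child profile. The indentation of the profile body appears collapsed to a single space in this rendering, so the shipped file should be checked against the project's usual two-space indent.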
|