5958c64a3e
added the temporary fix to profiles abstractions/nameservice
OBS-URL: https://build.opensuse.org/request/show/530988
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=185
40 lines
1.4 KiB
Diff
Subject: [PATCH] Temporarily fix socket mediation in nameservice

References: bsc#1061195

As per the conversation on IRC:

cboltz: ah yes, the upstreamed version fixes a couple
holes in the old patch suse carried

One of these "holes" was unix events, which explains the denials you noticed (and that I also see now after installing 4.14rc2).

The final solution will be to add some "unix" rules - but that's hard at the moment because 4.14 doesn't log all details needed for unix rules.

Instead, I'll add a temporary patch for abstractions/nameservice that adds

network unix dgram,
network unix stream,

(including a TODO note to replace it as soon as support for unix rules
is upstreamed, probably 4.15). These rules are broader than needed,
but should avoid user-visible breakage - and at least with 4.14, unix
rules would get downgraded to network unix anyway ;-)

---
profiles/apparmor.d/abstractions/nameservice | 6 ++++++
1 file changed, 6 insertions(+)
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -92,5 +92,11 @@
# Netlink raw needed for nscd
network netlink raw,
+ # This is a temporary fix for nameservices with the new socket
+ # mediations in 4.14-rc2
+ # TODO: To be replaced once unix rules are upstreamed
+ network unix dgram,
+ network unix stream,
+
# interface details
@{PROC}/@{pid}/net/route r,
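Review bot: the added `network unix dgram,` and `network unix stream,` rules grant every profile that includes this abstraction access to all unix dgram and stream sockets, which the patch description itself calls broader than needed, so the removal needs to be easy to find later. The TODO line (`+ # TODO: To be replaced once unix rules are upstreamed`) should name the tracking reference bsc#1061195 and say what replaces it, for example `# TODO: replace with finer-grained unix rules once supported (bsc#1061195)`. Minor: "nameservices" in the first comment line reads better as "name services", and "socket mediations" as "socket mediation".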