
touch-packages team mailing list archive

[Bug 1089242] Re: apparmor RBAC kill command issue


AppArmor now mediates signals as of 14.04.

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1089242

Title:
  apparmor RBAC kill command issue

Status in “apparmor” package in Ubuntu:
  Fix Released

Bug description:
  Hi All,

  I would like to use AppArmor to confine a user that just has the
  permission to restart apache2, according to
  http://wiki.apparmor.net/index.php/RBAC_2_0#How_can_AppArmor_be_combined_with_sudo_to_provide_RBAC.3F

  I created a hard link of SHELL and used aa-genprof /bin/ashell and
  updated it using aa-logprof.

  Then edited the sudo file.

  user ALL=(ALL:ALL) /bin/ashell

  Everything worked fine.

  But later I found a problem: the user can kill processes whose
  owner is root, e.g. ssh (but can't kill the ntp process because its
  owner is ntp).

  Below is the profile:

  #include <tunables/global>

  /bin/ashell {
  #include <abstractions/apache2-common>
  #include <abstractions/base>
  #include <abstractions/ubuntu-konsole>

  capability dac_override,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  capability sys_resource,


  /bin/cat rix,
  /bin/grep rix,
  /bin/lesspipe rix,
  /bin/ls rix,
  /bin/mkdir rix,
  /bin/plymouth rix,
  /bin/rm rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/songbash mr,
  /bin/uname rix,
  /etc/apache2/apache2.conf r,
  /etc/apache2/conf.d/ r,
  /etc/apache2/conf.d/* r,
  /etc/apache2/envvars r,
  /etc/apache2/httpd.conf r,
  /etc/apache2/mods-available/* r,
  /etc/apache2/mods-enabled/ r,
  /etc/apache2/ports.conf r,
  /etc/apache2/sites-available/default r,
  /etc/apache2/sites-enabled/ r,
  /etc/bash.bashrc r,
  /etc/bash_completion r,
  /etc/bash_completion.d/ r,
  /etc/default/apache2 r,
  /etc/default/rcS r,
  /etc/init.d/apache2 rix,
  /etc/inputrc r,
  /etc/lsb-base-logging.sh r,
  /etc/mime.types r,
  /home/*/.bash_history rw,
  /home/*/.bashrc r,
  /proc/ r,
  /proc/*/cmdline r,
  /proc/*/stat r,
  /proc/cmdline r,
  /run/apache2.pid rw,
  /run/apache2/ r,
  /run/apache2/cgisock.14207 w,
  /run/apache2/cgisock.14258 w,
  /run/apache2/cgisock.14300 w,
  /run/lock/apache2/ r,
  /sbin/killall5 rix,
  /usr/bin/basename rix,
  /usr/bin/dircolors rix,
  /usr/bin/dirname rix,
  /usr/bin/env rix,
  /usr/bin/expr rix,
  /usr/bin/groups rix,
  /usr/bin/install rix,
  /usr/bin/tput rix,
  /usr/bin/tr rix,
  /usr/lib/apache2/mpm-worker/apache2 rix,
  /usr/lib{,32,64}/** mr,
  /usr/sbin/apache2ctl rix,
  /usr/sbin/service rix,
  /usr/share/GeoIP/GeoIP.dat r,
  /var/log/apache2/access.log w,
  /var/log/apache2/error.log w,
  /var/log/apache2/other_vhosts_access.log w,
  /var/log/apache2/write.log w,

  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1089242/+subscriptions
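As an added illustration (not code from the bug report or from the AppArmor project), the checker below parses the subset of profile syntax used in the report and reports the grants that decide who the confined shell can signal: a `capability kill` line, executable signal-delivery tools such as the `/sbin/killall5 rix` rule above, and whether any `signal` rule (the mediation that 14.04 introduced) is present. It runs over a constructed excerpt of the reported profile and over a variant carrying a signal rule; the peer name `/bin/ashell` in that rule assumes the apache2 processes being restarted run under the same profile.

```python
import re

# Subset of the AppArmor profile grammar seen on this page: 'capability NAME,',
# 'PATH PERMS,' and (AppArmor 2.9 / Ubuntu 14.04 and later) 'signal ... ,' rules.
CAP_RE = re.compile(r"^capability\s+(\w+)\s*,$")
SIGNAL_RE = re.compile(r"^(?:deny\s+)?signal\b.*,$")
PATH_RE = re.compile(r"^(/\S+)\s+([A-Za-z]+)\s*,$")

# Programs whose job is delivering signals to other processes. 'ix' keeps them
# inside the shell's own profile, so they get exactly what the shell gets.
SIGNAL_TOOLS = {"/sbin/killall5", "/bin/kill", "/usr/bin/killall", "/usr/bin/pkill"}

def parse_profile(text):
    """Return (capabilities, [(path, perms)], signal_rules) from a profile body."""
    caps, paths, signals = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CAP_RE.match(line)):
            caps.append(m.group(1))
        elif SIGNAL_RE.match(line):
            signals.append(line)
        elif (m := PATH_RE.match(line)):
            paths.append((m.group(1), m.group(2)))
    return caps, paths, signals

def audit_signals(text):
    """Report what decides which processes a confined shell may signal."""
    caps, paths, signals = parse_profile(text)
    return {
        # sudo already execs the shell as root; root may signal any root-owned
        # process with no capability at all, and CAP_KILL would extend that to
        # processes of every uid (the ntp case in the report).
        "cap_kill": "kill" in caps,
        "signal_tools": sorted(p for p, perms in paths
                               if p in SIGNAL_TOOLS and "x" in perms),
        # With no signal rule the profile says nothing about signal peers, so
        # the only remaining limit is that uid-based check.
        "signal_rules": signals,
    }

# Constructed excerpt of the reported profile, and a variant with a signal rule.
REPORTED = """
/bin/ashell {
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  /sbin/killall5 rix,
  /usr/sbin/apache2ctl rix,
}
"""
# Assumption: the apache2 processes being restarted run under /bin/ashell too.
HARDENED = REPORTED.replace("}", "  signal (send) set=(term, hup, usr1) peer=/bin/ashell,\n}")
```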