[pkg-apparmor] Bug#923367: AppArmor: Profile for journald
Jörg Sommer
joerg at jo-so.de
Tue Feb 26 23:48:24 GMT 2019
Package: apparmor-profiles
Version: 2.13.2-9
Severity: normal
Hi,
I've created a profile for journald to restrict the possible capabilities
the process has. But journald starts before the AppArmor profiles get
loaded. I've created a service to run after apparmor.service to restart
all unconfined services having a profile. What do you think about this?
Would you include this in the package?
Bye Jörg
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.20.0-trunk-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apparmor-profiles depends on:
ii apparmor 2.13.2-9
apparmor-profiles recommends no packages.
apparmor-profiles suggests no packages.
-- no debconf information
--
The right to change one's opinion is one of the most important
human privileges.
(Robert Peel)
-------------- next part --------------
include <tunables/global>

profile /lib/systemd/systemd-journald {
  include <abstractions/base>

  # kernel log ring buffer and boot-time identifiers
  /dev/kmsg rw,
  /etc/machine-id r,
  /proc/cmdline r,
  /proc/sys/kernel/hostname r,
  /proc/sys/kernel/random/boot_id r,

  # per-process metadata that journald attaches to log entries
  /proc/*/{cgroup,cmdline,comm,loginuid,sessionid} r,
  /proc/*/attr/current r,
  /proc/1/{environ,sched} r,
  owner /proc/@{pid}/stat r,

  capability setgid setuid sys_admin sys_ptrace syslog,
  ptrace (read),

  /etc/systemd/journald.conf r,

  # volatile and persistent journal storage
  owner /run/systemd/journal/{,**} rw,
  owner /var/log/journal/{,**} rw,

  # udev device metadata
  /run/udev/data/* r,
  /sys/devices/pci0000:00/**/uevent r,
}
-------------- next part --------------
[Unit]
Description=Restart unconfined services having AppArmor profiles
DefaultDependencies=no
ConditionSecurity=apparmor
Before=dbus.service sysinit.target
After=apparmor.service
Requires=apparmor.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/apparmor-systemd-restart-unconfined

[Install]
WantedBy=sysinit.target
-------------- next part --------------
#!/bin/sh
# Restart services that have an AppArmor profile but run unconfined because
# they started before apparmor.service loaded the profiles.  Needs aa-status
# and jq.  aa-status only lists processes whose executable has a profile.
uc_pids=$(aa-status --json | jq -r '.processes[][]
    | select(.status == "unconfined") | .pid')
if test -z "$uc_pids"
then
    exit
fi
# PID 1 cannot be restarted; re-executing systemd picks up the profile.
if echo "$uc_pids" | grep -qFx 1
then
    uc_pids=$(echo "$uc_pids" | grep -vFx 1)
    systemctl daemon-reexec
    # without a PID argument "systemctl status" would print the whole system
    test -z "$uc_pids" && exit
fi
# The first status line per PID is "● name.service - ..."; outside a UTF-8
# locale (e.g. early in boot) systemctl prints "*" instead of the bullet.
uc_srv=$(systemctl status -n0 $uc_pids | sed '/^[●*] /!d; s///; s/ .*//' | sort -u)
test -z "$uc_srv" && exit
systemctl restart $uc_srv
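Added check (not part of the bug report or the apparmor-profiles package): a small sh script to confirm that journald actually carries its profile after the restart unit has run, by reading the AppArmor label in /proc/<pid>/attr/current. The function names and the use of systemctl show -p MainPID to find journald's PID are my own choices; the attr path is a parameter so the parsing can be exercised on a file with constructed contents.

```shell
#!/bin/sh
# Added check (not from the bug report): does the running journald carry its
# AppArmor profile?  A process started before apparmor.service shows
# "unconfined" in /proc/<pid>/attr/current; a confined one shows
# "<profile> (enforce)" or "<profile> (complain)".

# confinement_state FILE
#   FILE is normally /proc/<pid>/attr/current (a parameter so a constructed
#   file can be used for testing).  Prints one of unconfined, enforce,
#   complain or unknown; returns 0 only when the label is in enforce mode.
confinement_state() {
    label=$(head -n 1 "$1" 2>/dev/null)
    case "$label" in
        unconfined)      echo unconfined; return 1 ;;
        *" (enforce)")   echo enforce;    return 0 ;;
        *" (complain)")  echo complain;   return 1 ;;
        *)               echo unknown;    return 1 ;;
    esac
}

# check_journald
#   Looks up journald's main PID via systemd and reports its confinement.
#   Exit status 0 means a profile is enforced on the running journald.
check_journald() {
    pid=$(systemctl show -p MainPID --value systemd-journald.service) || return 2
    if ! [ "$pid" -gt 0 ] 2>/dev/null; then
        echo "systemd-journald: no main PID (not running?)" >&2
        return 2
    fi
    state=$(confinement_state "/proc/$pid/attr/current")
    echo "systemd-journald (pid $pid): $state"
    [ "$state" = enforce ]
}

# Run the live check only when invoked as "script journald", so the functions
# above can also be sourced or tested on their own.
if [ "${1:-}" = journald ]; then
    check_journald
fi
```

Run it after boot as `sh check.sh journald`; a result of "unconfined" means journald is still running the pre-profile instance and the restart unit did not take effect.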