Hello, on Wednesday, 4 November 2015, Johannes Meixner wrote:
On Nov 3 19:43 Christian Boltz wrote (excerpt):
Well, in theory, you could create an AppArmor profile for rpm.
Unfortunately, you'll need to allow it to write files everywhere and also to override traditional file access permissions (capability dac_override) because, well, writing files everywhere is rpm's job, and it also installs files which are only readable by a daemon user. You'll also need to allow executing basically everything because of %post etc. scripts.
Is it possible to have an AppArmor profile for rpm so that rpm cannot change already existing files?
w (write) permissions always allow creating and changing a file. In theory, a (append) might work - it allows creating a file and appending to it (so not exactly what you want; the typical use case for 'a' permissions is logfiles). However, it could be problematic if rpm also needs to change the file permissions or owner afterwards, because that will need w permissions.
Such an AppArmor profile could be enabled before one installs third party software (e.g. additional application programs) where one does not want that any existing stuff is changed.
If you really want that, it might be possible to create a profile based on the rpm -qpl output, but that won't help much for %post scripts. Well, except if your goal is not to let %post change anything that is not related to the new package, ... ;-)
For a nice example where such an AppArmor profile for rpm would have helped, Google for "linux printer driver setuid root" (without quotation marks) and you find things like http://it.slashdot.org/story/07/07/18/0319203/major-security-hole-in-samsung-linux-drivers that reads (excerpt):
Posted by ... on Wednesday July 18, 2007 ... It appears that Samsung unified drivers change rights on some parts of the system: After installing the drivers, applications may launch using root rights, without asking any password.
If I remember correctly in particular OpenOffice executables had been changed at that time to run setuid root when installing that third party printer driver software to "make everything just work" for the user.
Oh, nice! Speaking about printer drivers - do you think having a profile for cups would be possible? Would you be willing to test it? (I "only" have a boring setup with one printer at the other end of the network cable ;-) so I can only do some tests for this type of setup.)
In contrast, when installing openSUSE maintenance updates, such an AppArmor profile would have to be disabled beforehand.
Obviously ;-) BTW: aa-exec allows you to invoke a program with a specific profile. That's probably easier than switching profiles on and off.
The only thing you could try is to deny access to /home/** - assuming that packages typically should not touch anything there.
A long time ago an experienced SUSE developer told me:
"/home/* is sacrosanct."
This means in particular that package installation must not change any user's own files.
Probably it is really a good idea to create an AppArmor profile for rpm to deny access to /home/* and see how a default openSUSE installation behaves.
Perhaps this could reveal "interesting" results ;-)
OK, challenge accepted. Note that the profile is a bit quick&dirty - if I wanted to use it for more than this "because we can" mail, I'd do some things in cleaner ways, for example avoiding some of the wildcard usage and putting rpm into a subprofile.

# cat /etc/apparmor.d/shm-install
# Last Modified: Wed Nov 4 21:49:59 2015
#include <tunables/global>

profile shm-install {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/openssl>
  #include <abstractions/perl>

  capability audit_write,
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability mknod,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,
  capability sys_resource,

  network inet dgram,

  / r,
  /bin/* rix,
  /bin/bash ix,
  /bin/rpm rix,
  /dev/ r,
  /dev/shm/ r,
  /dev/shm/install/ r,
  /dev/shm/install/*/ rwlk,  # includes creating the directory /dev/shm/install/home/
  /dev/shm/install/bin/** mrwlk,
  /dev/shm/install/bin/rpm rix,
  /dev/shm/install/boot/** mrwlk,
  /dev/shm/install/dev/lp0 w,
  /dev/shm/install/dev/lp1 w,
  /dev/shm/install/dev/lp2 w,
  /dev/shm/install/dev/lp3 w,
  /dev/shm/install/dev/null rw,
  /dev/shm/install/dev/stderr w,
  /dev/shm/install/etc/** mrwlk,
  /dev/shm/install/etc/init.d/boot.apparmor rix,
  /dev/shm/install/lib/** mrwlk,
  /dev/shm/install/lib64/** mrwlk,
  /dev/shm/install/mnt/** mrwlk,
  /dev/shm/install/opt/** mrwlk,
  /dev/shm/install/root/** mrwlk,
  /dev/shm/install/run/cups/ w,
  /dev/shm/install/run/cups/certs/ w,
  /dev/shm/install/run/mcelog/ w,
  /dev/shm/install/run/nfs/ w,
  /dev/shm/install/run/nscd/ w,
  /dev/shm/install/run/openvpn/ rw,
  /dev/shm/install/run/regenerate-initrd/ rw,
  /dev/shm/install/run/regenerate-initrd/all w,
  /dev/shm/install/run/screens/ rw,
  /dev/shm/install/run/tuned/ w,
  /dev/shm/install/run/uscreens/ rw,
  /dev/shm/install/run/utmp w,
  /dev/shm/install/sbin/** mrwlk,
  /dev/shm/install/sbin/ldconfig rix,
  /dev/shm/install/selinux/** mrwlk,
  /dev/shm/install/srv/** mrwlk,
  /dev/shm/install/tmp/** mrwlk,
  /dev/shm/install/usr/** mrwlk,
  /dev/shm/install/usr/lib/ca-certificates/update.d/* rix,
  /dev/shm/install/usr/lib/man-db/mandb rix,
  /dev/shm/install/usr/lib/plymouth/plymouth-update-initrd rix,
  /dev/shm/install/usr/lib/smartmontools/generate_smartd_opts rix,
  /dev/shm/install/usr/lib/systemd/systemd-random-seed rix,
  /dev/shm/install/usr/lib/words/update rix,
  /dev/shm/install/usr/share/btrfsmaintenance/btrfsmaintenance-refresh-cron.sh rix,
  /dev/shm/install/usr/share/grub2/themes/openSUSE/activate-theme rix,
  /dev/shm/install/usr/{s,}bin/* rix,
  /dev/shm/install/var/** mrwlk,
  /dev/shm/install/var/adm/update-scripts/* rix,
  /dev/shm/install/var/adm/update-scripts/posttrans** rix,
  /dev/shm/install/{s,}bin/* rix,
  /dev/tty rw,
  /etc/lesskey.bin r,
  /etc/magic r,
  /etc/resolv.conf r,
  /etc/rpm/ r,
  /etc/rpm/** r,
  /etc/sysconfig/storage r,
  /etc/zypp/systemCheck.d/ r,
  /etc/zypp/zypp.conf r,
  /etc/zypp/zypper.conf r,
  /home/*/.inputrc r,
  /mnt/ r,
  /mnt/suse/ r,
  /mnt/suse/** r,
  /proc/*/cmdline r,
  /proc/filesystems r,
  /proc/meminfo r,
  /proc/sys/kernel/random/uuid r,
  /root/ r,
  /root/.lesshst r,
  /sys/ r,
  /sys/**/ r,
  /sys/devices/** r,
  /tmp/less.* rw,
  /usr/bin/cp rix,
  /usr/bin/diff rix,
  /usr/bin/file rix,
  /usr/bin/find rix,
  /usr/bin/grep rix,
  /usr/bin/less rix,
  /usr/bin/lessopen.sh rix,
  /usr/bin/mktemp rix,
  /usr/bin/perl ix,
  /usr/bin/repo2solv.sh rix,
  /usr/bin/rm rix,
  /usr/bin/rpmdb2solv rix,
  /usr/bin/rpms2solv rix,
  /usr/lib{,32,64}/** mr,
  /usr/share/misc/magic.mgc r,
  /usr/share/rpm/** r,
  /usr/share/terminfo/ r,
  /usr/share/zypper/ r,
  /usr/share/zypper/** r,
  /var/log/zypper.log w,
  /var/run/nscd/* r,
  /var/tmp/ r,
  /var/tmp/TmpDir.*/ rw,
  /var/tmp/TmpFile.* rw,
  /var/tmp/zypp.** rw,
}

Now load the profile and install openSUSE into /dev/shm/install/

# rcapparmor reload
# mkdir /dev/shm/install
# aa-exec -p shm-install -- zypper --root /dev/shm/install/ ar -G /mnt/suse/ dvd-image   # change as needed
# aa-exec -p shm-install -- zypper --root /dev/shm/install/ in --download-as-needed \
    patterns-openSUSE-kde_utilities patterns-openSUSE-multimedia patterns-openSUSE-office_opt \
    patterns-openSUSE-kde_plasma patterns-openSUSE-yast2_basis patterns-openSUSE-non_oss \
    patterns-openSUSE-enhanced_base patterns-openSUSE-games patterns-openSUSE-fonts_opt \
    patterns-openSUSE-non_oss_opt patterns-openSUSE-base patterns-openSUSE-kde_multimedia \
    patterns-openSUSE-x11 patterns-openSUSE-kde_utilities_opt patterns-openSUSE-yast2_install_wf \
    patterns-openSUSE-multimedia_opt patterns-openSUSE-kde_imaging patterns-openSUSE-sw_management_kde \
    patterns-openSUSE-fonts patterns-openSUSE-imaging patterns-openSUSE-kde_internet \
    patterns-openSUSE-apparmor_opt patterns-openSUSE-x11_opt patterns-openSUSE-sw_management \
    patterns-openSUSE-apparmor patterns-openSUSE-kde_yast patterns-openSUSE-enhanced_base_opt \
    patterns-openSUSE-imaging_opt patterns-openSUSE-kde_games patterns-openSUSE-minimal_base \
    patterns-openSUSE-kde_office patterns-openSUSE-kde patterns-openSUSE-laptop patterns-openSUSE-office

(that's basically a default install with KDE)

Note that with --root /dev/shm/install/, zypper still uses some parts of the main system (for example less to display notifications at the end, and it also writes to /var/log/zypper.log), so the profile contains some permissions outside the given --root. Doing a similar test from an installation system will probably give you a cleaner profile, but basically with the same result: A default Tumbleweed install with KDE does not touch anything inside /home :-)

A funny detail is that some %post script creates /dev/lp* - any idea why that might be needed? For bonus points, tell me which package does that, and why /dev/lp* are needed on a laptop that doesn't have a parallel port ;-) /dev/null and /dev/stderr make more sense and are probably used by various %post scripts.

BTW: Is it expected that the GPG signature check fails for every package when installing with --root into an empty directory? I had to use "zypper ar -G" to disable the checks, but that's not something I like.

Some final notes:
- if you want to re-create this profile from scratch, note that you'll get *lots of* entries in your audit.log. It might even rotate away faster than you can use aa-genprof or aa-logprof, so you also need to check the rotated-away logs.
- installing to /dev/shm/install obviously needs some ;-) RAM

Regards,

Christian Boltz
--
In the beginning was the word, and the word was content-type: text/plain
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
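The profile above only records what zypper was allowed to do; to answer the "does a default install touch /home?" question from the audit trail, you have to read the AppArmor records themselves. The script below is an added example, not part of this mail thread or of the AppArmor tools: it parses auditd-style AppArmor records (the four sample lines are constructed, not from a real audit.log) and reports every access by the shm-install profile to the host's /home that is not inside the --root copy, marking those whose requested permissions would modify a file.

```python
import re

# Key=value fields of an auditd-style AppArmor record; values are quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# AppArmor permission letters that change a file: write, append, create, delete, link.
MODIFYING_PERMS = set("wacdl")

# Constructed sample records (not a real audit.log); record 102 lies inside the --root.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1446670199.001:101): apparmor="ALLOWED" operation="open" profile="shm-install" name="/home/alice/.inputrc" pid=4242 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
type=AVC msg=audit(1446670199.002:102): apparmor="ALLOWED" operation="mkdir" profile="shm-install" name="/dev/shm/install/home/" pid=4242 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1446670199.003:103): apparmor="DENIED" operation="open" profile="shm-install" name="/home/alice/.config/example.conf" pid=4243 comm="sh" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=1000
type=AVC msg=audit(1446670199.004:104): apparmor="DENIED" operation="chmod" profile="other-profile" name="/home/bob/file" pid=77 comm="chmod" requested_mask="w" denied_mask="w" fsuid=0 ouid=1001
""".splitlines()


def parse_apparmor_event(line):
    """Return the key=value fields of one audit line as a dict ({} if not an AppArmor record)."""
    if 'apparmor="' not in line:
        return {}
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def find_home_accesses(lines, profile="shm-install", install_root="/dev/shm/install/"):
    """List accesses by `profile` to the host's /home. Paths under install_root are the
    new system's own /home and are skipped; each hit says whether it would modify a file."""
    hits = []
    for line in lines:
        ev = parse_apparmor_event(line)
        path = ev.get("name", "")
        if ev.get("profile") != profile or path.startswith(install_root):
            continue
        if not path.startswith("/home/"):
            continue
        mask = ev.get("requested_mask", "")
        hits.append({
            "path": path,
            "comm": ev.get("comm"),
            "mask": mask,
            "status": ev.get("apparmor"),  # ALLOWED = complain mode, DENIED = enforce mode
            "modifies": bool(MODIFYING_PERMS & set(mask)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_home_accesses(SAMPLE_AUDIT_LOG):
        print("MODIFY" if hit["modifies"] else "read", hit["status"], hit["comm"], hit["path"])
```

Run it against the concatenation of audit.log and its rotated copies, since, as noted above, the log rotates quickly during a full install.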