Merge lp:~sdeziel/apparmor/wireshark-refresh into lp:apparmor/2.12

Proposed by Simon Déziel
Status: Merged
Merged at revision: 3728
Proposed branch: lp:~sdeziel/apparmor/wireshark-refresh
Merge into: lp:apparmor/2.12
Diff against target: 76 lines (+43/-6)
1 file modified
profiles/apparmor/profiles/extras/usr.bin.wireshark (+43/-6)
To merge this branch: bzr merge lp:~sdeziel/apparmor/wireshark-refresh
Reviewer: Steve Beattie (review status: Approve)
Review via email: mp+291820@code.launchpad.net

Description of the change

This refreshed profile was tested with Wireshark 2.0.2 (from Xenial). I only tested reading from pcaps. No capture testing was done because I feel this is best done with tcpdump, which is well protected by AppArmor anyway.

Seth Arnold (seth-arnold) wrote :

It feels like the accessibility dbus rules may be better suited in an #include. What else will require these?

Otherwise looks good to me.

Thanks

Simon Déziel (sdeziel) wrote :

On 2016-04-13 05:50 PM, Seth Arnold wrote:
> It feels like the accessibility dbus rules may be better suited in an #include.

Or maybe abstractions/dbus-accessibility-strict is just too strict?

> What else will require these?

I copied it from Firefox. Locally I have the following profiles using
the "a11y" rules:

 usr.bin.firefox
 usr.bin.keepassx
 usr.bin.pidgin
 usr.bin.remmina
 usr.bin.vlc
 usr.bin.wireshark

Tyler Hicks (tyhicks) wrote :

On 2016-04-14 14:03:27, Simon Déziel wrote:
> On 2016-04-13 05:50 PM, Seth Arnold wrote:
> > It feels like the accessibility dbus rules may be better suited in an #include.
>
> Or maybe abstractions/dbus-accessibility-strict is just too strict?

dbus-accessibility-strict is for talking to dbus-daemon itself on the
accessibility bus.

dbus-accessibility is for doing any action on the accessibility bus.

Note that the rules you have are for talking to a service on the session
bus. I'm thinking that there should be an "accessibility-services" (or
maybe just "accessibility") abstraction which has the a11y rules and
also includes dbus-accessibility-strict?
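
The abstraction sketched in the comment above, written out as an added example (it is not part of this merge proposal or of the apparmor tree): it takes the three session-bus a11y rules from the diff and pulls in dbus-accessibility-strict, so a profile carries one #include instead of the whole block. The file name `abstractions/accessibility` is an assumption taken from the suggestion above.

```apparmor
# vim:syntax=apparmor
# abstractions/accessibility (assumed name, from the proposal above;
# this is an added example, not a file in the apparmor tree)
#
# Two halves: reach the a11y launcher on the session bus, which hands
# out the address of the accessibility bus, then talk freely on the
# accessibility bus itself.

  # connecting to dbus-daemon on the accessibility bus
  #include <abstractions/dbus-accessibility-strict>

  # ask org.a11y.Bus on the session bus for the accessibility bus address
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),

  # AT-SPI traffic that arrives over the session bus
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,

  # any action on the accessibility bus
  dbus (receive, send)
       bus=accessibility,
```

With this in place, the block in usr.bin.wireshark from `#include <abstractions/dbus-accessibility-strict>` down to the `bus=accessibility,` rule collapses to a single `#include <abstractions/accessibility>`, and the other profiles listed above (firefox, keepassx, pidgin, remmina, vlc) can drop their copies the same way, so a later tightening of the a11y rules lands in one file.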

Jamie Strandboge (jdstrand) wrote :

@Tyler, this makes sense to me. The accessibility rules are not well defined at all and could use a lot of love.

intrigeri (intrigeri) wrote :

Seth, Jamie, Tyler: thanks for the reviews and the forward-looking thinking. It's not clear to me what's a blocker or not. Are you blocking on a big refactoring of the accessibility rules before this MR gets merged? I'm not sure it would be fair to expect Simon to do this work right now :) How about we track the refactoring proposal on a new bug and not block on it here?

Steve Beattie (sbeattie) wrote :

intrigeri: I agree, we should probably not block this merge request on an accessibility abstraction cleanup. I have filed https://bugs.launchpad.net/apparmor/+bug/1727887 to capture that request.

Otherwise, LGTM. I'll merge it in.

review: Approve

Preview Diff

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.wireshark'
--- profiles/apparmor/profiles/extras/usr.bin.wireshark 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.wireshark 2016-04-13 20:56:30 +0000
@@ -16,29 +16,66 @@
16 #include <abstractions/base>16 #include <abstractions/base>
17 #include <abstractions/bash>17 #include <abstractions/bash>
18 #include <abstractions/consoles>18 #include <abstractions/consoles>
19 #include <abstractions/dconf>
20 #include <abstractions/dbus-session-strict>
21 #include <abstractions/ibus>
19 #include <abstractions/kde>22 #include <abstractions/kde>
20 #include <abstractions/nameservice>23 #include <abstractions/nameservice>
21 #include <abstractions/gnome>24 #include <abstractions/gnome>
22 #include <abstractions/user-write>25 #include <abstractions/user-write>
23 #include <abstractions/X>26 #include <abstractions/X>
2427
28 #include <abstractions/dbus-accessibility-strict>
29 dbus (send)
30 bus=session
31 peer=(name=org.a11y.Bus),
32 dbus (receive)
33 bus=session
34 interface=org.a11y.atspi**,
35 dbus (receive, send)
36 bus=accessibility,
37
25 capability net_raw,38 capability net_raw,
2639
40 # From abstractions/evince
41 deny /run/udev/data/** r,
42
27 /etc/ethers r,43 /etc/ethers r,
2844 /etc/udev/udev.conf r,
29 @{HOME}/.wireshark/* rw,45 /etc/wireshark/** r,
30 @{HOME}/.fonts.cache-* r,46
47 owner @{HOME}/.wireshark/* rw,
48 owner @{HOME}/.config/wireshark/* rw,
49 owner @{HOME}/.config/QtProject.conf rw,
50 owner @{HOME}/.config/QtProject.conf.lock rw,
51 owner @{HOME}/.fonts.cache-* r,
52
53 owner @{HOME}/.config/dconf/user w,
54 owner /{,var/}run/user/*/dconf/user w,
55 owner @{PROC}/@{pid}/cmdline r,
56 owner @{PROC}/@{pid}/fd/ r,
57 @{PROC}/@{pid}/net/dev r,
58 /sys/devices/pci[0-9]*/**/uevent r,
3159
32 /etc/pango/pango.modules r,60 /etc/pango/pango.modules r,
33 /usr/lib/gtk-*/*/loaders/* mr,61 /usr/lib/gtk-*/*/loaders/* mr,
34 /usr/share/* r,62 /usr/share/icons/ r,
35 /usr/share/icons/** r,63 /usr/share/icons/** rk,
64 /usr/share/glib-2.0/schemas/gschemas.compiled r,
36 /usr/share/mime/* r,65 /usr/share/mime/* r,
37 /usr/lib/firefox/firefox.sh rPx,66 /usr/lib/firefox/firefox.sh rPx,
38 /usr/bin/wireshark mixr,67 /usr/bin/wireshark mixr,
39 /usr/share/icons r,
40 /usr/share/mime/* r,68 /usr/share/mime/* r,
41 /usr/share/snmp/mibs r,69 /usr/share/snmp/mibs r,
42 /usr/share/snmp/mibs/* r,70 /usr/share/snmp/mibs/* r,
43 /usr/share/snmp/mibs/.index rw,71 /usr/share/snmp/mibs/.index rw,
72 /usr/share/wireshark/** r,
73 /usr/share/GeoIP/ r,
74 /usr/share/GeoIP/** r,
75 /usr/lib/@{multiarch}/wireshark/extcap/* ix,
76 /usr/lib/@{multiarch}/wireshark/plugins/**/ r,
77 /usr/lib/@{multiarch}/wireshark/plugins/**.so mr,
78
79 # for reading pcaps
80 /**.pcap r,
44}81}
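Review bot: `/usr/lib/@{multiarch}/wireshark/extcap/* ix,` runs the extcap capture helpers inherited in this profile, so they get everything the profile allows, including `capability net_raw`, and any extra access a helper needs can only be granted by widening wireshark's own profile; since the description says capture was not tested, consider `Cx` with a child profile (or `Px` once the helpers have profiles of their own) and keep `ix` only if inheriting is intended. Smaller points: `/usr/share/mime/* r,` survives twice in the new file (both copies carried over from the old profile), so one can go; and `/**.pcap r,` matches only files ending in `.pcap`, so captures saved in Wireshark's default pcapng format will be denied, which a `/**.{pcap,pcapng,cap} r,` style rule would cover while still matching what the "for reading pcaps" comment intends. Replacing the broad `/usr/share/* r,` with specific paths and adding `owner` to the @{HOME} rules are welcome tightening.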
