Merge lp:~ssweeny/bluez/snappy-interface into lp:~bluetooth/bluez/snap-core-rolling
Proposed by: Scott Sweeny
| Field | Value |
|---|---|
| Status | Merged |
| Approved by | Simon Fels |
| Approved revision | 48 |
| Merged at revision | 41 |
| Proposed branch | lp:~ssweeny/bluez/snappy-interface |
| Merge into | lp:~bluetooth/bluez/snap-core-rolling |
| Prerequisite | lp:~morphis/bluez/fix-snapcraft-source |
| Diff against target | 1457 lines (+13/-1384), 6 files modified: bluez.apparmor (+0/-222), bluez.seccomp (+0/-457), obex.apparmor (+0/-225), obex.seccomp (+0/-457), parts/plugins/x-autotools.py (+3/-3), snapcraft.yaml (+10/-20) |
| To merge this branch | bzr merge lp:~ssweeny/bluez/snappy-interface |
| Related bugs | |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Simon Fels | Approve | | |
| Tony Espy | Pending | | |
| Bluetooth | Pending | | |

Review via email: mp+292304@code.launchpad.net
Commit message
Use the new bluez interface in ubuntu-core
Description of the change
This branch contains the updated snapcraft config to use the new bluez interface in ubuntu-core.
Tested against a fixes branch[1] that will hopefully soon be merged into ubuntu-core.
- 47. By Scott Sweeny: Actually remove unused policy files
- 48. By Scott Sweeny: Rename slot/plug to service/client respectively
Scott Sweeny (ssweeny) wrote:
> Left one naming related comment inline but otherwise LGTM
Well-spotted. Done.
Should this naming scheme be part of our guidelines doc?
Simon Fels (morphis) wrote:
@Scott: That would be awesome if you can add a chapter for an interface naming convention.
Simon Fels (morphis): review: Approve
Preview Diff
1 | === removed file 'bluez.apparmor' | |||
2 | --- bluez.apparmor 2016-02-01 18:56:49 +0000 | |||
3 | +++ bluez.apparmor 1970-01-01 00:00:00 +0000 | |||
4 | @@ -1,222 +0,0 @@ | |||
5 | 1 | # | ||
6 | 2 | # AppArmor confinement for bluez's bluetoothd | ||
7 | 3 | # | ||
8 | 4 | |||
9 | 5 | #include <tunables/global> | ||
10 | 6 | |||
11 | 7 | # Specified profile variables | ||
12 | 8 | ###VAR### | ||
13 | 9 | |||
14 | 10 | ###PROFILEATTACH### (attach_disconnected) { | ||
15 | 11 | #include <abstractions/base> | ||
16 | 12 | #include <abstractions/openssl> | ||
17 | 13 | |||
18 | 14 | # Explicitly deny ptrace for now since it can be abused to break out of the | ||
19 | 15 | # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 | ||
20 | 16 | audit deny ptrace (trace), | ||
21 | 17 | |||
22 | 18 | # Explicitly deny mount, remount and umount | ||
23 | 19 | audit deny mount, | ||
24 | 20 | audit deny remount, | ||
25 | 21 | audit deny umount, | ||
26 | 22 | |||
27 | 23 | # Read-only for the install directory | ||
28 | 24 | @{CLICK_DIR}/@{APP_PKGNAME}/ r, | ||
29 | 25 | @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r, | ||
30 | 26 | @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix, | ||
31 | 27 | |||
32 | 28 | # Read-only home area for other versions | ||
33 | 29 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/ r, | ||
34 | 30 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ r, | ||
35 | 31 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix, | ||
36 | 32 | |||
37 | 33 | # Writable home area for this version. | ||
38 | 34 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ w, | ||
39 | 35 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl, | ||
40 | 36 | |||
41 | 37 | # Read-only system area for other versions | ||
42 | 38 | /var/lib/snaps/@{APP_PKGNAME}/ r, | ||
43 | 39 | /var/lib/snaps/@{APP_PKGNAME}/** mrkix, | ||
44 | 40 | |||
45 | 41 | # Writable system area only for this version | ||
46 | 42 | /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ w, | ||
47 | 43 | /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl, | ||
48 | 44 | |||
49 | 45 | # The ubuntu-core-launcher creates an app-specific private restricted /tmp | ||
50 | 46 | # and will fail to launch the app if something goes wrong. As such, we can | ||
51 | 47 | # simply allow full access to /tmp. | ||
52 | 48 | /tmp/ r, | ||
53 | 49 | /tmp/** mrwlkix, | ||
54 | 50 | |||
55 | 51 | # Miscellaneous accesses | ||
56 | 52 | /etc/mime.types r, | ||
57 | 53 | @{PROC}/ r, | ||
58 | 54 | /etc/{,writable/}hostname r, | ||
59 | 55 | /etc/{,writable/}localtime r, | ||
60 | 56 | /etc/{,writable/}timezone r, | ||
61 | 57 | @{PROC}/sys/kernel/hostname r, | ||
62 | 58 | @{PROC}/sys/kernel/osrelease r, | ||
63 | 59 | @{PROC}/sys/fs/file-max r, | ||
64 | 60 | @{PROC}/sys/kernel/pid_max r, | ||
65 | 61 | # this leaks interface names and stats, but not in a way that is traceable | ||
66 | 62 | # to the user/device | ||
67 | 63 | @{PROC}/net/dev r, | ||
68 | 64 | |||
69 | 65 | # | ||
70 | 66 | # Various accesses that may or may not be required for your framework. | ||
71 | 67 | # Adjust as necessary for your services. | ||
72 | 68 | # | ||
73 | 69 | |||
74 | 70 | # Shell (do not usually need abstractions/bash) | ||
75 | 71 | #include <abstractions/consoles> | ||
76 | 72 | /bin/bash ixr, | ||
77 | 73 | /bin/dash ixr, | ||
78 | 74 | /etc/bash.bashrc r, | ||
79 | 75 | /usr/share/terminfo/** r, | ||
80 | 76 | /etc/inputrc r, | ||
81 | 77 | deny @{HOME}/.inputrc r, | ||
82 | 78 | # Common utilities for shell scripts | ||
83 | 79 | /{,usr/}bin/{,g,m}awk ixr, | ||
84 | 80 | /{,usr/}bin/basename ixr, | ||
85 | 81 | /{,usr/}bin/bunzip2 ixr, | ||
86 | 82 | /{,usr/}bin/bzcat ixr, | ||
87 | 83 | /{,usr/}bin/bzdiff ixr, | ||
88 | 84 | /{,usr/}bin/bzgrep ixr, | ||
89 | 85 | /{,usr/}bin/bzip2 ixr, | ||
90 | 86 | /{,usr/}bin/cat ixr, | ||
91 | 87 | /{,usr/}bin/chmod ixr, | ||
92 | 88 | /{,usr/}bin/cmp ixr, | ||
93 | 89 | /{,usr/}bin/cp ixr, | ||
94 | 90 | /{,usr/}bin/cpio ixr, | ||
95 | 91 | /{,usr/}bin/cut ixr, | ||
96 | 92 | /{,usr/}bin/date ixr, | ||
97 | 93 | /{,usr/}bin/dd ixr, | ||
98 | 94 | /{,usr/}bin/diff{,3} ixr, | ||
99 | 95 | /{,usr/}bin/dir ixr, | ||
100 | 96 | /{,usr/}bin/dirname ixr, | ||
101 | 97 | /{,usr/}bin/echo ixr, | ||
102 | 98 | /{,usr/}bin/{,e,f,r}grep ixr, | ||
103 | 99 | /{,usr/}bin/env ixr, | ||
104 | 100 | /{,usr/}bin/expr ixr, | ||
105 | 101 | /{,usr/}bin/false ixr, | ||
106 | 102 | /{,usr/}bin/find ixr, | ||
107 | 103 | /{,usr/}bin/fmt ixr, | ||
108 | 104 | /{,usr/}bin/getopt ixr, | ||
109 | 105 | /{,usr/}bin/head ixr, | ||
110 | 106 | /{,usr/}bin/hostname ixr, | ||
111 | 107 | /{,usr/}bin/id ixr, | ||
112 | 108 | /{,usr/}bin/igawk ixr, | ||
113 | 109 | /{,usr/}bin/kill ixr, | ||
114 | 110 | /{,usr/}bin/ldd ixr, | ||
115 | 111 | /{,usr/}bin/ln ixr, | ||
116 | 112 | /{,usr/}bin/line ixr, | ||
117 | 113 | /{,usr/}bin/link ixr, | ||
118 | 114 | /{,usr/}bin/logger ixr, | ||
119 | 115 | /{,usr/}bin/ls ixr, | ||
120 | 116 | /{,usr/}bin/md5sum ixr, | ||
121 | 117 | /{,usr/}bin/mkdir ixr, | ||
122 | 118 | /{,usr/}bin/mktemp ixr, | ||
123 | 119 | /{,usr/}bin/mv ixr, | ||
124 | 120 | /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial | ||
125 | 121 | /{,usr/}bin/pgrep ixr, | ||
126 | 122 | /{,usr/}bin/printenv ixr, | ||
127 | 123 | /{,usr/}bin/printf ixr, | ||
128 | 124 | /{,usr/}bin/ps ixr, | ||
129 | 125 | /{,usr/}bin/pwd ixr, | ||
130 | 126 | /{,usr/}bin/readlink ixr, | ||
131 | 127 | /{,usr/}bin/realpath ixr, | ||
132 | 128 | /{,usr/}bin/rev ixr, | ||
133 | 129 | /{,usr/}bin/rm ixr, | ||
134 | 130 | /{,usr/}bin/rmdir ixr, | ||
135 | 131 | /{,usr/}bin/sed ixr, | ||
136 | 132 | /{,usr/}bin/seq ixr, | ||
137 | 133 | /{,usr/}bin/sleep ixr, | ||
138 | 134 | /{,usr/}bin/sort ixr, | ||
139 | 135 | /{,usr/}bin/stat ixr, | ||
140 | 136 | /{,usr/}bin/tac ixr, | ||
141 | 137 | /{,usr/}bin/tail ixr, | ||
142 | 138 | /{,usr/}bin/tar ixr, | ||
143 | 139 | /{,usr/}bin/tee ixr, | ||
144 | 140 | /{,usr/}bin/test ixr, | ||
145 | 141 | /{,usr/}bin/tempfile ixr, | ||
146 | 142 | /{,usr/}bin/touch ixr, | ||
147 | 143 | /{,usr/}bin/tr ixr, | ||
148 | 144 | /{,usr/}bin/true ixr, | ||
149 | 145 | /{,usr/}bin/uname ixr, | ||
150 | 146 | /{,usr/}bin/uniq ixr, | ||
151 | 147 | /{,usr/}bin/unlink ixr, | ||
152 | 148 | /{,usr/}bin/unxz ixr, | ||
153 | 149 | /{,usr/}bin/unzip ixr, | ||
154 | 150 | /{,usr/}bin/vdir ixr, | ||
155 | 151 | /{,usr/}bin/wc ixr, | ||
156 | 152 | /{,usr/}bin/which ixr, | ||
157 | 153 | /{,usr/}bin/xargs ixr, | ||
158 | 154 | /{,usr/}bin/xz ixr, | ||
159 | 155 | /{,usr/}bin/yes ixr, | ||
160 | 156 | /{,usr/}bin/zcat ixr, | ||
161 | 157 | /{,usr/}bin/z{,e,f}grep ixr, | ||
162 | 158 | /{,usr/}bin/zip ixr, | ||
163 | 159 | /{,usr/}bin/zipgrep ixr, | ||
164 | 160 | /{,usr/}bin/uptime ixr, | ||
165 | 161 | @{PROC}/uptime r, | ||
166 | 162 | @{PROC}/loadavg r, | ||
167 | 163 | |||
168 | 164 | # | ||
169 | 165 | # Framework service/binary specific rules below here | ||
170 | 166 | # | ||
171 | 167 | network bluetooth, | ||
172 | 168 | |||
173 | 169 | capability net_admin, | ||
174 | 170 | capability net_bind_service, | ||
175 | 171 | |||
176 | 172 | # File accesses | ||
177 | 173 | /sys/bus/usb/drivers/btusb/ r, | ||
178 | 174 | /sys/bus/usb/drivers/btusb/** r, | ||
179 | 175 | /sys/class/bluetooth/ r, | ||
180 | 176 | /sys/devices/**/bluetooth/ rw, | ||
181 | 177 | /sys/devices/**/bluetooth/** rw, | ||
182 | 178 | /sys/devices/**/id/chassis_type r, | ||
183 | 179 | |||
184 | 180 | # TODO: use snappy hardware assignment for this once LP: #1498917 is fixed | ||
185 | 181 | /dev/rfkill rw, | ||
186 | 182 | |||
187 | 183 | # DBus accesses | ||
188 | 184 | #include <abstractions/dbus-strict> | ||
189 | 185 | dbus (send) | ||
190 | 186 | bus=system | ||
191 | 187 | path=/org/freedesktop/DBus | ||
192 | 188 | interface=org.freedesktop.DBus | ||
193 | 189 | member={Request,Release}Name | ||
194 | 190 | peer=(name=org.freedesktop.DBus), | ||
195 | 191 | |||
196 | 192 | dbus (send) | ||
197 | 193 | bus=system | ||
198 | 194 | path=/org/freedesktop/* | ||
199 | 195 | interface=org.freedesktop.DBus.Properties | ||
200 | 196 | peer=(label=unconfined), | ||
201 | 197 | |||
202 | 198 | # Allow binding the service to the requested connection name | ||
203 | 199 | dbus (bind) | ||
204 | 200 | bus=system | ||
205 | 201 | name="org.bluez", | ||
206 | 202 | |||
207 | 203 | # Allow traffic to/from our path and interface with any method | ||
208 | 204 | dbus (receive, send) | ||
209 | 205 | bus=system | ||
210 | 206 | path=/org/bluez{,/**} | ||
211 | 207 | interface=org.bluez.*, | ||
212 | 208 | |||
213 | 209 | # Allow traffic to/from org.freedesktop.DBus for bluez service | ||
214 | 210 | dbus (receive, send) | ||
215 | 211 | bus=system | ||
216 | 212 | path=/ | ||
217 | 213 | interface=org.freedesktop.DBus.**, | ||
218 | 214 | dbus (receive, send) | ||
219 | 215 | bus=system | ||
220 | 216 | path=/org/bluez{,/**} | ||
221 | 217 | interface=org.freedesktop.DBus.**, | ||
222 | 218 | |||
223 | 219 | # Allow replacing our dbus policy configuration file until | ||
224 | 220 | # snappy has a better way to do this. | ||
225 | 221 | /etc/dbus-1/system.d/bluez_* rw, | ||
226 | 222 | } | ||
227 | 223 | 0 | ||
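Review bot: removing this profile drops the bluetoothd-specific grants that sat below the generic template in the "Framework service/binary specific rules" section (`network bluetooth,`, `capability net_admin,` and `capability net_bind_service,`, rw on `/sys/devices/**/bluetooth/**`, `/dev/rfkill rw,`, the `dbus (bind)` of `org.bluez`, and the rw rule on `/etc/dbus-1/system.d/bluez_*`), but the description only says the snap now uses the new bluez interface. Please state in the commit message or description that the interface covers each of these, and in particular what happens to the two items the removed file itself flags as stopgaps: the `/dev/rfkill` access tied to the LP: #1498917 TODO and the `/etc/dbus-1/system.d/bluez_*` write that the comment says exists "until snappy has a better way to do this". Neither is mentioned anywhere else in the proposal, and the second is the kind of access a generic interface is unlikely to grant.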
228 | === removed file 'bluez.seccomp' | |||
229 | --- bluez.seccomp 2016-01-26 00:25:18 +0000 | |||
230 | +++ bluez.seccomp 1970-01-01 00:00:00 +0000 | |||
231 | @@ -1,457 +0,0 @@ | |||
232 | 1 | # | ||
233 | 2 | # Seccomp policy for bluez | ||
234 | 3 | # | ||
235 | 4 | |||
236 | 5 | # Dangerous syscalls that we don't ever want to allow | ||
237 | 6 | |||
238 | 7 | # kexec | ||
239 | 8 | # EXPLICITLY DENY kexec_load | ||
240 | 9 | |||
241 | 10 | # kernel modules | ||
242 | 11 | # EXPLICITLY DENY create_module | ||
243 | 12 | # EXPLICITLY DENY init_module | ||
244 | 13 | # EXPLICITLY DENY finit_module | ||
245 | 14 | # EXPLICITLY DENY delete_module | ||
246 | 15 | |||
247 | 16 | # these have a history of vulnerabilities, are not widely used, and | ||
248 | 17 | # open_by_handle_at has been used to break out of docker containers by brute | ||
249 | 18 | # forcing the handle value: http://stealth.openwall.net/xSports/shocker.c | ||
250 | 19 | # EXPLICITLY DENY name_to_handle_at | ||
251 | 20 | # EXPLICITLY DENY open_by_handle_at | ||
252 | 21 | |||
253 | 22 | # Explicitly deny ptrace since it can be abused to break out of the seccomp | ||
254 | 23 | # sandbox | ||
255 | 24 | # EXPLICITLY DENY ptrace | ||
256 | 25 | |||
257 | 26 | # Explicitly deny capability mknod so apps can't create devices | ||
258 | 27 | # EXPLICITLY DENY mknod | ||
259 | 28 | # EXPLICITLY DENY mknodat | ||
260 | 29 | |||
261 | 30 | # Explicitly deny (u)mount so apps can't change mounts in their namespace | ||
262 | 31 | # EXPLICITLY DENY mount | ||
263 | 32 | # EXPLICITLY DENY umount | ||
264 | 33 | # EXPLICITLY DENY umount2 | ||
265 | 34 | |||
266 | 35 | # Explicitly deny kernel keyring access | ||
267 | 36 | # EXPLICITLY DENY add_key | ||
268 | 37 | # EXPLICITLY DENY keyctl | ||
269 | 38 | # EXPLICITLY DENY request_key | ||
270 | 39 | |||
271 | 40 | # end dangerous syscalls | ||
272 | 41 | |||
273 | 42 | access | ||
274 | 43 | faccessat | ||
275 | 44 | |||
276 | 45 | alarm | ||
277 | 46 | brk | ||
278 | 47 | |||
279 | 48 | # ARM private syscalls | ||
280 | 49 | breakpoint | ||
281 | 50 | cacheflush | ||
282 | 51 | set_tls | ||
283 | 52 | usr26 | ||
284 | 53 | usr32 | ||
285 | 54 | |||
286 | 55 | capget | ||
287 | 56 | |||
288 | 57 | chdir | ||
289 | 58 | fchdir | ||
290 | 59 | |||
291 | 60 | # We can't effectively block file perms due to open() with O_CREAT, so allow | ||
292 | 61 | # chmod until we have syscall arg filtering (LP: #1446748) | ||
293 | 62 | chmod | ||
294 | 63 | fchmod | ||
295 | 64 | fchmodat | ||
296 | 65 | |||
297 | 66 | # snappy doesn't currently support per-app UID/GIDs so don't allow chown. To | ||
298 | 67 | # properly support chown, we need to have syscall arg filtering (LP: #1446748) | ||
299 | 68 | # and per-app UID/GIDs. | ||
300 | 69 | #chown | ||
301 | 70 | #chown32 | ||
302 | 71 | #fchown | ||
303 | 72 | #fchown32 | ||
304 | 73 | #fchownat | ||
305 | 74 | #lchown | ||
306 | 75 | #lchown32 | ||
307 | 76 | |||
308 | 77 | clock_getres | ||
309 | 78 | clock_gettime | ||
310 | 79 | clock_nanosleep | ||
311 | 80 | clone | ||
312 | 81 | close | ||
313 | 82 | creat | ||
314 | 83 | dup | ||
315 | 84 | dup2 | ||
316 | 85 | dup3 | ||
317 | 86 | epoll_create | ||
318 | 87 | epoll_create1 | ||
319 | 88 | epoll_ctl | ||
320 | 89 | epoll_ctl_old | ||
321 | 90 | epoll_pwait | ||
322 | 91 | epoll_wait | ||
323 | 92 | epoll_wait_old | ||
324 | 93 | eventfd | ||
325 | 94 | eventfd2 | ||
326 | 95 | execve | ||
327 | 96 | execveat | ||
328 | 97 | _exit | ||
329 | 98 | exit | ||
330 | 99 | exit_group | ||
331 | 100 | fallocate | ||
332 | 101 | |||
333 | 102 | # requires CAP_SYS_ADMIN | ||
334 | 103 | #fanotify_init | ||
335 | 104 | #fanotify_mark | ||
336 | 105 | |||
337 | 106 | fcntl | ||
338 | 107 | fcntl64 | ||
339 | 108 | flock | ||
340 | 109 | fork | ||
341 | 110 | ftime | ||
342 | 111 | futex | ||
343 | 112 | get_mempolicy | ||
344 | 113 | get_robust_list | ||
345 | 114 | get_thread_area | ||
346 | 115 | getcpu | ||
347 | 116 | getcwd | ||
348 | 117 | getdents | ||
349 | 118 | getdents64 | ||
350 | 119 | getegid | ||
351 | 120 | getegid32 | ||
352 | 121 | geteuid | ||
353 | 122 | geteuid32 | ||
354 | 123 | getgid | ||
355 | 124 | getgid32 | ||
356 | 125 | getgroups | ||
357 | 126 | getgroups32 | ||
358 | 127 | getitimer | ||
359 | 128 | getpgid | ||
360 | 129 | getpgrp | ||
361 | 130 | getpid | ||
362 | 131 | getppid | ||
363 | 132 | getpriority | ||
364 | 133 | getrandom | ||
365 | 134 | getresgid | ||
366 | 135 | getresgid32 | ||
367 | 136 | getresuid | ||
368 | 137 | getresuid32 | ||
369 | 138 | |||
370 | 139 | getrlimit | ||
371 | 140 | ugetrlimit | ||
372 | 141 | |||
373 | 142 | getrusage | ||
374 | 143 | getsid | ||
375 | 144 | gettid | ||
376 | 145 | gettimeofday | ||
377 | 146 | getuid | ||
378 | 147 | getuid32 | ||
379 | 148 | |||
380 | 149 | getxattr | ||
381 | 150 | fgetxattr | ||
382 | 151 | lgetxattr | ||
383 | 152 | |||
384 | 153 | inotify_add_watch | ||
385 | 154 | inotify_init | ||
386 | 155 | inotify_init1 | ||
387 | 156 | inotify_rm_watch | ||
388 | 157 | |||
389 | 158 | # Needed by shell | ||
390 | 159 | ioctl | ||
391 | 160 | |||
392 | 161 | io_cancel | ||
393 | 162 | io_destroy | ||
394 | 163 | io_getevents | ||
395 | 164 | io_setup | ||
396 | 165 | io_submit | ||
397 | 166 | ioprio_get | ||
398 | 167 | # affects other processes, requires CAP_SYS_ADMIN. Potentially allow with | ||
399 | 168 | # syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748) | ||
400 | 169 | #ioprio_set | ||
401 | 170 | |||
402 | 171 | ipc | ||
403 | 172 | kill | ||
404 | 173 | link | ||
405 | 174 | linkat | ||
406 | 175 | |||
407 | 176 | listxattr | ||
408 | 177 | llistxattr | ||
409 | 178 | flistxattr | ||
410 | 179 | |||
411 | 180 | lseek | ||
412 | 181 | llseek | ||
413 | 182 | _llseek | ||
414 | 183 | lstat | ||
415 | 184 | lstat64 | ||
416 | 185 | |||
417 | 186 | madvise | ||
418 | 187 | fadvise64 | ||
419 | 188 | fadvise64_64 | ||
420 | 189 | arm_fadvise64_64 | ||
421 | 190 | |||
422 | 191 | mbind | ||
423 | 192 | mincore | ||
424 | 193 | mkdir | ||
425 | 194 | mkdirat | ||
426 | 195 | mlock | ||
427 | 196 | mlockall | ||
428 | 197 | mmap | ||
429 | 198 | mmap2 | ||
430 | 199 | mprotect | ||
431 | 200 | |||
432 | 201 | # LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now | ||
433 | 202 | #mq_getsetattr | ||
434 | 203 | #mq_notify | ||
435 | 204 | #mq_open | ||
436 | 205 | #mq_timedreceive | ||
437 | 206 | #mq_timedsend | ||
438 | 207 | #mq_unlink | ||
439 | 208 | |||
440 | 209 | mremap | ||
441 | 210 | msgctl | ||
442 | 211 | msgget | ||
443 | 212 | msgrcv | ||
444 | 213 | msgsnd | ||
445 | 214 | msync | ||
446 | 215 | munlock | ||
447 | 216 | munlockall | ||
448 | 217 | munmap | ||
449 | 218 | |||
450 | 219 | nanosleep | ||
451 | 220 | |||
452 | 221 | # LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set | ||
453 | 222 | # RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value | ||
454 | 223 | # and allow this call | ||
455 | 224 | #nice | ||
456 | 225 | |||
457 | 226 | # LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT | ||
458 | 227 | open | ||
459 | 228 | |||
460 | 229 | openat | ||
461 | 230 | pause | ||
462 | 231 | pipe | ||
463 | 232 | pipe2 | ||
464 | 233 | poll | ||
465 | 234 | ppoll | ||
466 | 235 | |||
467 | 236 | # LP: #1446748 - support syscall arg filtering | ||
468 | 237 | prctl | ||
469 | 238 | arch_prctl | ||
470 | 239 | |||
471 | 240 | read | ||
472 | 241 | pread | ||
473 | 242 | pread64 | ||
474 | 243 | preadv | ||
475 | 244 | readv | ||
476 | 245 | |||
477 | 246 | readahead | ||
478 | 247 | readdir | ||
479 | 248 | readlink | ||
480 | 249 | readlinkat | ||
481 | 250 | remap_file_pages | ||
482 | 251 | |||
483 | 252 | removexattr | ||
484 | 253 | fremovexattr | ||
485 | 254 | lremovexattr | ||
486 | 255 | |||
487 | 256 | rename | ||
488 | 257 | renameat | ||
489 | 258 | renameat2 | ||
490 | 259 | |||
491 | 260 | # The man page says this shouldn't be needed, but we've seen denials for it | ||
492 | 261 | # in the wild | ||
493 | 262 | restart_syscall | ||
494 | 263 | |||
495 | 264 | rmdir | ||
496 | 265 | rt_sigaction | ||
497 | 266 | rt_sigpending | ||
498 | 267 | rt_sigprocmask | ||
499 | 268 | rt_sigqueueinfo | ||
500 | 269 | rt_sigreturn | ||
501 | 270 | rt_sigsuspend | ||
502 | 271 | rt_sigtimedwait | ||
503 | 272 | rt_tgsigqueueinfo | ||
504 | 273 | sched_getaffinity | ||
505 | 274 | sched_getattr | ||
506 | 275 | sched_getparam | ||
507 | 276 | sched_get_priority_max | ||
508 | 277 | sched_get_priority_min | ||
509 | 278 | sched_getscheduler | ||
510 | 279 | sched_rr_get_interval | ||
511 | 280 | # LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the | ||
512 | 281 | # app may only change its own scheduler | ||
513 | 282 | sched_setscheduler | ||
514 | 283 | |||
515 | 284 | sched_yield | ||
516 | 285 | |||
517 | 286 | select | ||
518 | 287 | _newselect | ||
519 | 288 | pselect | ||
520 | 289 | pselect6 | ||
521 | 290 | |||
522 | 291 | semctl | ||
523 | 292 | semget | ||
524 | 293 | semop | ||
525 | 294 | semtimedop | ||
526 | 295 | sendfile | ||
527 | 296 | sendfile64 | ||
528 | 297 | |||
529 | 298 | # snappy doesn't currently support per-app UID/GIDs so don't allow this family | ||
530 | 299 | # of syscalls. To properly support these, we need to have syscall arg filtering | ||
531 | 300 | # (LP: #1446748) and per-app UID/GIDs. | ||
532 | 301 | #setgid | ||
533 | 302 | #setgid32 | ||
534 | 303 | #setgroups | ||
535 | 304 | #setgroups32 | ||
536 | 305 | #setregid | ||
537 | 306 | #setregid32 | ||
538 | 307 | #setresgid | ||
539 | 308 | #setresgid32 | ||
540 | 309 | #setresuid | ||
541 | 310 | #setresuid32 | ||
542 | 311 | #setreuid | ||
543 | 312 | #setreuid32 | ||
544 | 313 | #setuid | ||
545 | 314 | #setuid32 | ||
546 | 315 | |||
547 | 316 | # These break isolation but are common and can't be mediated at the seccomp | ||
548 | 317 | # level with arg filtering | ||
549 | 318 | setpgid | ||
550 | 319 | setpgrp | ||
551 | 320 | |||
552 | 321 | set_thread_area | ||
553 | 322 | setitimer | ||
554 | 323 | |||
555 | 324 | # apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard | ||
556 | 325 | # limits | ||
557 | 326 | setrlimit | ||
558 | 327 | prlimit64 | ||
559 | 328 | |||
560 | 329 | set_mempolicy | ||
561 | 330 | set_robust_list | ||
562 | 331 | setsid | ||
563 | 332 | set_tid_address | ||
564 | 333 | |||
565 | 334 | setxattr | ||
566 | 335 | fsetxattr | ||
567 | 336 | lsetxattr | ||
568 | 337 | |||
569 | 338 | shmat | ||
570 | 339 | shmctl | ||
571 | 340 | shmdt | ||
572 | 341 | shmget | ||
573 | 342 | signal | ||
574 | 343 | sigaction | ||
575 | 344 | signalfd | ||
576 | 345 | signalfd4 | ||
577 | 346 | sigaltstack | ||
578 | 347 | sigpending | ||
579 | 348 | sigprocmask | ||
580 | 349 | sigreturn | ||
581 | 350 | sigsuspend | ||
582 | 351 | sigtimedwait | ||
583 | 352 | sigwaitinfo | ||
584 | 353 | |||
585 | 354 | # Per man page, on Linux this is limited to only AF_UNIX so it is ok to have | ||
586 | 355 | # in the default template | ||
587 | 356 | socketpair | ||
588 | 357 | |||
589 | 358 | splice | ||
590 | 359 | |||
591 | 360 | stat | ||
592 | 361 | stat64 | ||
593 | 362 | fstat | ||
594 | 363 | fstat64 | ||
595 | 364 | fstatat64 | ||
596 | 365 | lstat | ||
597 | 366 | newfstatat | ||
598 | 367 | oldfstat | ||
599 | 368 | oldlstat | ||
600 | 369 | oldstat | ||
601 | 370 | |||
602 | 371 | statfs | ||
603 | 372 | statfs64 | ||
604 | 373 | fstatfs | ||
605 | 374 | fstatfs64 | ||
606 | 375 | statvfs | ||
607 | 376 | fstatvfs | ||
608 | 377 | ustat | ||
609 | 378 | |||
610 | 379 | symlink | ||
611 | 380 | symlinkat | ||
612 | 381 | |||
613 | 382 | sync | ||
614 | 383 | sync_file_range | ||
615 | 384 | sync_file_range2 | ||
616 | 385 | arm_sync_file_range | ||
617 | 386 | fdatasync | ||
618 | 387 | fsync | ||
619 | 388 | syncfs | ||
620 | 389 | sysinfo | ||
621 | 390 | syslog | ||
622 | 391 | tee | ||
623 | 392 | tgkill | ||
624 | 393 | time | ||
625 | 394 | timer_create | ||
626 | 395 | timer_delete | ||
627 | 396 | timer_getoverrun | ||
628 | 397 | timer_gettime | ||
629 | 398 | timer_settime | ||
630 | 399 | timerfd_create | ||
631 | 400 | timerfd_gettime | ||
632 | 401 | timerfd_settime | ||
633 | 402 | times | ||
634 | 403 | tkill | ||
635 | 404 | |||
636 | 405 | truncate | ||
637 | 406 | truncate64 | ||
638 | 407 | ftruncate | ||
639 | 408 | ftruncate64 | ||
640 | 409 | |||
641 | 410 | umask | ||
642 | 411 | |||
643 | 412 | uname | ||
644 | 413 | olduname | ||
645 | 414 | oldolduname | ||
646 | 415 | |||
647 | 416 | unlink | ||
648 | 417 | unlinkat | ||
649 | 418 | |||
650 | 419 | utime | ||
651 | 420 | utimensat | ||
652 | 421 | utimes | ||
653 | 422 | futimesat | ||
654 | 423 | |||
655 | 424 | vfork | ||
656 | 425 | vmsplice | ||
657 | 426 | wait4 | ||
658 | 427 | oldwait4 | ||
659 | 428 | waitpid | ||
660 | 429 | waitid | ||
661 | 430 | |||
662 | 431 | write | ||
663 | 432 | writev | ||
664 | 433 | pwrite | ||
665 | 434 | pwrite64 | ||
666 | 435 | pwritev | ||
667 | 436 | |||
668 | 437 | # Can communicate with DBus system service | ||
669 | 438 | accept | ||
670 | 439 | accept4 | ||
671 | 440 | bind | ||
672 | 441 | connect | ||
673 | 442 | getpeername | ||
674 | 443 | getsockname | ||
675 | 444 | getsockopt | ||
676 | 445 | listen | ||
677 | 446 | recv | ||
678 | 447 | recvfrom | ||
679 | 448 | recvmmsg | ||
680 | 449 | recvmsg | ||
681 | 450 | send | ||
682 | 451 | sendmmsg | ||
683 | 452 | sendmsg | ||
684 | 453 | sendto | ||
685 | 454 | setsockopt | ||
686 | 455 | shutdown | ||
687 | 456 | socketpair | ||
688 | 457 | socket | ||
689 | 458 | 0 | ||
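Review bot: with bluez.seccomp removed, the syscall allow-list bluetoothd runs under is now whatever the bluez interface's template provides, and nothing in the proposal says that template was compared against this file. The parts most likely to differ from a generic template are the socket family at the end (`socket`, `bind`, `listen`, `accept4`, `setsockopt`, `sendmsg`/`recvmsg`), which the removed comment labels only as "Can communicate with DBus system service" although the companion AppArmor profile's `network bluetooth,` rule shows the daemon also opens Bluetooth sockets, and the unfiltered `ioctl` entry that the comment justifies as "Needed by shell". Please note in the description that bluetoothd was exercised under the new interface with confinement enforced, not just that the snap builds. Minor: the removed list carried `lstat` and `socketpair` twice; moot after this removal, but worth checking that the same duplication is not in the interface template.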
690 | === removed file 'obex.apparmor' | |||
691 | --- obex.apparmor 2016-02-01 18:56:32 +0000 | |||
692 | +++ obex.apparmor 1970-01-01 00:00:00 +0000 | |||
693 | @@ -1,225 +0,0 @@ | |||
694 | 1 | # | ||
695 | 2 | # AppArmor confinement for bluez obexd | ||
696 | 3 | # | ||
697 | 4 | |||
698 | 5 | #include <tunables/global> | ||
699 | 6 | |||
700 | 7 | # Specified profile variables | ||
701 | 8 | ###VAR### | ||
702 | 9 | |||
703 | 10 | ###PROFILEATTACH### (attach_disconnected) { | ||
704 | 11 | #include <abstractions/base> | ||
705 | 12 | #include <abstractions/nameservice> | ||
706 | 13 | #include <abstractions/openssl> | ||
707 | 14 | |||
708 | 15 | # Explicitly deny ptrace for now since it can be abused to break out of the | ||
709 | 16 | # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 | ||
710 | 17 | audit deny ptrace (trace), | ||
711 | 18 | |||
712 | 19 | # Explicitly deny mount, remount and umount | ||
713 | 20 | audit deny mount, | ||
714 | 21 | audit deny remount, | ||
715 | 22 | audit deny umount, | ||
716 | 23 | |||
717 | 24 | # Read-only for the install directory | ||
718 | 25 | @{CLICK_DIR}/@{APP_PKGNAME}/ r, | ||
719 | 26 | @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r, | ||
720 | 27 | @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix, | ||
721 | 28 | |||
722 | 29 | # Read-only home area for other versions | ||
723 | 30 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/ r, | ||
724 | 31 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ r, | ||
725 | 32 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix, | ||
726 | 33 | |||
727 | 34 | # Writable home area for this version. | ||
728 | 35 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ w, | ||
729 | 36 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl, | ||
730 | 37 | |||
731 | 38 | # Read-only system area for other versions | ||
732 | 39 | /var/lib/snaps/@{APP_PKGNAME}/ r, | ||
733 | 40 | /var/lib/snaps/@{APP_PKGNAME}/** mrkix, | ||
734 | 41 | |||
735 | 42 | # Writable system area only for this version | ||
736 | 43 | /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ w, | ||
737 | 44 | /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl, | ||
738 | 45 | |||
739 | 46 | # The ubuntu-core-launcher creates an app-specific private restricted /tmp | ||
740 | 47 | # and will fail to launch the app if something goes wrong. As such, we can | ||
741 | 48 | # simply allow full access to /tmp. | ||
742 | 49 | /tmp/ r, | ||
743 | 50 | /tmp/** mrwlkix, | ||
744 | 51 | |||
745 | 52 | # Miscellaneous accesses | ||
746 | 53 | /etc/mime.types r, | ||
747 | 54 | @{PROC}/ r, | ||
748 | 55 | /etc/{,writable/}hostname r, | ||
749 | 56 | /etc/{,writable/}localtime r, | ||
750 | 57 | /etc/{,writable/}timezone r, | ||
751 | 58 | @{PROC}/sys/kernel/hostname r, | ||
752 | 59 | @{PROC}/sys/kernel/osrelease r, | ||
753 | 60 | @{PROC}/sys/fs/file-max r, | ||
754 | 61 | @{PROC}/sys/kernel/pid_max r, | ||
755 | 62 | # this leaks interface names and stats, but not in a way that is traceable | ||
756 | 63 | # to the user/device | ||
757 | 64 | @{PROC}/net/dev r, | ||
758 | 65 | |||
759 | 66 | # | ||
760 | 67 | # Various accesses that may or may not be required for your framework. | ||
761 | 68 | # Adjust as necessary for your services. | ||
762 | 69 | # | ||
763 | 70 | |||
764 | 71 | # Shell (do not usually need abstractions/bash) | ||
765 | 72 | #include <abstractions/consoles> | ||
766 | 73 | /bin/bash ixr, | ||
767 | 74 | /bin/dash ixr, | ||
768 | 75 | /etc/bash.bashrc r, | ||
769 | 76 | /usr/share/terminfo/** r, | ||
770 | 77 | /etc/inputrc r, | ||
771 | 78 | deny @{HOME}/.inputrc r, | ||
772 | 79 | # Common utilities for shell scripts | ||
773 | 80 | /{,usr/}bin/{,g,m}awk ixr, | ||
774 | 81 | /{,usr/}bin/basename ixr, | ||
775 | 82 | /{,usr/}bin/bunzip2 ixr, | ||
776 | 83 | /{,usr/}bin/bzcat ixr, | ||
777 | 84 | /{,usr/}bin/bzdiff ixr, | ||
778 | 85 | /{,usr/}bin/bzgrep ixr, | ||
779 | 86 | /{,usr/}bin/bzip2 ixr, | ||
780 | 87 | /{,usr/}bin/cat ixr, | ||
781 | 88 | /{,usr/}bin/chmod ixr, | ||
782 | 89 | /{,usr/}bin/cmp ixr, | ||
783 | 90 | /{,usr/}bin/cp ixr, | ||
784 | 91 | /{,usr/}bin/cpio ixr, | ||
785 | 92 | /{,usr/}bin/cut ixr, | ||
786 | 93 | /{,usr/}bin/date ixr, | ||
787 | 94 | /{,usr/}bin/dd ixr, | ||
788 | 95 | /{,usr/}bin/diff{,3} ixr, | ||
789 | 96 | /{,usr/}bin/dir ixr, | ||
790 | 97 | /{,usr/}bin/dirname ixr, | ||
791 | 98 | /{,usr/}bin/echo ixr, | ||
792 | 99 | /{,usr/}bin/{,e,f,r}grep ixr, | ||
793 | 100 | /{,usr/}bin/env ixr, | ||
794 | 101 | /{,usr/}bin/expr ixr, | ||
795 | 102 | /{,usr/}bin/false ixr, | ||
796 | 103 | /{,usr/}bin/find ixr, | ||
797 | 104 | /{,usr/}bin/fmt ixr, | ||
798 | 105 | /{,usr/}bin/getopt ixr, | ||
799 | 106 | /{,usr/}bin/head ixr, | ||
800 | 107 | /{,usr/}bin/hostname ixr, | ||
801 | 108 | /{,usr/}bin/id ixr, | ||
802 | 109 | /{,usr/}bin/igawk ixr, | ||
803 | 110 | /{,usr/}bin/kill ixr, | ||
804 | 111 | /{,usr/}bin/ldd ixr, | ||
805 | 112 | /{,usr/}bin/ln ixr, | ||
806 | 113 | /{,usr/}bin/line ixr, | ||
807 | 114 | /{,usr/}bin/link ixr, | ||
808 | 115 | /{,usr/}bin/logger ixr, | ||
809 | 116 | /{,usr/}bin/ls ixr, | ||
810 | 117 | /{,usr/}bin/md5sum ixr, | ||
811 | 118 | /{,usr/}bin/mkdir ixr, | ||
812 | 119 | /{,usr/}bin/mktemp ixr, | ||
813 | 120 | /{,usr/}bin/mv ixr, | ||
814 | 121 | /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial | ||
815 | 122 | /{,usr/}bin/pgrep ixr, | ||
816 | 123 | /{,usr/}bin/printenv ixr, | ||
817 | 124 | /{,usr/}bin/printf ixr, | ||
818 | 125 | /{,usr/}bin/ps ixr, | ||
819 | 126 | /{,usr/}bin/pwd ixr, | ||
820 | 127 | /{,usr/}bin/readlink ixr, | ||
821 | 128 | /{,usr/}bin/realpath ixr, | ||
822 | 129 | /{,usr/}bin/rev ixr, | ||
823 | 130 | /{,usr/}bin/rm ixr, | ||
824 | 131 | /{,usr/}bin/rmdir ixr, | ||
825 | 132 | /{,usr/}bin/sed ixr, | ||
826 | 133 | /{,usr/}bin/seq ixr, | ||
827 | 134 | /{,usr/}bin/sleep ixr, | ||
828 | 135 | /{,usr/}bin/sort ixr, | ||
829 | 136 | /{,usr/}bin/stat ixr, | ||
830 | 137 | /{,usr/}bin/tac ixr, | ||
831 | 138 | /{,usr/}bin/tail ixr, | ||
832 | 139 | /{,usr/}bin/tar ixr, | ||
833 | 140 | /{,usr/}bin/tee ixr, | ||
834 | 141 | /{,usr/}bin/test ixr, | ||
835 | 142 | /{,usr/}bin/tempfile ixr, | ||
836 | 143 | /{,usr/}bin/touch ixr, | ||
837 | 144 | /{,usr/}bin/tr ixr, | ||
838 | 145 | /{,usr/}bin/true ixr, | ||
839 | 146 | /{,usr/}bin/uname ixr, | ||
840 | 147 | /{,usr/}bin/uniq ixr, | ||
841 | 148 | /{,usr/}bin/unlink ixr, | ||
842 | 149 | /{,usr/}bin/unxz ixr, | ||
843 | 150 | /{,usr/}bin/unzip ixr, | ||
844 | 151 | /{,usr/}bin/vdir ixr, | ||
845 | 152 | /{,usr/}bin/wc ixr, | ||
846 | 153 | /{,usr/}bin/which ixr, | ||
847 | 154 | /{,usr/}bin/xargs ixr, | ||
848 | 155 | /{,usr/}bin/xz ixr, | ||
849 | 156 | /{,usr/}bin/yes ixr, | ||
850 | 157 | /{,usr/}bin/zcat ixr, | ||
851 | 158 | /{,usr/}bin/z{,e,f}grep ixr, | ||
852 | 159 | /{,usr/}bin/zip ixr, | ||
853 | 160 | /{,usr/}bin/zipgrep ixr, | ||
854 | 161 | /{,usr/}bin/uptime ixr, | ||
855 | 162 | @{PROC}/uptime r, | ||
856 | 163 | @{PROC}/loadavg r, | ||
857 | 164 | |||
858 | 165 | # | ||
859 | 166 | # Framework service/binary specific rules below here | ||
860 | 167 | # | ||
861 | 168 | network bluetooth, | ||
862 | 169 | |||
863 | 170 | capability net_admin, | ||
864 | 171 | capability net_bind_service, | ||
865 | 172 | |||
866 | 173 | # File accesses | ||
867 | 174 | /sys/bus/usb/drivers/btusb/ r, | ||
868 | 175 | /sys/bus/usb/drivers/btusb/** r, | ||
869 | 176 | /sys/class/bluetooth/ r, | ||
870 | 177 | /sys/devices/**/bluetooth/ rw, | ||
871 | 178 | /sys/devices/**/bluetooth/** rw, | ||
872 | 179 | /sys/devices/**/id/chassis_type r, | ||
873 | 180 | |||
874 | 181 | # TODO: use snappy hardware assignment for this once LP: #1498917 is fixed | ||
875 | 182 | /dev/rfkill rw, | ||
876 | 183 | |||
877 | 184 | # DBus accesses | ||
878 | 185 | #include <abstractions/dbus-strict> | ||
879 | 186 | dbus (send) | ||
880 | 187 | bus=system | ||
881 | 188 | path=/org/freedesktop/DBus | ||
882 | 189 | interface=org.freedesktop.DBus | ||
883 | 190 | member={Request,Release}Name | ||
884 | 191 | peer=(name=org.freedesktop.DBus), | ||
885 | 192 | |||
886 | 193 | dbus (send) | ||
887 | 194 | bus=system | ||
888 | 195 | path=/org/freedesktop/* | ||
889 | 196 | interface=org.freedesktop.DBus.Properties | ||
890 | 197 | peer=(label=unconfined), | ||
891 | 198 | |||
892 | 199 | dbus (send) | ||
893 | 200 | bus=system | ||
894 | 201 | path=/org/freedesktop/* | ||
895 | 202 | interface=org.freedesktop.DBus.ObjectManager | ||
896 | 203 | peer=(label=unconfined), | ||
897 | 204 | |||
898 | 205 | # Allow binding the service to the requested connection name | ||
899 | 206 | dbus (bind) | ||
900 | 207 | bus=system | ||
901 | 208 | name="org.bluez.obex", | ||
902 | 209 | |||
903 | 210 | # Allow traffic to/from our path and interface with any method | ||
904 | 211 | dbus (receive, send) | ||
905 | 212 | bus=system | ||
906 | 213 | path=/org/bluez{,/**} | ||
907 | 214 | interface=org.bluez.*, | ||
908 | 215 | |||
909 | 216 | # Allow traffic to/from org.freedesktop.DBus for bluez service | ||
910 | 217 | dbus (receive, send) | ||
911 | 218 | bus=system | ||
912 | 219 | path=/ | ||
913 | 220 | interface=org.freedesktop.DBus.**, | ||
914 | 221 | dbus (receive, send) | ||
915 | 222 | bus=system | ||
916 | 223 | path=/org/bluez{,/**} | ||
917 | 224 | interface=org.freedesktop.DBus.**, | ||
918 | 225 | } | ||
919 | 226 | 0 | ||
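Review bot: removing this profile drops the only `dbus (bind) bus=system name="org.bluez.obex"` rule and the `/dev/rfkill rw` access that carried the LP: #1498917 TODO, and neither is reintroduced elsewhere in this branch; confirm that the ubuntu-core bluez interface slot policy grants obexd the org.bluez.obex well-known name and the rfkill access, otherwise obexd will be denied at startup under the new interface. A pointer to the interface revision this was tested against, in the commit message or next to the slot definition in snapcraft.yaml, would make that dependency checkable later.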
920 | === removed file 'obex.seccomp' | |||
921 | --- obex.seccomp 2016-01-28 01:28:49 +0000 | |||
922 | +++ obex.seccomp 1970-01-01 00:00:00 +0000 | |||
923 | @@ -1,457 +0,0 @@ | |||
924 | 1 | # | ||
925 | 2 | # Seccomp policy for bluez | ||
926 | 3 | # | ||
927 | 4 | |||
928 | 5 | # Dangerous syscalls that we don't ever want to allow | ||
929 | 6 | |||
930 | 7 | # kexec | ||
931 | 8 | # EXPLICITLY DENY kexec_load | ||
932 | 9 | |||
933 | 10 | # kernel modules | ||
934 | 11 | # EXPLICITLY DENY create_module | ||
935 | 12 | # EXPLICITLY DENY init_module | ||
936 | 13 | # EXPLICITLY DENY finit_module | ||
937 | 14 | # EXPLICITLY DENY delete_module | ||
938 | 15 | |||
939 | 16 | # these have a history of vulnerabilities, are not widely used, and | ||
940 | 17 | # open_by_handle_at has been used to break out of docker containers by brute | ||
941 | 18 | # forcing the handle value: http://stealth.openwall.net/xSports/shocker.c | ||
942 | 19 | # EXPLICITLY DENY name_to_handle_at | ||
943 | 20 | # EXPLICITLY DENY open_by_handle_at | ||
944 | 21 | |||
945 | 22 | # Explicitly deny ptrace since it can be abused to break out of the seccomp | ||
946 | 23 | # sandbox | ||
947 | 24 | # EXPLICITLY DENY ptrace | ||
948 | 25 | |||
949 | 26 | # Explicitly deny capability mknod so apps can't create devices | ||
950 | 27 | # EXPLICITLY DENY mknod | ||
951 | 28 | # EXPLICITLY DENY mknodat | ||
952 | 29 | |||
953 | 30 | # Explicitly deny (u)mount so apps can't change mounts in their namespace | ||
954 | 31 | # EXPLICITLY DENY mount | ||
955 | 32 | # EXPLICITLY DENY umount | ||
956 | 33 | # EXPLICITLY DENY umount2 | ||
957 | 34 | |||
958 | 35 | # Explicitly deny kernel keyring access | ||
959 | 36 | # EXPLICITLY DENY add_key | ||
960 | 37 | # EXPLICITLY DENY keyctl | ||
961 | 38 | # EXPLICITLY DENY request_key | ||
962 | 39 | |||
963 | 40 | # end dangerous syscalls | ||
964 | 41 | |||
965 | 42 | access | ||
966 | 43 | faccessat | ||
967 | 44 | |||
968 | 45 | alarm | ||
969 | 46 | brk | ||
970 | 47 | |||
971 | 48 | # ARM private syscalls | ||
972 | 49 | breakpoint | ||
973 | 50 | cacheflush | ||
974 | 51 | set_tls | ||
975 | 52 | usr26 | ||
976 | 53 | usr32 | ||
977 | 54 | |||
978 | 55 | capget | ||
979 | 56 | |||
980 | 57 | chdir | ||
981 | 58 | fchdir | ||
982 | 59 | |||
983 | 60 | # We can't effectively block file perms due to open() with O_CREAT, so allow | ||
984 | 61 | # chmod until we have syscall arg filtering (LP: #1446748) | ||
985 | 62 | chmod | ||
986 | 63 | fchmod | ||
987 | 64 | fchmodat | ||
988 | 65 | |||
989 | 66 | # snappy doesn't currently support per-app UID/GIDs so don't allow chown. To | ||
990 | 67 | # properly support chown, we need to have syscall arg filtering (LP: #1446748) | ||
991 | 68 | # and per-app UID/GIDs. | ||
992 | 69 | #chown | ||
993 | 70 | #chown32 | ||
994 | 71 | #fchown | ||
995 | 72 | #fchown32 | ||
996 | 73 | #fchownat | ||
997 | 74 | #lchown | ||
998 | 75 | #lchown32 | ||
999 | 76 | |||
1000 | 77 | clock_getres | ||
1001 | 78 | clock_gettime | ||
1002 | 79 | clock_nanosleep | ||
1003 | 80 | clone | ||
1004 | 81 | close | ||
1005 | 82 | creat | ||
1006 | 83 | dup | ||
1007 | 84 | dup2 | ||
1008 | 85 | dup3 | ||
1009 | 86 | epoll_create | ||
1010 | 87 | epoll_create1 | ||
1011 | 88 | epoll_ctl | ||
1012 | 89 | epoll_ctl_old | ||
1013 | 90 | epoll_pwait | ||
1014 | 91 | epoll_wait | ||
1015 | 92 | epoll_wait_old | ||
1016 | 93 | eventfd | ||
1017 | 94 | eventfd2 | ||
1018 | 95 | execve | ||
1019 | 96 | execveat | ||
1020 | 97 | _exit | ||
1021 | 98 | exit | ||
1022 | 99 | exit_group | ||
1023 | 100 | fallocate | ||
1024 | 101 | |||
1025 | 102 | # requires CAP_SYS_ADMIN | ||
1026 | 103 | #fanotify_init | ||
1027 | 104 | #fanotify_mark | ||
1028 | 105 | |||
1029 | 106 | fcntl | ||
1030 | 107 | fcntl64 | ||
1031 | 108 | flock | ||
1032 | 109 | fork | ||
1033 | 110 | ftime | ||
1034 | 111 | futex | ||
1035 | 112 | get_mempolicy | ||
1036 | 113 | get_robust_list | ||
1037 | 114 | get_thread_area | ||
1038 | 115 | getcpu | ||
1039 | 116 | getcwd | ||
1040 | 117 | getdents | ||
1041 | 118 | getdents64 | ||
1042 | 119 | getegid | ||
1043 | 120 | getegid32 | ||
1044 | 121 | geteuid | ||
1045 | 122 | geteuid32 | ||
1046 | 123 | getgid | ||
1047 | 124 | getgid32 | ||
1048 | 125 | getgroups | ||
1049 | 126 | getgroups32 | ||
1050 | 127 | getitimer | ||
1051 | 128 | getpgid | ||
1052 | 129 | getpgrp | ||
1053 | 130 | getpid | ||
1054 | 131 | getppid | ||
1055 | 132 | getpriority | ||
1056 | 133 | getrandom | ||
1057 | 134 | getresgid | ||
1058 | 135 | getresgid32 | ||
1059 | 136 | getresuid | ||
1060 | 137 | getresuid32 | ||
1061 | 138 | |||
1062 | 139 | getrlimit | ||
1063 | 140 | ugetrlimit | ||
1064 | 141 | |||
1065 | 142 | getrusage | ||
1066 | 143 | getsid | ||
1067 | 144 | gettid | ||
1068 | 145 | gettimeofday | ||
1069 | 146 | getuid | ||
1070 | 147 | getuid32 | ||
1071 | 148 | |||
1072 | 149 | getxattr | ||
1073 | 150 | fgetxattr | ||
1074 | 151 | lgetxattr | ||
1075 | 152 | |||
1076 | 153 | inotify_add_watch | ||
1077 | 154 | inotify_init | ||
1078 | 155 | inotify_init1 | ||
1079 | 156 | inotify_rm_watch | ||
1080 | 157 | |||
1081 | 158 | # Needed by shell | ||
1082 | 159 | ioctl | ||
1083 | 160 | |||
1084 | 161 | io_cancel | ||
1085 | 162 | io_destroy | ||
1086 | 163 | io_getevents | ||
1087 | 164 | io_setup | ||
1088 | 165 | io_submit | ||
1089 | 166 | ioprio_get | ||
1090 | 167 | # affects other processes, requires CAP_SYS_ADMIN. Potentially allow with | ||
1091 | 168 | # syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748) | ||
1092 | 169 | #ioprio_set | ||
1093 | 170 | |||
1094 | 171 | ipc | ||
1095 | 172 | kill | ||
1096 | 173 | link | ||
1097 | 174 | linkat | ||
1098 | 175 | |||
1099 | 176 | listxattr | ||
1100 | 177 | llistxattr | ||
1101 | 178 | flistxattr | ||
1102 | 179 | |||
1103 | 180 | lseek | ||
1104 | 181 | llseek | ||
1105 | 182 | _llseek | ||
1106 | 183 | lstat | ||
1107 | 184 | lstat64 | ||
1108 | 185 | |||
1109 | 186 | madvise | ||
1110 | 187 | fadvise64 | ||
1111 | 188 | fadvise64_64 | ||
1112 | 189 | arm_fadvise64_64 | ||
1113 | 190 | |||
1114 | 191 | mbind | ||
1115 | 192 | mincore | ||
1116 | 193 | mkdir | ||
1117 | 194 | mkdirat | ||
1118 | 195 | mlock | ||
1119 | 196 | mlockall | ||
1120 | 197 | mmap | ||
1121 | 198 | mmap2 | ||
1122 | 199 | mprotect | ||
1123 | 200 | |||
1124 | 201 | # LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now | ||
1125 | 202 | #mq_getsetattr | ||
1126 | 203 | #mq_notify | ||
1127 | 204 | #mq_open | ||
1128 | 205 | #mq_timedreceive | ||
1129 | 206 | #mq_timedsend | ||
1130 | 207 | #mq_unlink | ||
1131 | 208 | |||
1132 | 209 | mremap | ||
1133 | 210 | msgctl | ||
1134 | 211 | msgget | ||
1135 | 212 | msgrcv | ||
1136 | 213 | msgsnd | ||
1137 | 214 | msync | ||
1138 | 215 | munlock | ||
1139 | 216 | munlockall | ||
1140 | 217 | munmap | ||
1141 | 218 | |||
1142 | 219 | nanosleep | ||
1143 | 220 | |||
1144 | 221 | # LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set | ||
1145 | 222 | # RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value | ||
1146 | 223 | # and allow this call | ||
1147 | 224 | #nice | ||
1148 | 225 | |||
1149 | 226 | # LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT | ||
1150 | 227 | open | ||
1151 | 228 | |||
1152 | 229 | openat | ||
1153 | 230 | pause | ||
1154 | 231 | pipe | ||
1155 | 232 | pipe2 | ||
1156 | 233 | poll | ||
1157 | 234 | ppoll | ||
1158 | 235 | |||
1159 | 236 | # LP: #1446748 - support syscall arg filtering | ||
1160 | 237 | prctl | ||
1161 | 238 | arch_prctl | ||
1162 | 239 | |||
1163 | 240 | read | ||
1164 | 241 | pread | ||
1165 | 242 | pread64 | ||
1166 | 243 | preadv | ||
1167 | 244 | readv | ||
1168 | 245 | |||
1169 | 246 | readahead | ||
1170 | 247 | readdir | ||
1171 | 248 | readlink | ||
1172 | 249 | readlinkat | ||
1173 | 250 | remap_file_pages | ||
1174 | 251 | |||
1175 | 252 | removexattr | ||
1176 | 253 | fremovexattr | ||
1177 | 254 | lremovexattr | ||
1178 | 255 | |||
1179 | 256 | rename | ||
1180 | 257 | renameat | ||
1181 | 258 | renameat2 | ||
1182 | 259 | |||
1183 | 260 | # The man page says this shouldn't be needed, but we've seen denials for it | ||
1184 | 261 | # in the wild | ||
1185 | 262 | restart_syscall | ||
1186 | 263 | |||
1187 | 264 | rmdir | ||
1188 | 265 | rt_sigaction | ||
1189 | 266 | rt_sigpending | ||
1190 | 267 | rt_sigprocmask | ||
1191 | 268 | rt_sigqueueinfo | ||
1192 | 269 | rt_sigreturn | ||
1193 | 270 | rt_sigsuspend | ||
1194 | 271 | rt_sigtimedwait | ||
1195 | 272 | rt_tgsigqueueinfo | ||
1196 | 273 | sched_getaffinity | ||
1197 | 274 | sched_getattr | ||
1198 | 275 | sched_getparam | ||
1199 | 276 | sched_get_priority_max | ||
1200 | 277 | sched_get_priority_min | ||
1201 | 278 | sched_getscheduler | ||
1202 | 279 | sched_rr_get_interval | ||
1203 | 280 | # LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the | ||
1204 | 281 | # app may only change its own scheduler | ||
1205 | 282 | sched_setscheduler | ||
1206 | 283 | |||
1207 | 284 | sched_yield | ||
1208 | 285 | |||
1209 | 286 | select | ||
1210 | 287 | _newselect | ||
1211 | 288 | pselect | ||
1212 | 289 | pselect6 | ||
1213 | 290 | |||
1214 | 291 | semctl | ||
1215 | 292 | semget | ||
1216 | 293 | semop | ||
1217 | 294 | semtimedop | ||
1218 | 295 | sendfile | ||
1219 | 296 | sendfile64 | ||
1220 | 297 | |||
1221 | 298 | # snappy doesn't currently support per-app UID/GIDs so don't allow this family | ||
1222 | 299 | # of syscalls. To properly support these, we need to have syscall arg filtering | ||
1223 | 300 | # (LP: #1446748) and per-app UID/GIDs. | ||
1224 | 301 | #setgid | ||
1225 | 302 | #setgid32 | ||
1226 | 303 | #setgroups | ||
1227 | 304 | #setgroups32 | ||
1228 | 305 | #setregid | ||
1229 | 306 | #setregid32 | ||
1230 | 307 | #setresgid | ||
1231 | 308 | #setresgid32 | ||
1232 | 309 | #setresuid | ||
1233 | 310 | #setresuid32 | ||
1234 | 311 | #setreuid | ||
1235 | 312 | #setreuid32 | ||
1236 | 313 | #setuid | ||
1237 | 314 | #setuid32 | ||
1238 | 315 | |||
1239 | 316 | # These break isolation but are common and can't be mediated at the seccomp | ||
1240 | 317 | # level with arg filtering | ||
1241 | 318 | setpgid | ||
1242 | 319 | setpgrp | ||
1243 | 320 | |||
1244 | 321 | set_thread_area | ||
1245 | 322 | setitimer | ||
1246 | 323 | |||
1247 | 324 | # apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard | ||
1248 | 325 | # limits | ||
1249 | 326 | setrlimit | ||
1250 | 327 | prlimit64 | ||
1251 | 328 | |||
1252 | 329 | set_mempolicy | ||
1253 | 330 | set_robust_list | ||
1254 | 331 | setsid | ||
1255 | 332 | set_tid_address | ||
1256 | 333 | |||
1257 | 334 | setxattr | ||
1258 | 335 | fsetxattr | ||
1259 | 336 | lsetxattr | ||
1260 | 337 | |||
1261 | 338 | shmat | ||
1262 | 339 | shmctl | ||
1263 | 340 | shmdt | ||
1264 | 341 | shmget | ||
1265 | 342 | signal | ||
1266 | 343 | sigaction | ||
1267 | 344 | signalfd | ||
1268 | 345 | signalfd4 | ||
1269 | 346 | sigaltstack | ||
1270 | 347 | sigpending | ||
1271 | 348 | sigprocmask | ||
1272 | 349 | sigreturn | ||
1273 | 350 | sigsuspend | ||
1274 | 351 | sigtimedwait | ||
1275 | 352 | sigwaitinfo | ||
1276 | 353 | |||
1277 | 354 | # Per man page, on Linux this is limited to only AF_UNIX so it is ok to have | ||
1278 | 355 | # in the default template | ||
1279 | 356 | socketpair | ||
1280 | 357 | |||
1281 | 358 | splice | ||
1282 | 359 | |||
1283 | 360 | stat | ||
1284 | 361 | stat64 | ||
1285 | 362 | fstat | ||
1286 | 363 | fstat64 | ||
1287 | 364 | fstatat64 | ||
1288 | 365 | lstat | ||
1289 | 366 | newfstatat | ||
1290 | 367 | oldfstat | ||
1291 | 368 | oldlstat | ||
1292 | 369 | oldstat | ||
1293 | 370 | |||
1294 | 371 | statfs | ||
1295 | 372 | statfs64 | ||
1296 | 373 | fstatfs | ||
1297 | 374 | fstatfs64 | ||
1298 | 375 | statvfs | ||
1299 | 376 | fstatvfs | ||
1300 | 377 | ustat | ||
1301 | 378 | |||
1302 | 379 | symlink | ||
1303 | 380 | symlinkat | ||
1304 | 381 | |||
1305 | 382 | sync | ||
1306 | 383 | sync_file_range | ||
1307 | 384 | sync_file_range2 | ||
1308 | 385 | arm_sync_file_range | ||
1309 | 386 | fdatasync | ||
1310 | 387 | fsync | ||
1311 | 388 | syncfs | ||
1312 | 389 | sysinfo | ||
1313 | 390 | syslog | ||
1314 | 391 | tee | ||
1315 | 392 | tgkill | ||
1316 | 393 | time | ||
1317 | 394 | timer_create | ||
1318 | 395 | timer_delete | ||
1319 | 396 | timer_getoverrun | ||
1320 | 397 | timer_gettime | ||
1321 | 398 | timer_settime | ||
1322 | 399 | timerfd_create | ||
1323 | 400 | timerfd_gettime | ||
1324 | 401 | timerfd_settime | ||
1325 | 402 | times | ||
1326 | 403 | tkill | ||
1327 | 404 | |||
1328 | 405 | truncate | ||
1329 | 406 | truncate64 | ||
1330 | 407 | ftruncate | ||
1331 | 408 | ftruncate64 | ||
1332 | 409 | |||
1333 | 410 | umask | ||
1334 | 411 | |||
1335 | 412 | uname | ||
1336 | 413 | olduname | ||
1337 | 414 | oldolduname | ||
1338 | 415 | |||
1339 | 416 | unlink | ||
1340 | 417 | unlinkat | ||
1341 | 418 | |||
1342 | 419 | utime | ||
1343 | 420 | utimensat | ||
1344 | 421 | utimes | ||
1345 | 422 | futimesat | ||
1346 | 423 | |||
1347 | 424 | vfork | ||
1348 | 425 | vmsplice | ||
1349 | 426 | wait4 | ||
1350 | 427 | oldwait4 | ||
1351 | 428 | waitpid | ||
1352 | 429 | waitid | ||
1353 | 430 | |||
1354 | 431 | write | ||
1355 | 432 | writev | ||
1356 | 433 | pwrite | ||
1357 | 434 | pwrite64 | ||
1358 | 435 | pwritev | ||
1359 | 436 | |||
1360 | 437 | # Can communicate with DBus system service | ||
1361 | 438 | accept | ||
1362 | 439 | accept4 | ||
1363 | 440 | bind | ||
1364 | 441 | connect | ||
1365 | 442 | getpeername | ||
1366 | 443 | getsockname | ||
1367 | 444 | getsockopt | ||
1368 | 445 | listen | ||
1369 | 446 | recv | ||
1370 | 447 | recvfrom | ||
1371 | 448 | recvmmsg | ||
1372 | 449 | recvmsg | ||
1373 | 450 | send | ||
1374 | 451 | sendmmsg | ||
1375 | 452 | sendmsg | ||
1376 | 453 | sendto | ||
1377 | 454 | setsockopt | ||
1378 | 455 | shutdown | ||
1379 | 456 | socketpair | ||
1380 | 457 | socket | ||
1381 | 458 | 0 | ||
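Review bot: the deleted policy recorded several deliberate decisions (the EXPLICITLY DENY block for kexec_load, the module syscalls, ptrace, mknod/mknodat, mount/umount and the keyring calls, plus the commented-out chown and setuid families pending LP: #1446748) that now exist only in the ubuntu-core bluez interface; since obexd and bluetoothd will share one seccomp policy from that interface, verify its list still covers the socket calls in the `# Can communicate with DBus system service` group that obexd depends on. Minor: `socketpair` was listed twice here (once under the AF_UNIX comment and again in the socket group), which is moot once the file is gone.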
1382 | === modified file 'parts/plugins/x-autotools.py' | |||
1383 | --- parts/plugins/x-autotools.py 2016-04-20 17:42:41 +0000 | |||
1384 | +++ parts/plugins/x-autotools.py 2016-04-20 17:42:41 +0000 | |||
1385 | @@ -72,8 +72,8 @@ | |||
1386 | 72 | 72 | ||
1387 | 73 | return schema | 73 | return schema |
1388 | 74 | 74 | ||
1391 | 75 | def __init__(self, name, options): | 75 | def __init__(self, name, options, project): |
1392 | 76 | super().__init__(name, options) | 76 | super().__init__(name, options, project) |
1393 | 77 | self.build_packages.extend([ | 77 | self.build_packages.extend([ |
1394 | 78 | 'autoconf', | 78 | 'autoconf', |
1395 | 79 | 'automake', | 79 | 'automake', |
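Review bot: the added `project` argument in `def __init__(self, name, options, project):` and the matching `super().__init__(name, options, project)` tie this local x-autotools plugin to a snapcraft release whose plugin base class takes three constructor arguments; on older snapcraft the call will raise a TypeError at plugin construction. A one-line comment above `__init__` naming the minimum snapcraft version would save the next person a bisect.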
1396 | @@ -126,5 +126,5 @@ | |||
1397 | 126 | 126 | ||
1398 | 127 | self.run(configure_command + self.options.configflags) | 127 | self.run(configure_command + self.options.configflags) |
1399 | 128 | self.run(['make', '-j{}'.format( | 128 | self.run(['make', '-j{}'.format( |
1401 | 129 | snapcraft.common.get_parallel_build_count())]) | 129 | self.project.parallel_build_count)]) |
1402 | 130 | self.run(make_install_command) | 130 | self.run(make_install_command) |
1403 | 131 | 131 | ||
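Review bot: with `snapcraft.common.get_parallel_build_count()` replaced by `self.project.parallel_build_count`, check whether `snapcraft.common` is still referenced anywhere else in this file; if it is not, the import at the top becomes dead and should be removed in the same change so the plugin does not carry an unused dependency on that module.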
1404 | === modified file 'snapcraft.yaml' | |||
1405 | --- snapcraft.yaml 2016-04-20 17:42:41 +0000 | |||
1406 | +++ snapcraft.yaml 2016-04-20 17:42:41 +0000 | |||
1407 | @@ -9,32 +9,24 @@ | |||
1408 | 9 | apps: | 9 | apps: |
1409 | 10 | bluetoothctl: | 10 | bluetoothctl: |
1410 | 11 | command: usr/bin/bluetoothctl | 11 | command: usr/bin/bluetoothctl |
1412 | 12 | uses: [bluez-client] | 12 | plugs: [client] |
1413 | 13 | obexctl: | 13 | obexctl: |
1414 | 14 | command: usr/bin/obexctl | 14 | command: usr/bin/obexctl |
1416 | 15 | uses: [bluez-client] | 15 | plugs: [client] |
1417 | 16 | bluez: | 16 | bluez: |
1418 | 17 | command: "usr/lib/bluetooth/bluetoothd -E" | 17 | command: "usr/lib/bluetooth/bluetoothd -E" |
1419 | 18 | daemon: simple | 18 | daemon: simple |
1421 | 19 | uses: [bluez-service] | 19 | slots: [service] |
1422 | 20 | obex: | 20 | obex: |
1423 | 21 | command: "usr/lib/bluetooth/obexd" | 21 | command: "usr/lib/bluetooth/obexd" |
1424 | 22 | daemon: simple | 22 | daemon: simple |
1440 | 23 | uses: [obex-service] | 23 | slots: [service] |
1441 | 24 | uses: | 24 | plugs: |
1442 | 25 | bluez-client: | 25 | client: |
1443 | 26 | type: migration-skill | 26 | interface: bluez |
1444 | 27 | caps: [bluez_client] | 27 | slots: |
1445 | 28 | bluez-service: | 28 | service: |
1446 | 29 | type: migration-skill | 29 | interface: bluez |
1432 | 30 | security-policy: | ||
1433 | 31 | apparmor: bluez.apparmor | ||
1434 | 32 | seccomp: bluez.seccomp | ||
1435 | 33 | obex-service: | ||
1436 | 34 | type: migration-skill | ||
1437 | 35 | security-policy: | ||
1438 | 36 | apparmor: obex.apparmor | ||
1439 | 37 | seccomp: obex.seccomp | ||
1447 | 38 | 30 | ||
1448 | 39 | parts: | 31 | parts: |
1449 | 40 | bluez: | 32 | bluez: |
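Review bot: both daemons (`bluez` and `obex`) now attach to the single `service` slot and both CLIs to the single `client` plug, whereas previously `obex-service` carried its own apparmor/seccomp pair; that consolidation is fine as a design choice but it means obexd's confinement is now exactly bluetoothd's, which is worth stating in the commit message. Since the description says the interface only exists in a not-yet-merged fixes branch, a comment beside `interface: bluez` recording the ubuntu-core revision required would help anyone building this snap before that lands.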
1450 | @@ -74,7 +66,5 @@ | |||
1451 | 74 | dbus-configuration: | 66 | dbus-configuration: |
1452 | 75 | plugin: copy | 67 | plugin: copy |
1453 | 76 | files: | 68 | files: |
1454 | 77 | conf/bluez-dbus.conf: conf/bluez-dbus.conf | ||
1455 | 78 | meta/framework-policy: meta/framework-policy | ||
1456 | 79 | copyright: usr/share/doc/bluez/copyright | 69 | copyright: usr/share/doc/bluez/copyright |
1457 | 80 | doc/overview.md: usr/share/doc/bluez/overview.md | 70 | doc/overview.md: usr/share/doc/bluez/overview.md |
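Review bot: `conf/bluez-dbus.conf` is dropped from the copy list together with `meta/framework-policy`; if that file carried the system-bus policy allowing the daemons to own their org.bluez names under the migration-skill setup, confirm that the bluez interface (or the core image) now provides an equivalent D-Bus policy, and remove the now-unreferenced `conf/bluez-dbus.conf` from the tree if nothing else consumes it, as was done for the policy files in revision 47.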
Left one naming related comment inline but otherwise LGTM