Merge lp:~sdeziel/apparmor/wireshark-refresh into lp:apparmor/2.12

Proposed by Simon Déziel
Status: Merged
Merged at revision: 3728
Proposed branch: lp:~sdeziel/apparmor/wireshark-refresh
Merge into: lp:apparmor/2.12
Diff against target: 76 lines (+43/-6)
1 file modified
profiles/apparmor/profiles/extras/usr.bin.wireshark (+43/-6)
To merge this branch: bzr merge lp:~sdeziel/apparmor/wireshark-refresh
Reviewer: Steve Beattie (Status: Approve)
Review via email: mp+291820@code.launchpad.net

Description of the change

This refreshed profile was tested with Wireshark 2.0.2 (from Xenial). I only tested reading from pcaps. No capture testing was done because I feel this is best done with tcpdump, which is well protected by AppArmor anyway.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

It feels like the accessibility dbus rules may be better suited in an #include. What else will require these?

Otherwise looks good to me.

Thanks

Simon Déziel (sdeziel) wrote :

On 2016-04-13 05:50 PM, Seth Arnold wrote:
> It feels like the accessibility dbus rules may be better suited in an #include.

Or maybe abstractions/dbus-accessibility-strict is just too strict?

> What else will require these?

I copied it from Firefox. Locally I have the following profiles using
the "a11y" rules:

 usr.bin.firefox
 usr.bin.keepassx
 usr.bin.pidgin
 usr.bin.remmina
 usr.bin.vlc
 usr.bin.wireshark

Tyler Hicks (tyhicks) wrote :

On 2016-04-14 14:03:27, Simon Déziel wrote:
> On 2016-04-13 05:50 PM, Seth Arnold wrote:
> > It feels like the accessibility dbus rules may be better suited in an #include.
>
> Or maybe abstractions/dbus-accessibility-strict is just too strict?

dbus-accessibility-strict is for talking to dbus-daemon itself on the
accessibility bus.

dbus-accessibility is for doing any action on the accessibility bus.

Note that the rules you have are for talking to a service on the session
bus. I'm thinking that there should be an "accessibility-services" (or
maybe just "accessibility") abstraction which has the a11y rules and
also includes dbus-accessibility-strict?
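
One way to lay out the abstraction Tyler proposes, as an added example written here and not a file from the AppArmor project: a hypothetical `abstractions/accessibility` (the file name is an assumption) that collects the a11y rules from this merge proposal's diff and pulls in dbus-accessibility-strict, so that profiles such as usr.bin.wireshark or usr.bin.firefox carry one include line instead of repeating the four stanzas:

```apparmor
# vim:syntax=apparmor
# Hypothetical /etc/apparmor.d/abstractions/accessibility (added example,
# not part of the AppArmor tree). Collects the AT-SPI / a11y rules that
# several desktop profiles currently copy from usr.bin.firefox.

  # Rules for talking to dbus-daemon itself on the accessibility bus
  # (Hello, AddMatch, ...); this does not grant access to any peer service.
  #include <abstractions/dbus-accessibility-strict>

  # Ask the a11y launcher on the session bus for the accessibility bus address.
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),

  # Accept AT-SPI events and method calls delivered over the session bus.
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,

  # Full send/receive on the accessibility bus itself (any peer, any interface).
  dbus (receive, send)
       bus=accessibility,
```

A profile would then replace the a11y stanzas with a single `#include <abstractions/accessibility>`. Note that the last rule allows any send or receive on the accessibility bus with no peer or interface restriction, which is the broad grant Tyler describes dbus-accessibility as providing; a tighter abstraction could scope it to the org.a11y.atspi interfaces the way the session-bus receive rule already does.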

Jamie Strandboge (jdstrand) wrote :

@Tyler, this makes sense to me. The accessibility rules are not well defined at all and could use a lot of love.

intrigeri (intrigeri) wrote :

Seth, Jamie, Tyler: thanks for the reviews and the forward-looking thinking. It's not clear to me what's a blocker or not. Are you blocking on a big refactoring of the accessibility rules before this MR gets merged? I'm not sure it would be fair to expect Simon to do this work right now :) How about we track the refactoring proposal on a new bug and not block on it here?

Steve Beattie (sbeattie) wrote :

intrigeri: I agree, we should probably not block this merge request on an accessibility abstraction cleanup. I have filed https://bugs.launchpad.net/apparmor/+bug/1727887 to capture that request.

Otherwise, LGTM. I'll merge it in.

review: Approve

Preview Diff

1=== modified file 'profiles/apparmor/profiles/extras/usr.bin.wireshark'
2--- profiles/apparmor/profiles/extras/usr.bin.wireshark 2010-12-20 20:29:10 +0000
3+++ profiles/apparmor/profiles/extras/usr.bin.wireshark 2016-04-13 20:56:30 +0000
4@@ -16,29 +16,66 @@
5 #include <abstractions/base>
6 #include <abstractions/bash>
7 #include <abstractions/consoles>
8+ #include <abstractions/dconf>
9+ #include <abstractions/dbus-session-strict>
10+ #include <abstractions/ibus>
11 #include <abstractions/kde>
12 #include <abstractions/nameservice>
13 #include <abstractions/gnome>
14 #include <abstractions/user-write>
15 #include <abstractions/X>
16
17+ #include <abstractions/dbus-accessibility-strict>
18+ dbus (send)
19+ bus=session
20+ peer=(name=org.a11y.Bus),
21+ dbus (receive)
22+ bus=session
23+ interface=org.a11y.atspi**,
24+ dbus (receive, send)
25+ bus=accessibility,
26+
27 capability net_raw,
28
29+ # From abstractions/evince
30+ deny /run/udev/data/** r,
31+
32 /etc/ethers r,
33-
34- @{HOME}/.wireshark/* rw,
35- @{HOME}/.fonts.cache-* r,
36+ /etc/udev/udev.conf r,
37+ /etc/wireshark/** r,
38+
39+ owner @{HOME}/.wireshark/* rw,
40+ owner @{HOME}/.config/wireshark/* rw,
41+ owner @{HOME}/.config/QtProject.conf rw,
42+ owner @{HOME}/.config/QtProject.conf.lock rw,
43+ owner @{HOME}/.fonts.cache-* r,
44+
45+ owner @{HOME}/.config/dconf/user w,
46+ owner /{,var/}run/user/*/dconf/user w,
47+ owner @{PROC}/@{pid}/cmdline r,
48+ owner @{PROC}/@{pid}/fd/ r,
49+ @{PROC}/@{pid}/net/dev r,
50+ /sys/devices/pci[0-9]*/**/uevent r,
51
52 /etc/pango/pango.modules r,
53 /usr/lib/gtk-*/*/loaders/* mr,
54- /usr/share/* r,
55- /usr/share/icons/** r,
56+ /usr/share/icons/ r,
57+ /usr/share/icons/** rk,
58+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
59 /usr/share/mime/* r,
60 /usr/lib/firefox/firefox.sh rPx,
61 /usr/bin/wireshark mixr,
62- /usr/share/icons r,
63 /usr/share/mime/* r,
64 /usr/share/snmp/mibs r,
65 /usr/share/snmp/mibs/* r,
66 /usr/share/snmp/mibs/.index rw,
67+ /usr/share/wireshark/** r,
68+ /usr/share/GeoIP/ r,
69+ /usr/share/GeoIP/** r,
70+ /usr/lib/@{multiarch}/wireshark/extcap/* ix,
71+ /usr/lib/@{multiarch}/wireshark/plugins/**/ r,
72+ /usr/lib/@{multiarch}/wireshark/plugins/**.so mr,
73+
74+ # for reading pcaps
75+ /**.pcap r,
76 }
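
Review bot: the new `/**.pcap r,` rule at the end of the hunk matches only paths ending in `.pcap`, so capture files saved with Wireshark's own `.pcapng` extension (or `.cap`) would be denied even though the description names reading pcaps as the tested path; consider `/**.pcap{,ng} r,` or a comment stating why `.pcap` alone is intended. It is also the only new file rule in this hunk with neither an `owner` qualifier nor a `@{HOME}` prefix, so it permits reading any `.pcap` file on the filesystem that DAC allows; if that breadth is deliberate, extending the `# for reading pcaps` comment to say so would help the next reviewer. Separately, `/usr/lib/@{multiarch}/wireshark/extcap/* ix,` runs the extcap capture helpers under this same profile, which deserves a note beside the rule given that capture was explicitly not tested.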
