From 99f7e0210ab3224a36f66a63a19fe5aaa91b1cce Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Tue, 7 Jul 2020 00:08:14 +0200
Subject: [PATCH] committing changes in /etc after apt run

Package changes:
-libc-bin 2.27-3ubuntu1 amd64
-libc-dev-bin 2.27-3ubuntu1 amd64
-libc6 2.27-3ubuntu1 amd64
-libc6 2.27-3ubuntu1 i386
-libc6-dbg 2.27-3ubuntu1 amd64
-libc6-dev 2.27-3ubuntu1 amd64
+libc-bin 2.27-3ubuntu1.2 amd64
+libc-dev-bin 2.27-3ubuntu1.2 amd64
+libc6 2.27-3ubuntu1.2 amd64
+libc6 2.27-3ubuntu1.2 i386
+libc6-dbg 2.27-3ubuntu1.2 amd64
+libc6-dev 2.27-3ubuntu1.2 amd64
-libnss3 2:3.35-2ubuntu2.8 amd64
+libnss3 2:3.35-2ubuntu2.9 amd64
-libopenexr22 2.2.0-11.1ubuntu1.2 amd64
+libopenexr22 2.2.0-11.1ubuntu1.3 amd64
-linux-base 4.5ubuntu1.1 all
+linux-base 4.5ubuntu1.2 all
-locales 2.27-3ubuntu1 all
+locales 2.27-3ubuntu1.2 all
-multiarch-support 2.27-3ubuntu1 amd64
+multiarch-support 2.27-3ubuntu1.2 amd64
-snapd 2.42.1+18.04 amd64
+snapd 2.45.1+18.04 amd64
---
 .etckeeper | 1 +
 apparmor.d/usr.lib.snapd.snap-confine.real | 86 ++++++++++++++-----
 sudoers.d/99-snapd.conf | 3 +
 .../snapd.apparmor.service | 1 +
 .../snapd.recovery-chooser-trigger.service | 1 +
 5 files changed, 70 insertions(+), 22 deletions(-)
 create mode 100644 sudoers.d/99-snapd.conf
 create mode 120000 systemd/system/multi-user.target.wants/snapd.apparmor.service
 create mode 120000 systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service

diff --git a/.etckeeper b/.etckeeper
index 359f836..3551cf5 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -2873,6 +2873,7 @@ maybe chmod 0644 'subuid-'
 maybe chmod 0440 'sudoers'
 maybe chmod 0755 'sudoers.d'
 maybe chmod 0440 'sudoers.d/0pwfeedback'
+maybe chmod 0440 'sudoers.d/99-snapd.conf'
 maybe chmod 0440 'sudoers.d/README'
 maybe chmod 0440 'sudoers.d/ctdb'
 maybe chmod 0440 'sudoers.d/mintupdate'
diff --git a/apparmor.d/usr.lib.snapd.snap-confine.real b/apparmor.d/usr.lib.snapd.snap-confine.real
index 8894343..86fe1a1 100644
--- a/apparmor.d/usr.lib.snapd.snap-confine.real
+++ b/apparmor.d/usr.lib.snapd.snap-confine.real
@@ -14,24 +14,24 @@
 # any abstractions
 /etc/ld.so.cache r,
 /etc/ld.so.preload r,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
 # libc, you are funny
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
 # normal libs in order
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
@@ -56,25 +56,24 @@
 capability dac_read_search,
 capability dac_override,
 /sys/fs/cgroup/devices/snap{,py}.*/ w,
- /sys/fs/cgroup/devices/snap{,py}.*/tasks w,
+ /sys/fs/cgroup/devices/snap{,py}.*/cgroup.procs w,
 /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,
 
 # cgroup: freezer
 # Allow creating per-snap cgroup freezers and adding snap command (task)
 # invocations to the freezer. This allows for reliably enumerating all
- # running tasks for the snap. In addition, allow enumerating processes in
- # the cgroup to determine if it is occupied.
+ # running processes for the snap. In addition, allow enumerating processes
+ # in the cgroup to determine if it is occupied.
 /sys/fs/cgroup/freezer/ r,
 /sys/fs/cgroup/freezer/snap.*/ w,
- /sys/fs/cgroup/freezer/snap.*/tasks w,
- /sys/fs/cgroup/freezer/snap.*/cgroup.procs r,
+ /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,
 
 # cgroup: pids
 # allow creating per snap-security-tag hierarchy and adding snap command (task)
 # invocations to the controller.
 /sys/fs/cgroup/pids/ r,
 /sys/fs/cgroup/pids/snap.*/ w,
- /sys/fs/cgroup/pids/snap.*/tasks w,
+ /sys/fs/cgroup/pids/snap.*/cgroup.procs w,
 
 # querying udev
 /etc/udev/udev.conf r,
@@ -131,9 +130,11 @@
 # reading seccomp filters
 /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
 
- # LP: #1668659
+ # LP: #1668659 and parallel instaces of classic snaps
 mount options=(rw rbind) /snap/ -> /snap/,
 mount options=(rw rshared) -> /snap/,
+ mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
+ mount options=(rw rshared) -> /var/lib/snapd/snap/,
 
 # boostrapping the mount namespace
 mount options=(rw rshared) -> /,
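Review bot: The new comment line `# LP: #1668659 and parallel instaces of classic snaps` in the second hunk (@@ -131,9 +130,11 @@) misspells "instances". This profile is shipped by the snapd package, so a local edit would be overwritten on the next upgrade; the correction (`# LP: #1668659 and parallel instances of classic snaps`) belongs upstream. The two added rbind/rshared rules for /var/lib/snapd/snap/ mirror the existing /snap/ pair directly above them and look consistent.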
@@ -175,6 +176,9 @@
 mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
 mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,
 
+ mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/,
+ mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/,
+
 mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
 mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,
 
@@ -232,8 +236,17 @@
 # pivot_root preparation and execution
 mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
 mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
- # pivot_root mediation in AppArmor is not complete. See LP: #1791711
- pivot_root,
+
+ # pivot_root mediation in AppArmor is not complete. See LP: #1791711.
+ # However, we can mediate the new_root and put_old to be what we expect,
+ # and then deny directory creation within old_root to prevent trivial
+ # pivoting into a whitelisted path.
+ pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
+ # Explicitly deny creating the old_root directory in case it is
+ # inadvertently added somewhere else. While this doesn't resolve
+ # LP: #1791711, it provides some hardening.
+ audit deny /tmp/snap.rootfs_*/{var/,var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,
+
 # cleanup
 umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
 umount /var/lib/snapd/hostfs/sys/,
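Review bot: The `audit deny ... w,` rule added just before `# cleanup` in the second hunk (@@ -232,8 +236,17 @@) is worth treating as a detection hook, not only as hardening: the `audit` qualifier logs every rejected write to those four path components, and per the comment above it such a write is never expected in normal snap-confine operation, so a matching AppArmor DENIED line is a high-signal event. The comment only describes the hardening intent; suggest adding `# Any denial logged for these paths is unexpected and should be investigated.` so that whoever tunes log filtering does not suppress it. The restriction is otherwise consistent with the new `pivot_root oldroot=... /tmp/snap.rootfs_*/,` rule, which pins put_old and new_root to the bind mount set up in the context lines above.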
@@ -241,9 +254,20 @@
 umount /var/lib/snapd/hostfs/proc/,
 mount options=(rw rslave) -> /var/lib/snapd/hostfs/,
 
+ # Hide /writable from view of snaps.
+ mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/,
+ umount /{,var/lib/snapd/hostfs/}writable/,
+
 # set up user mount namespace
 mount options=(rslave) -> /,
 
+ # set up mount namespace for parallel instances of classic snaps
+ mount options=(rw rbind) /snap/{,*/} -> /snap/{,*/},
+ mount options=(rslave) -> /snap/,
+ mount options=(rslave) -> /var/snap/,
+ mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
+ mount options=(rw rshared) -> /var/snap/,
+
 # Allow reading the os-release file (possibly a symlink to /usr/lib).
 /{etc/,usr/lib/}os-release r,
 
@@ -419,15 +443,15 @@
 # We run privileged, so be fanatical about what we include and don't use
 # any abstractions
 /etc/ld.so.cache r,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
 # libc, you are funny
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
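Review bot: In the second hunk (@@ -419,15 +443,15 @@) the `libpcre.so* mr,` line is left untouched as context, while the identical library list at the top of the profile (hunk @@ -14,24 +14,24 @@) was widened to `libpcre{,2}{,-[0-9]*}.so* mr,`; both lists received the same `{,atomics/}` edits otherwise, so the omission looks unintentional rather than deliberate. It only bites if libselinux on this host is linked against libpcre2, in which case the second section would fail to load that library and an AppArmor DENIED line for a `libpcre2-*.so` path would appear. Checking `ldd` output for libselinux.so.1 after the upgrade settles it; if libpcre2 shows up, the same `libpcre{,2}{,-[0-9]*}.so* mr,` line is needed here as well.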
@@ -436,7 +460,7 @@
 # normal libs in order
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
@@ -531,4 +555,22 @@
 # Allow mounting /var/lib/jenkins from the host into the snap.
 mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
 mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,
+
+ # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
+ # fixed.
+ deny /dev/shm/.org.chromium.Chromium.* rw,
+
+ # While snap-confine itself doesn't require unix rules and therefore all
+ # unix rules are implicitly denied, adding an explicit deny for unix to
+ # silence noisy denials breaks nested lxd. Until the cause is determined,
+ # do not use an explicit deny for unix. (LP: #1855355)
+ #deny unix,
+
+ # Explicitly deny these accesses which show up on Arch to silence the
+ # denials for this unneeded access.
+ deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
+ deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr,
+ deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr,
+ deny /etc/nsswitch.conf r,
+ deny /etc/passwd r,
 }
diff --git a/sudoers.d/99-snapd.conf b/sudoers.d/99-snapd.conf
new file mode 100644
index 0000000..2b03d48
--- /dev/null
+++ b/sudoers.d/99-snapd.conf
@@ -0,0 +1,3 @@
+# Allow snap-provided applications to work with sudo
+
+Defaults secure_path += /snap/bin
diff --git a/systemd/system/multi-user.target.wants/snapd.apparmor.service b/systemd/system/multi-user.target.wants/snapd.apparmor.service
new file mode 120000
index 0000000..93661da
--- /dev/null
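Review bot: `Defaults secure_path += /snap/bin` in the new sudoers.d/99-snapd.conf changes the PATH that every sudo invocation on this host resolves commands from, so any executable a snap exposes under /snap/bin becomes reachable by bare name as root; that consequence is not stated by the one-line comment above it. Because `+=` appends rather than prepends, existing system directories still shadow same-named snap commands, which is the safe order, and the `maybe chmod 0440 'sudoers.d/99-snapd.conf'` recorded in the .etckeeper hunk matches the mode sudo requires for drop-ins. Suggest the comment say so: `# Appended (not prepended) so system binaries keep precedence over /snap/bin under sudo`. As a malformed drop-in disables sudo for every user, `visudo -cf sudoers.d/99-snapd.conf` after the upgrade is a cheap confirmation that the file parses.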
+++ b/systemd/system/multi-user.target.wants/snapd.apparmor.service
@@ -0,0 +1 @@
+/lib/systemd/system/snapd.apparmor.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service b/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service
new file mode 120000
index 0000000..ea555fd
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service
@@ -0,0 +1 @@
+/lib/systemd/system/snapd.recovery-chooser-trigger.service
\ No newline at end of file
-- 
2.39.5