author | Colin Watson <cjwatson@debian.org> | 2020-07-04 22:16:41 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2020-07-04 22:16:41 +0100 |
commit | 38e2b5f7dfb86488a834f04b720380802f620a0a (patch) | |
tree | c56184e3537a038e2a1dd58c4eb377a085d78551 /debian | |
parent | 75f2bee6b6b773653f010b61b8c0ac63cf55e5b1 (diff) |
AppArmor: Silently deny dac_override and dac_read_search capabilities
Closes: #962006
Diffstat (limited to 'debian')
-rw-r--r-- | debian/apparmor/usr.bin.man | 6 | ||||
-rw-r--r-- | debian/changelog | 7 |
2 files changed, 13 insertions, 0 deletions
diff --git a/debian/apparmor/usr.bin.man b/debian/apparmor/usr.bin.man
index b0160528..81ba10f4 100644
--- a/debian/apparmor/usr.bin.man
+++ b/debian/apparmor/usr.bin.man
@@ -39,6 +39,12 @@
 capability setuid,
 capability setgid,
+ # Ordinary permission checks sometimes involve checking whether the
+ # process has this capability, which can produce audit log messages.
+ # Silence them.
+ deny capability dac_override,
+ deny capability dac_read_search,
+
 signal peer=@{profile_name},
 signal peer=/usr/bin/man//&man_groff,
 signal peer=/usr/bin/man//&man_filter,
diff --git a/debian/changelog b/debian/changelog
index 0fa4986e..c94461f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+man-db (2.9.3-2) UNRELEASED; urgency=medium
+
+ * AppArmor: Silently deny dac_override and dac_read_search capabilities
+ (closes: #962006).
+
+ -- Colin Watson <cjwatson@debian.org> Sat, 04 Jul 2020 22:12:44 +0100
+
 man-db (2.9.3-1) unstable; urgency=medium
 * New upstream release. |
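Review bot: The added comment in the usr.bin.man hunk presents the two `deny capability` rules as noise suppression only, but a plain `deny` also drops the audit record for any genuine attempt by man to use dac_override or dac_read_search, which is worth stating for anyone who relies on those logs for detection. Judging by the visible context, which grants only setuid and setgid, both capabilities were presumably already refused implicitly, so the practical effect of the new lines is the loss of the log entry. In AppArmor an explicit deny also takes precedence over any allow rule, so a site-local include could not re-grant either capability. I would extend the comment with `# Already denied implicitly; the explicit deny only drops the audit record and cannot be overridden by an allow rule.` and change "this capability" to "these capabilities", since two are listed. The profile continues outside the hunk, so it is not visible whether the man_groff and man_filter sub-profiles named in the signal rules would still log the same denials.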