mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-13 15:56:46 +01:00
doc: initial preparation for re-attached path.
This commit is contained in:
parent
cc47d8d557
commit
28706b2a78
2 changed files with 16 additions and 2 deletions
|
@ -151,7 +151,9 @@
|
||||||
@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
|
@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
|
||||||
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
|
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
|
||||||
|
|
||||||
# Container path given to attach_disconnected.path=@{ct}@{profile_name}
|
#aa:only abi3
|
||||||
@{ct}=/ct-
|
# Attachment path for attach_disconnected.path flag.
|
||||||
|
# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3.
|
||||||
|
@{att}=/
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
|
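Review bot: removing `@{ct}=/ct-` without a replacement will break any profile or abstraction that still expands `@{ct}` (the old comment pointed them at `attach_disconnected.path=@{ct}@{profile_name}`); grep the tree for remaining `@{ct}` references before merging. The split rendering also leaves it unclear what the `#aa:only abi3` directive guards: if it is meant to keep the `@{att}=/` fallback only on ABI3 builds while ABI4 builds get the preamble-generated value, say so in the comment, e.g. "ABI3 fallback; ABI4 builds override this in the profile preamble", so a reader does not take `@{att}=/` as the value used everywhere.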
@ -157,6 +157,18 @@ It is recommended to transition [in a subprofile](abstractions.md#appsystemctl)
|
||||||
All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and
|
All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and
|
||||||
[`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path.
|
[`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path.
|
||||||
|
|
||||||
|
## Re-attached path
|
||||||
|
|
||||||
|
The flag `attach_disconnect` control how disconnected paths are handled. It determines if pathnames resolved to be outside the namespace are attached to the root (ie. have the `/` character prepended).
|
||||||
|
It is a security issue as it allows disconnected paths to alias to other files that exist in the file name. Therefore, it is only provided to work around problems that can arise with sandboxed programs.
|
||||||
|
|
||||||
|
AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provide an important security improvement from AppArmor 3.0.
|
||||||
|
|
||||||
|
**`apparmor.d`** uses `attach_disconnect.path` by **default and automatically** on all profiles with the `attach_disconnect` flag. The attached path is set to `@{att}` a new dynamically generated variable set at build time in the preamble of all profile to be:
|
||||||
|
|
||||||
|
- `@{att}=/att/<profile_name>` for profile with `attach_disconnect` flag.
|
||||||
|
- `@{att}=/` for other profiles
|
||||||
|
|
||||||
|
|
||||||
## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)")
|
## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)")
|
||||||
|
|
||||||
|
|
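Review bot: the flag is spelled `attach_disconnect` / `attach_disconnect.path` throughout this section, while the tunable comment in the other file uses `attach_disconnected.path`; AppArmor's flag names are `attach_disconnected` and `attach_disconnected.path`, so the doc should use those. Also fix `AppAmor` to `AppArmor`, `control how` to `controls how`, and `alias to other files that exist in the file name` (presumably "in the namespace"). Since the tunable sets `@{att}=/` as the ABI3 value, the list should state that the `/att/<profile_name>` prefix is only generated on ABI4 builds and that on ABI3 the attached path falls back to `/`, otherwise readers will assume the improvement applies on every build.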