doc: initial preparation for re-attached path.

This commit is contained in:
Alexandre Pujol 2024-10-08 22:53:52 +01:00
parent cc47d8d557
commit 28706b2a78
2 changed files with 16 additions and 2 deletions


@ -151,7 +151,9 @@
@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
# Container path given to attach_disconnected.path=@{ct}@{profile_name}
@{ct}=/ct-
#aa:only abi3
# Attachment path for attach_disconnected.path flag.
# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3.
@{att}=/
# vim:syntax=apparmor
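Review bot: The `#aa:only abi3` marker is placed between the `@{ct}` definition and the comment block for `@{att}`, so it is not clear from the hunk which assignment it governs; the comment right after it says `@{att}` is "Disabled on ABI3", yet `@{att}=/` is then set unconditionally. Suggest moving the marker directly above the line it applies to, or rewording the comment to say that `@{att}=/` is the fallback value that the generated preamble overrides on ABI4. The two comment blocks also both describe their variable (`@{ct}` as "Container path given to attach_disconnected.path", `@{att}` as "Attachment path for attach_disconnected.path flag") as the value handed to the same flag; state which one is actually used, or how `@{ct}` and `@{att}` relate, so the tunable that controls the re-attachment prefix is unambiguous.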


@ -157,6 +157,18 @@ It is recommended to transition [in a subprofile](abstractions.md#appsystemctl)
All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and
[`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path.
## Re-attached path
The flag `attach_disconnect` control how disconnected paths are handled. It determines if pathnames resolved to be outside the namespace are attached to the root (ie. have the `/` character prepended).
It is a security issue as it allows disconnected paths to alias to other files that exist in the file name. Therefore, it is only provided to work around problems that can arise with sandboxed programs.
AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provide an important security improvement from AppArmor 3.0.
**`apparmor.d`** uses `attach_disconnect.path` by **default and automatically** on all profiles with the `attach_disconnect` flag. The attached path is set to `@{att}` a new dynamically generated variable set at build time in the preamble of all profile to be:
- `@{att}=/att/<profile_name>` for profile with `attach_disconnect` flag.
- `@{att}=/` for other profiles
## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)")
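Review bot: The flag is spelled `attach_disconnect` and `attach_disconnect.path` throughout this section, while the tunables file changed in the same commit names it `attach_disconnected.path`; the two need to agree or readers will copy a flag name that does not match the policy. The doc also states that `@{att}` is used "by default and automatically on all profiles", but the tunables comment says the mechanism is "Disabled on ABI3" with `@{att}=/` as the value; that caveat belongs here too, since on ABI3 the re-attachment prefix falls back to `/`, which is exactly the aliasing case the paragraph calls a security issue. Minor wording: "AppAmor 4.0" should be "AppArmor 4.0", "control how" should be "controls how", "ie." should be "i.e.", "all profile" and "for profile with" should be plural, and "files that exist in the file name" reads as if "namespace" was dropped. Lastly, the bullet list runs straight into the following `##` heading with no blank line, which some Markdown renderers fold into the list.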