2011-04-18 18:09:29 -07:00
|
|
|
apparmor-*
|
2010-06-04 18:39:20 -07:00
|
|
|
parser/po/*.mo
|
|
|
|
parser/af_names.h
|
|
|
|
parser/cap_names.h
|
|
|
|
parser/tst_misc
|
|
|
|
parser/tst_regex
|
|
|
|
parser/tst_symtab
|
|
|
|
parser/tst_variable
|
2011-08-09 01:17:42 -07:00
|
|
|
parser/tst/simple_tests/generated_*/*
|
2010-06-04 18:39:20 -07:00
|
|
|
parser/parser_lex.c
|
|
|
|
parser/parser_version.h
|
|
|
|
parser/parser_yacc.c
|
|
|
|
parser/parser_yacc.h
|
|
|
|
parser/pod2htm*.tmp
|
|
|
|
parser/*.7
|
|
|
|
parser/*.5
|
|
|
|
parser/*.8
|
|
|
|
parser/*.7.html
|
|
|
|
parser/*.5.html
|
|
|
|
parser/*.8.html
|
|
|
|
parser/common
|
|
|
|
parser/apparmor_parser
|
|
|
|
parser/libapparmor_re/regexp.cc
|
|
|
|
parser/techdoc.aux
|
|
|
|
parser/techdoc.log
|
|
|
|
parser/techdoc.pdf
|
|
|
|
parser/techdoc.toc
|
2010-07-25 18:52:19 -07:00
|
|
|
libraries/libapparmor/Makefile
|
|
|
|
libraries/libapparmor/Makefile.in
|
|
|
|
libraries/libapparmor/aclocal.m4
|
|
|
|
libraries/libapparmor/audit.log
|
|
|
|
libraries/libapparmor/autom4te.cache
|
|
|
|
libraries/libapparmor/compile
|
|
|
|
libraries/libapparmor/config.guess
|
|
|
|
libraries/libapparmor/config.log
|
|
|
|
libraries/libapparmor/config.status
|
|
|
|
libraries/libapparmor/config.sub
|
|
|
|
libraries/libapparmor/configure
|
|
|
|
libraries/libapparmor/depcomp
|
|
|
|
libraries/libapparmor/install-sh
|
|
|
|
libraries/libapparmor/libtool
|
|
|
|
libraries/libapparmor/ltmain.sh
|
|
|
|
libraries/libapparmor/missing
|
|
|
|
libraries/libapparmor/ylwrap
|
|
|
|
libraries/libapparmor/doc/Makefile
|
|
|
|
libraries/libapparmor/doc/Makefile.in
|
2010-12-20 14:02:03 -08:00
|
|
|
libraries/libapparmor/doc/*.2
|
2010-07-25 18:52:19 -07:00
|
|
|
libraries/libapparmor/src/.deps
|
|
|
|
libraries/libapparmor/src/.libs
|
|
|
|
libraries/libapparmor/src/Makefile
|
|
|
|
libraries/libapparmor/src/Makefile.in
|
|
|
|
libraries/libapparmor/src/af_protos.h
|
|
|
|
libraries/libapparmor/src/change_hat.lo
|
|
|
|
libraries/libapparmor/src/grammar.lo
|
|
|
|
libraries/libapparmor/src/libaalogparse.lo
|
|
|
|
libraries/libapparmor/src/libimmunix_warning.lo
|
|
|
|
libraries/libapparmor/src/scanner.lo
|
|
|
|
libraries/libapparmor/src/libapparmor.la
|
|
|
|
libraries/libapparmor/src/libimmunix.la
|
|
|
|
libraries/libapparmor/src/grammar.c
|
|
|
|
libraries/libapparmor/src/grammar.h
|
|
|
|
libraries/libapparmor/src/scanner.c
|
|
|
|
libraries/libapparmor/src/scanner.h
|
|
|
|
libraries/libapparmor/src/tst_aalogmisc
|
|
|
|
libraries/libapparmor/swig/Makefile
|
|
|
|
libraries/libapparmor/swig/Makefile.in
|
|
|
|
libraries/libapparmor/swig/perl/LibAppArmor.bs
|
|
|
|
libraries/libapparmor/swig/perl/LibAppArmor.pm
|
|
|
|
libraries/libapparmor/swig/perl/Makefile
|
|
|
|
libraries/libapparmor/swig/perl/Makefile.PL
|
|
|
|
libraries/libapparmor/swig/perl/Makefile.in
|
|
|
|
libraries/libapparmor/swig/perl/Makefile.perl
|
|
|
|
libraries/libapparmor/swig/perl/blib
|
|
|
|
libraries/libapparmor/swig/perl/libapparmor_wrap.c
|
|
|
|
libraries/libapparmor/swig/perl/pm_to_blib
|
|
|
|
libraries/libapparmor/swig/python/Makefile
|
|
|
|
libraries/libapparmor/swig/python/Makefile.in
|
|
|
|
libraries/libapparmor/swig/python/setup.py
|
|
|
|
libraries/libapparmor/swig/ruby/Makefile
|
|
|
|
libraries/libapparmor/swig/ruby/Makefile.in
|
|
|
|
libraries/libapparmor/testsuite/.deps
|
|
|
|
libraries/libapparmor/testsuite/.libs
|
|
|
|
libraries/libapparmor/testsuite/Makefile
|
|
|
|
libraries/libapparmor/testsuite/Makefile.in
|
|
|
|
libraries/libapparmor/testsuite/libaalogparse.log
|
|
|
|
libraries/libapparmor/testsuite/libaalogparse.sum
|
|
|
|
libraries/libapparmor/testsuite/site.exp
|
|
|
|
libraries/libapparmor/testsuite/test_multi.multi
|
|
|
|
libraries/libapparmor/testsuite/config/Makefile
|
|
|
|
libraries/libapparmor/testsuite/config/Makefile.in
|
|
|
|
libraries/libapparmor/testsuite/lib/Makefile
|
|
|
|
libraries/libapparmor/testsuite/lib/Makefile.in
|
|
|
|
libraries/libapparmor/testsuite/libaalogparse.test/Makefile
|
|
|
|
libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
|
|
|
|
libraries/libapparmor/testsuite/test_multi/out
|
2010-07-25 18:59:58 -07:00
|
|
|
changehat/mod_apparmor/.libs
|
|
|
|
changehat/mod_apparmor/common
|
|
|
|
changehat/pam_apparmor/common
|
|
|
|
changehat/tomcat_apparmor/common
|
|
|
|
utils/common
|
2010-07-26 11:02:42 -07:00
|
|
|
utils/*.8
|
|
|
|
utils/*.8.html
|
|
|
|
utils/*.5
|
|
|
|
utils/*.5.html
|
|
|
|
utils/*.tmp
|
|
|
|
utils/po/*.mo
|
2010-07-26 09:26:26 -07:00
|
|
|
tests/regression/apparmor/access
|
|
|
|
tests/regression/apparmor/changehat
|
|
|
|
tests/regression/apparmor/changehat_fail
|
|
|
|
tests/regression/apparmor/changehat_fork
|
|
|
|
tests/regression/apparmor/changehat_misc
|
|
|
|
tests/regression/apparmor/changehat_misc2
|
|
|
|
tests/regression/apparmor/changehat_pthread
|
|
|
|
tests/regression/apparmor/changehat_twice
|
|
|
|
tests/regression/apparmor/changehat_wrapper
|
|
|
|
tests/regression/apparmor/changeprofile
|
|
|
|
tests/regression/apparmor/chdir
|
|
|
|
tests/regression/apparmor/chgrp
|
|
|
|
tests/regression/apparmor/chmod
|
|
|
|
tests/regression/apparmor/chown
|
|
|
|
tests/regression/apparmor/clone
|
|
|
|
tests/regression/apparmor/deleted
|
|
|
|
tests/regression/apparmor/env_check
|
|
|
|
tests/regression/apparmor/environ
|
|
|
|
tests/regression/apparmor/exec
|
|
|
|
tests/regression/apparmor/exec_qual
|
|
|
|
tests/regression/apparmor/exec_qual2
|
|
|
|
tests/regression/apparmor/fchdir
|
|
|
|
tests/regression/apparmor/fchgrp
|
|
|
|
tests/regression/apparmor/fchmod
|
|
|
|
tests/regression/apparmor/fchown
|
|
|
|
tests/regression/apparmor/fork
|
|
|
|
tests/regression/apparmor/link
|
|
|
|
tests/regression/apparmor/link_subset
|
|
|
|
tests/regression/apparmor/mkdir
|
|
|
|
tests/regression/apparmor/mmap
|
|
|
|
tests/regression/apparmor/mount
|
|
|
|
tests/regression/apparmor/named_pipe
|
|
|
|
tests/regression/apparmor/net_raw
|
|
|
|
tests/regression/apparmor/open
|
|
|
|
tests/regression/apparmor/openat
|
|
|
|
tests/regression/apparmor/pipe
|
|
|
|
tests/regression/apparmor/ptrace
|
|
|
|
tests/regression/apparmor/ptrace_helper
|
|
|
|
tests/regression/apparmor/pwrite
|
|
|
|
tests/regression/apparmor/readdir
|
|
|
|
tests/regression/apparmor/rename
|
|
|
|
tests/regression/apparmor/rw
|
|
|
|
tests/regression/apparmor/swap
|
|
|
|
tests/regression/apparmor/symlink
|
|
|
|
tests/regression/apparmor/syscall_chroot
|
|
|
|
tests/regression/apparmor/syscall_mknod
|
|
|
|
tests/regression/apparmor/syscall_mlockall
|
|
|
|
tests/regression/apparmor/syscall_ptrace
|
|
|
|
tests/regression/apparmor/syscall_reboot
|
|
|
|
tests/regression/apparmor/syscall_setdomainname
|
|
|
|
tests/regression/apparmor/syscall_sethostname
|
|
|
|
tests/regression/apparmor/syscall_setpriority
|
|
|
|
tests/regression/apparmor/syscall_setscheduler
|
|
|
|
tests/regression/apparmor/syscall_sysctl
|
|
|
|
tests/regression/apparmor/sysctl_proc
|
|
|
|
tests/regression/apparmor/tcp
|
|
|
|
tests/regression/apparmor/unix_fd_client
|
|
|
|
tests/regression/apparmor/unix_fd_server
|
|
|
|
tests/regression/apparmor/unlink
|
|
|
|
tests/regression/apparmor/xattrs
|
2010-07-26 10:55:00 -07:00
|
|
|
tests/regression/apparmor/coredump
|
Committing per IRC discussions. Does not update the Makefile to install it yet.
= How it works =
There are basically two modes:
1. using an existing profile with --profile
2. dynamically generating a profile
For '1', aa-sandbox is just a wrapper around aa-exec.
For '2', aa-sandbox leverages easyprof and allows you to specify policy
in a limited way on the command line. It then loads the policy into the
kernel as a profile (ie, 'profile <foo> { ... }') so it doesn't get in
the way of existing profiles. It currently calls apparmor_parser via
sudo or pkexec. Once the profile is loaded, aa-exec the application
under the profile.
When -X is specified, the application is launched inside its own X
server, which is one of xpra (the default, which uses Xvfb), xephyr or
xpra3d (xpra, but using Xorg with the xdummy[1] driver for now[2];
xpra3d doesn't currently perform well, but works ok with newer Gnome
applications that now require GLX). When using '-X', aa-sandbox:
- adds an explicit deny rule for ~/.Xauthority
- generates a dynamic Xauthority file for the session in
~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds an allow rule for ~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds checks that xhost is properly set up
- honors the --with-xauthority option which can be used with --profile
With the above, the :0.0 display should no longer be accessible. Eg:
$ ./aa-sandbox -t ~/sandbox-xterm -X /usr/bin/xterm
$ XAUTHORITY=~/.Xauthority DISPLAY=:0.0 xinput
No protocol specified
Unable to connect to X server
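This isolation only holds with a specifically configured xauth/xhost setup,
which is less common on modern distributions. Where access to the display is
granted by xhost rules rather than by the ~/.Xauthority cookie, denying
~/.Xauthority alone may not keep the sandboxed application off :0.0. The man
page details how to set this up.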
= Trying it out =
Apply the patch, then:
$ cd ./utils
# cli
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates --read-path=/proc/ /usr/bin/uptime
# 2d only
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/gedit
# 2d alternate (xephyr)
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/gedit
# 3d
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/glxgears
# With an existing profile:
$ ./aa-sandbox --profile=/usr/bin/evolution -X --with-xserver=xpra3d /usr/bin/evolution
= The Patch =
The patch itself is pretty self contained:
utils/aa-easyprof:
- adjusted to import optparse
utils/easyprof/templates/sandbox*
- add two new templates to easyprof
utils/apparmor/easyprof.py:
- use 'profile <foo>' if '<foo>' is not an absolute path
- adjust parser handling so we can reuse it
utils/aa-sandbox:
- small script to drive utils/apparmor/sandbox.py
utils/apparmor/common.py:
- the start of our python library. aa-easyprof would eventually use
this (along with the various rewrites), but for now, only the
sandboxing uses it.
utils/apparmor/sandbox.py:
- the sandboxing code itself. Of particular note is the use of classing
to support different X servers
utils/aa-sandbox.pod:
- the corresponding man page
= Improvements =
* don't use sudo
* make pulseaudio in xpra opt-in (currently it is off)
* take advantage of upstream's 3D patches when they stabilize
* investigate how applications can work with the Unity global menu
* surely lots more
[1]http://xpra.org/Xdummy.html
[2]http://xpra.org/trac/ticket/147
2013-01-14 09:11:58 -06:00
|
|
|
./utils/apparmor/__pycache__
|