From 65c84071bb7949d5205790be1f016d1accf2d213 Mon Sep 17 00:00:00 2001 From: Ryan Lee Date: Wed, 28 Aug 2024 11:22:08 -0700 Subject: [PATCH] Replace 'scrub the environment' wording in man pages with something more accurate Signed-off-by: Ryan Lee --- parser/apparmor.d.pod | 64 +++++++++++++++++++++---------------------- parser/apparmor.pod | 4 +-- 2 files changed, 34 insertions(+), 34 deletions(-) diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index 6624bb587..74da030cd 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -604,7 +604,7 @@ modes: =item B -- unconfined execute -- scrub the environment +- unconfined execute -- use ld.so(8) secure-execution mode =item B @@ -612,7 +612,7 @@ modes: =item B -- discrete profile execute -- scrub the environment +- discrete profile execute -- use ld.so(8) secure-execution mode =item B @@ -620,7 +620,7 @@ modes: =item B -- transition to subprofile on execute -- scrub the environment +- transition to subprofile on execute -- use ld.so(8) secure-execution mode =item B @@ -632,7 +632,7 @@ modes: =item B -- discrete profile execute with inherit fallback -- scrub the environment +- discrete profile execute with inherit fallback -- use ld.so(8) secure-execution mode =item B @@ -640,7 +640,7 @@ modes: =item B -- transition to subprofile on execute with inherit fallback -- scrub the environment +- transition to subprofile on execute with inherit fallback -- use ld.so(8) secure-execution mode =item B @@ -648,7 +648,7 @@ modes: =item B -- discrete profile execute with fallback to unconfined -- scrub the environment +- discrete profile execute with fallback to unconfined -- use ld.so(8) secure-execution mode =item B @@ -656,7 +656,7 @@ modes: =item B -- transition to subprofile on execute with fallback to unconfined -- scrub the environment +- transition to subprofile on execute with fallback to unconfined -- use ld.so(8) secure-execution mode =item B 
@@ -715,20 +715,20 @@ constrained, see the apparmor(7) man page. B 'ux' should only be used in very special cases. It enables the designated child processes to be run without any AppArmor protection. -'ux' does not scrub the environment of variables such as LD_PRELOAD; -as a result, the calling domain may have an undue amount of influence -over the callee. Use this mode only if the child absolutely must be +'ux' does not use ld.so(8) secure-execution mode to clear variables such as +LD_PRELOAD; as a result, the calling domain may have an undue amount of +influence over the callee. Use this mode only if the child absolutely must be run unconfined and LD_PRELOAD must be used. Any profile using this mode provides negligible security. Use at your own risk. Incompatible with other exec transition modes and the deny qualifier. -=item B +=item B 'Ux' allows the named program to run in 'ux' mode, but AppArmor -will invoke the Linux Kernel's B routines to scrub -the environment, similar to setuid programs. (See ld.so(8) for some -information on setuid/setgid environment scrubbing.) +will invoke the Linux Kernel's B routines to set ld.so(8) +secure-execution mode and clear environment variables such as LD_PRELOAD, +similar to setuid programs. (See ld.so(8) for more information.) B 'Ux' should only be used in very special cases. It enables the designated child processes to be run without any AppArmor protection. 
@@ -743,18 +743,18 @@ This mode requires that a discrete security profile is defined for a program executed and forces an AppArmor domain transition. If there is no profile defined then the access will be denied. -B 'px' does not scrub the environment of variables such as -LD_PRELOAD; as a result, the calling domain may have an undue amount of +B 'px' does not use ld.so(8) secure-execution mode to clear variables +such as LD_PRELOAD; as a result, the calling domain may have an undue amount of influence over the callee. Incompatible with other exec transition modes and the deny qualifier. -=item B +=item B 'Px' allows the named program to run in 'px' mode, but AppArmor -will invoke the Linux Kernel's B routines to scrub -the environment, similar to setuid programs. (See ld.so(8) for some -information on setuid/setgid environment scrubbing.) +will invoke the Linux Kernel's B routines to set ld.so(8) +secure-execution mode and clear environment variables such as LD_PRELOAD, +similar to setuid programs. (See ld.so(8) for more information.) Incompatible with other exec transition modes and the deny qualifier. 
@@ -764,18 +764,18 @@ This mode requires that a local security profile is defined and forces an AppArmor domain transition to the named profile. If there is no profile defined then the access will be denied. -B 'cx' does not scrub the environment of variables such as -LD_PRELOAD; as a result, the calling domain may have an undue amount of +B 'cx' does not use ld.so(8) secure-execution mode to clear variables +such as LD_PRELOAD; as a result, the calling domain may have an undue amount of influence over the callee. Incompatible with other exec transition modes and the deny qualifier. -=item B +=item B 'Cx' allows the named program to run in 'cx' mode, but AppArmor -will invoke the Linux Kernel's B routines to scrub -the environment, similar to setuid programs. (See ld.so(8) for some -information on setuid/setgid environment scrubbing.) +will invoke the Linux Kernel's B routines to set ld.so(8) +secure-execution mode and clear environment variables such as LD_PRELOAD, +similar to setuid programs. (See ld.so(8) for more information.) Incompatible with other exec transition modes and the deny qualifier. @@ -788,7 +788,7 @@ will inherit the current profile. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile, or losing the permissions of the current profile. There is no -version to scrub the environment because 'ix' executions don't change +version to set secure-execution mode because 'ix' executions don't change privileges. Incompatible with other exec transition modes and the deny qualifier. 
@@ -1688,11 +1688,11 @@ rule set. Eg. change_profile /bin/bash -> {new_profile1,new_profile2,new_profile3}, The exec mode dictates whether or not the Linux Kernel's B -routines should be used to scrub the environment, similar to setuid programs. -(See ld.so(8) for some information on setuid/setgid environment scrubbing.) The -B mode sets up environment scrubbing to occur when the new application is -executed and B mode disables AppArmor's requirement for environment -scrubbing (the kernel and/or libc may still require environment scrubbing). An +routines should be used to set ld.so(8) secure-execution mode and clear +environment variables such as LD_PRELOAD, similar to setuid programs. +(See ld.so(8) for more information.) The B mode sets up secure-execution +mode for the new application, and B mode disables AppArmor's +requirement for it (the kernel and/or libc may still turn it on). An exec mode can only be specified when an exec condition is present. change_profile safe /bin/bash -> new_profile, diff --git a/parser/apparmor.pod b/parser/apparmor.pod index 0d2a01bed..317368d49 100644 --- a/parser/apparmor.pod +++ b/parser/apparmor.pod @@ -206,8 +206,8 @@ which can help debugging profiles. =head2 Enable debug mode When debug mode is enabled, AppArmor will log a few extra messages to -dmesg (not via the audit subsystem). For example, the logs will tell -whether environment scrubbing has been applied. +dmesg (not via the audit subsystem). For example, the logs will state when +ld.so(8) secure-execution mode has been applied in a profile transition. To enable debug mode, run:
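Review bot: the seven summary lines in the exec-mode =item list of parser/apparmor.d.pod (hunk @@ -604,7) say "use ld.so(8) secure-execution mode", while the long descriptions later in the same file say "set ld.so(8) secure-execution mode" and the change_profile paragraph says "sets up secure-execution mode". Pick one verb and keep it throughout, so that a reader searching the page for the phrase finds every mode it applies to.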
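Review bot: the 'Ux' description (hunk @@ -715,20) now reads as if the kernel routines themselves clear the variables: "routines to set ld.so(8) secure-execution mode and clear environment variables such as LD_PRELOAD". Secure-execution mode is a dynamic-linker feature, as the ld.so(8) reference itself indicates, so the sentence should separate the two steps: the exec is marked secure, and ld.so(8) then handles LD_PRELOAD and similar variables as its man page describes. Something like "routines so that ld.so(8) runs the program in secure-execution mode, which restricts environment variables such as LD_PRELOAD" would match the stated goal of the commit. The identical sentence appears in the 'Px' and 'Cx' hunks and needs the same change.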
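Review bot: the 'px' warning (hunk @@ -743,18) is ambiguous as worded: "does not use ld.so(8) secure-execution mode to clear variables such as LD_PRELOAD" can be read as "the variables are cleared, just by some other means". State the consequence directly, for example "'px' does not enable ld.so(8) secure-execution mode, so variables such as LD_PRELOAD are not cleared". The 'ux' and 'cx' warnings use the same construction.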
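Review bot: the 'ix' paragraph (hunk @@ -788,7) says "There is no version to set secure-execution mode" with no ld.so(8) reference anywhere in that item, unlike every other mode description touched by this patch. A reader who lands on 'ix' directly has nothing to tell them what secure-execution mode is. Add the ld.so(8) qualifier here too, and consider naming the missing variant explicitly (there is no 'Ix') rather than "no version".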
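Review bot: in the change_profile paragraph (hunk @@ -1688,11), the clause "disables AppArmor's requirement for it (the kernel and/or libc may still turn it on)" uses "it" twice, and the antecedent is a full line back. The old text repeated "environment scrubbing" each time, which was clumsy but unambiguous. Since the parenthetical is the caveat that matters for anyone choosing the unsafe mode, spell it out: "disables AppArmor's requirement for secure-execution mode (the kernel and/or libc may still enable it)".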
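Review bot: the parser/apparmor.pod hunk (@@ -206,8) changes more than terminology. The old sentence said the logs tell "whether" scrubbing has been applied, and the new one says they state "when" secure-execution mode has been applied "in a profile transition". That now claims a message is logged only in the applied case and only for profile transitions. If that matches what the debug output does, say so in the commit message, which currently has no body; if not, keep "whether" and drop the added restriction.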