mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser/apparmor.d.pod: more fully document child profiles, including:

Browse source 
- cx and Cx
  - change_profile()
This commit is contained in:
Jamie Strandboge 2010-12-20 13:40:59 -06:00
parent 289dcfb492
commit e5f4aa4140
1 changed files with 59 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

76
parser/apparmor.d.pod
View file

@ -55,9 +55,9 @@ B<COMMENT> = '#' I<TEXT>
B<TEXT> = any characters
B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> ) ... ] '}'
B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
B<SUBPROFILE> = [ I<COMMENT> ... ] I<PROGRAMHAT> '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
capabilities(7))
@ -74,13 +74,15 @@ B<PROGRAM> = (non-whitespace characters except for '^', must start with '/'. Emb
B<PROGRAMHAT> = '^' (non-whitespace characters; see change_hat(2) for a description of how this "hat" is used.)
B<PROGRAMCHILD> = I<SUBPROFILE> name
B<FILE RULE> = I<RULE QUALIFIER> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS> ','
B<RULE QUALIFIER> = [ 'audit' ] [ 'deny' ] [ 'owner' ]
B<FILEGLOB> = (must start with '/' (after variable expansion), B<?*[]{}^> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
B<ACCESS> = ( 'r' | 'w' | 'l' | 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'm' ) [ I<ACCESS> ... ] (not all combinations are allowed; see below.)
B<ACCESS> = ( 'r' | 'w' | 'l' | 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx -> ' I<PROGRAMCHILD> | 'Cx -> ' I<PROGRAMCHILD> | 'm' ) [ I<ACCESS> ... ] (not all combinations are allowed; see below.)
B<VARIABLE> = '@{' I<ALPHA> [ I<ALPHANUMERIC> ... ] '}'
@ -94,14 +96,19 @@ B<ALPHANUMERIC> = ('1', '2', '3', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ...
=back
All resources and programs need a full path. There may be any number
of subprofiles ("hats") in a profile, limited only by kernel memory.
Subprofile names are limited to 974 characters.
Not all profiles benefit from subprofiles
--- applications must either be written or modified to use change_hat(2)
to take advantage of subprofiles. Several change_hat(2)-aware
All resources and programs need a full path. There may be any number of
subprofiles (aka child profiles) in a profile, limited only by kernel
memory. Subprofile names are limited to 974 characters. Child profiles can
be used to confine an application in a special way, or when you want the
child to be unconfined on the system, but confined when called from the
parent. Hats are a special child profile that can be used with the
change_hat(2) API call. Applications written or modified to use
change_hat(2) can take advantage of subprofiles to run under different
confinements, dependent on program logic. Several change_hat(2)-aware
applications exist, including an Apache module, mod_apparmor(5); a PAM
module, pam_apparmor; and a Tomcat valve, tomcat_apparmor.
module, pam_apparmor; and a Tomcat valve, tomcat_apparmor. Applications
written or modified to use change_profile(2) transition permanently to the
specified profile. libvirt is one such application.
=head2 Access Modes
@ -124,6 +131,10 @@ modes:
=item B<Px> - discrete profile execute -- scrub the environment
=item B<cx> - transition to subprofile on execute
=item B<Cx> - transition to subprofile on execute -- scrub the environment
=item B<ix> - inherit execute
=item B<m> - allow PROT_EXEC with mmap(2) calls
@ -179,7 +190,7 @@ over the callee. Use this mode only if the child absolutely must be
run unconfined and LD_PRELOAD must be used. Any profile using this mode
provides negligible security. Use at your own risk.
Incompatible with 'Ux', 'px', 'Px', 'ix'.
Incompatible with 'Ux', 'px', 'Px', 'cx', 'Cx', 'ix'.
=item B<Ux - unconfined execute -- scrub the environment>
@ -193,7 +204,7 @@ designated child processes to be run without any AppArmor protection.
Use this mode only if the child absolutely must be run unconfined. Use
at your own risk.
Incompatible with 'ux', 'px', 'Px', 'ix'.
Incompatible with 'ux', 'px', 'Px', 'cx', 'Cx', 'ix'.
=item B<px - Discrete Profile execute mode>
@ -205,7 +216,7 @@ B<WARNING> 'px' does not scrub the environment of variables such as
LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee.
Incompatible with 'Ux', 'ux', 'Px', 'ix'.
Incompatible with 'Ux', 'ux', 'Px', 'cx', 'Cx', 'ix'.
=item B<Px - Discrete Profile execute mode -- scrub the environment>
@ -214,7 +225,28 @@ will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)
Incompatible with 'Ux', 'ux', 'px', 'ix'.
Incompatible with 'Ux', 'ux', 'px', 'cx', 'Cx', 'ix'.
=item B<cx - Transition to Subprofile execute mode>
This mode requires that a local security profile is defined and forces an
AppArmor domain transition to the named profile. If there is no profile
defined then the access will be denied.
B<WARNING> 'cx' does not scrub the environment of variables such as
LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee.
Incompatible with 'Ux', 'ux', 'px', 'Px', 'Cx', 'ix'.
=item B<Cx - Transition to Subprofile execute mode -- scrub the environment>
'Cx' allows the named program to run in 'cx' mode, but AppArmor
will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)
Incompatible with 'Ux', 'ux', 'px', 'Px', 'cx', 'ix'.
=item B<ix - Inherit execute mode>
@ -228,7 +260,7 @@ profile, or losing the permissions of the current profile. There is no
version to scrub the environment because 'ix' executions don't change
privileges.
Incompatible with 'Ux', 'ux', 'Px', 'px'. Implies 'm'.
Incompatible with 'Ux', 'ux', 'Px', 'px', 'cx', 'Cx'. Implies 'm'.
=item B<m - Allow executable mapping>
@ -528,7 +560,7 @@ generated profiles.
An example AppArmor profile:
# a variable definition
# a variable definition in the preamble
@{HOME} = /home/*/ /root/
# a comment about foo.
@ -545,13 +577,23 @@ An example AppArmor profile:
/tmp/foo.pid wr,
/tmp/foo.* lrw,
/@{HOME}/.foo_file rw,
/usr/bin/baz Cx -> baz,
# a comment about foo's subprofile, bar.
# a comment about foo's hat (subprofile), bar.
^bar {
/lib/ld-*.so* rmix,
/usr/bin/bar rmix,
/var/spool/* rwl,
}
# a comment about foo's subprofile, baz.
profile baz {
#include <abstractions/bash>
owner /proc/[0-9]*/stat r,
/bin/bash ixr,
/var/lib/baz/ r,
owner /var/lib/baz/* rw,
}
}
=head1 FILES