keywords. Deny is also used to subtract permissions from the
profile's permission set.
The audit keyword can be prepended to any file, network, or capability
rule to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
e.g.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit, so opening the file only
for read access will not force an audit message.
Audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
The deny keyword can be prepended to file, network and capability
rules to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things:
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the deny set just as allow permissions accumulate;
then the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
e.g.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
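The accumulate-then-subtract model above, as an added toy evaluator (not AppArmor's own parser or code): it reads the rules from the message, including the audit block form, and reports for one permission bit on one path whether access is allowed and whether a log message is forced. It assumes exact path matching (no globbing), ignores the owner/other qualifiers, and treats a reject that no deny rule covers as logged by default.

```python
# Toy evaluator for the audit/deny accumulation semantics described above.
# Assumptions: exact path match only, owner/other qualifiers are ignored,
# and rejects not covered by a deny rule are logged (only known rejects are quiet).
from dataclasses import dataclass, field

@dataclass
class PermSets:
    allow: set = field(default_factory=set)        # accumulated allow bits
    deny: set = field(default_factory=set)         # accumulated deny bits
    audit_allow: set = field(default_factory=set)  # allow bits flagged audit
    audit_deny: set = field(default_factory=set)   # deny bits flagged audit

def parse_profile(text):
    """Parse file rules, including 'audit { ... }' blocks, into per-path PermSets."""
    paths, in_audit_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line == "audit {":
            in_audit_block = True
            continue
        if line == "}":
            in_audit_block = False
            continue
        toks = line.rstrip(",").split()
        audit, deny = in_audit_block or "audit" in toks, "deny" in toks
        path = next(t for t in toks if t.startswith("/"))
        perms = set(toks[-1])                      # e.g. "rw" -> {"r", "w"}
        ps = paths.setdefault(path, PermSets())
        (ps.deny if deny else ps.allow).update(perms)
        if audit:
            (ps.audit_deny if deny else ps.audit_allow).update(perms)
    return paths

def check(paths, path, perm):
    """Return (allowed, audited) for one permission bit on a path."""
    ps = paths.get(path, PermSets())
    effective = ps.allow - ps.deny                 # deny set subtracted from allow set
    if perm in effective:
        return True, perm in ps.audit_allow        # audit bits accumulate separately
    if perm in ps.deny:                            # known reject: quiet unless audit deny
        return False, perm in ps.audit_deny
    return False, True                             # unknown reject: logged by default

# Constructed sample built from the rules in the message above.
SAMPLE = """\
audit /etc/shadow w,
/etc/shadow r,          # don't audit r access to /etc/shadow
/foo/bar rwx,
deny /foo/bar rw,       # deny wins over the earlier allow for r and w
audit {
    deny owner /blah w,
    /bin/foo rw,
}
"""
```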
- fix split init so that apparmor can be enabled at the boot command line.
The init was broken so that apparmor couldn't be enabled unless enabled
by default.
M apparmor-fix-lock-letter.diff
- fix the lock letter being reported (z -> k) and update some comments
A apparmor-create-append.diff
- fix semantic bug where full write perms were needed to create a new file,
where only append is needed.
M fix-link-subset.diff
- partial fix of link subset
A no-safex-link-subset.diff
- more link subset fixes
A audit-log-type-in-syslog.diff
- fix audit type being missing when messages go to syslog. This patch
is needed for apparmor to work when messages go to syslog instead of
auditd. This patch can be dropped when upstream includes the
patch to report audit number when reporting to syslog
A audit-uid.diff
- report the fsuid to the log
A hat_perm.diff
- setup to use hat permissions instead of just profile search for
2.3
A apparmor-failed-name-error.diff
- fix a bug where on failed name resolution no error or information is
output. It now reports info in the status field and includes an
error_code
A extend-x-mods.diff
- extend the x-mods in preparation of audit ctl
A apparmor-secondary-accept.diff
- extend the dfa to have a second accept table used for audit ctl
A apparmor-audit-flags2.diff
- extend apparmor to support audit ctl of individual permissions.
- finish fixing link-subset
A fix-change_profile-namespace.diff
- Not applied, ignore
exits but doesn't have a flags=(X) component.
Use of uninitialized value in substitution (s///) at
/usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm line 4687 (#1)
(W uninitialized) An undefined value was used as if it were already
defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
To suppress this warning assign a defined value to your variables.
To help you figure out what was undefined, perl tells you what operation
you used the undefined value in. Note, however, that perl optimizes your
program and the operation displayed in the warning may not necessarily
appear literally in your program. For example, "that $foo" is
usually optimized into "that " . $foo, and the warning will refer to
the concatenation (.) operator, even though there is no . in your
program.
sends messages to dispatchers without the type=X string prepended.
So update the library so the dbus dispatcher doesn't have to prepend
the audit type information before trying to parse the message.
users to push/pull/search for profiles in remote
repositories. It is not fully functional at the
moment (the official repository is down) but I'd
like to get feedback on the basic usage. The
options for
push/pull/search/status/getconfig/setconfig
are working (usage/help below). I think the next
step could be a basic gtk UI to give users a
decent UI to manage profiles/repositories.
Feedback welcomed about the usage model -
would a graphical tool make sense?
--------------------------------------------------------
aa-repo.pl --command args
--search [author=XXX] [prog=XXX] [id=XXX]
Search the repository for profiles matching the search criteria
and return the results.
NOTE: One --search switch per option
--verbose|v
Verbosity level. Supply either one or two switches. Two switches
adds full profile text in returned search results.
--push [--profile=XXX|all] [--changelog=XXX]
Push local profiles to repository, uses configured user and upon
overwrite of an existing profile in the repository then prompt
user with a diff for confirmation XXX the name of the application
whose profile should be uploaded or "all" to upload all
profiles. Multiple --profile switches may be passed to supply
multiple profile names
e.g. --push --profile /usr/sbin/mdnsd --profile /usr/sbin/ftp
e.g. --push --profile all
--pull [--author=XXX] [--profile=XXX] or [--id=XXX] [--mode=complain]
pull remote profiles and install on local system
If operation will change local profiles then prompt user with
diff for confirmation
NOTE: One --pull switch per option and there are three acceptable
combinations
--pull --author=XXX
* pull all profiles in the repo for the author
--pull --author=XXX --profile=XXXX
* pull the profile for prog owned by author
--pull --id=XXXX
* pull the profile with id
--pull --mode=complain
* set the profile(s) to complain mode when installed
Profiles are checked for conflicts with currently installed
profiles and presented as a list to the user to confirm and view.
--sync [--up] [--down] [--noconfirm]
Synchronize local profile set with the repository - showing
changes and allowing prompting the user with the diffs and
suggest the newest version to be activated. If the --all option
is passed then treat profiles not marked as remote as new
profiles that will be uploaded to the repository.
--status
Show the current status of the local profile set. This operation
is similar to sync but does not prompt the user to up|down load
changes
--setconfig [url=xxx] [username=xxxx] [password=xxxx] [enabled=(yes|no)]
[upload=(yes|no)]
Set the configuration options for the repository.
NOTE: One --setconfig switch per option
--getconfig|c
Print the current configuration for the repository
--quiet|q Don't prompt user - assume that all changes should be made.
routines into a standalone perl module.
Factor out the config file reading/writing into a
standalone perl module. The goal here was to
start to break out some of the basic routines
that the tools use into their own independent
modules.
- pass vfsmnt param for cgroups
A fix-user-audit.diff
- nothing
A fix-link-subset.diff
- fix reporting of failed link subsets
A apparmor-fix-lock-letter.diff
- fix the reported lock letter in apparmorfs/matching
- reverted audit request_mask back to requested_mask
A apparmor-fix-sysctl-refcount.diff
- fix a refcount leak in sysctl audit
which means the failure of the tests is known. So known_fail
means the test should fail but is known to succeed and similar
for known_pass.
This allows tests to be marked as having a known problem so that
regressions are useful to those less familiar with what is failing