Applying patches often creates *.orig files, and those files are quite
annoying in the "bzr status" output and also in the "unknown" file list
when commiting.
Note: I intentionally don't want to add *.rej files - while those files
should never end up in bzr, they are important enough to be listed in
bzr status output.
Acked-by: Steve Beattie <steve@nxnw.org>
This ignores the sniplets generated by profiles/Makefile, but doesn't
ignore local/README because it doesn't have a dot in its name.
Acked-by: John Johansen <john.johansen@canonical.com>
Also add libraries/libapparmor/swig/perl/Makefile.perle (noticed and
proposed by Steve)
With these changes, "bzr status" is clean again after "make distclean"
Acked-by: Steve Beattie <steve@nxnw.org>.
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The Makefiles don't create/need the 'common' symlinks since some time,
which also means we no longer need to have them in .bzrignore.
Acked-by: Steve Beattie <steve@nxnw.org>
= How it works =
There are basically two modes:
1. using an existing profile with --profile
2. dynamically generating a profile
For '1', aa-sandbox is just a wrapper around aa-exec.
For '2', aa-sandbox leverages easyprof and allows you to specify policy
in a limited way on the command line. It then loads the policy into the
kernel as a profile (ie, 'profile <foo> { ... }') so it doesn't get in
the way of existing profiles. It currently calls apparmor_parser via
sudo or pkexec. Once the profile is loaded, aa-exec the application
under the profile.
When -X is specified, the application is launched inside its own X
server using either xpra (the default, which uses Xvfb), xephyr and
xpra3d (xpra, but using Xorg with the xdummy[1] driver for now[2].
xpra3d doesn't currently perform well, but works ok with newer Gnome
applications that now require GLX). When using '-X', it:
- adds an explicit deny rule for ~/.Xauthority
- generates a dynamic Xauthority file for the session in
~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds an allow rule for ~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds checks for xhost being properly setup
- honors the --with-xauthority option which can be used with --profile
With the above, the :0.0 display should no longer be accessible. Eg:
$ ./aa-sandbox -t ~/sandbox-xterm -X /usr/bin/xterm
$ XAUTHORITY=~/.Xauthority DISPLAY=:0.0 xinput
No protocol specified
Unable to connect to X server
This requires a specifically configured xauth/xhost setup, which is less common
on modern distributions. The man page details how to get this setup.
= Trying it out =
Apply the patch, then:
$ cd ./utils
# cli
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates --read-path=/proc/ /usr/bin/uptime
# 2d only
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/gedit
# 2d alternate (xephyr)
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/gedit
# 3d
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/glxgears
# With an existing profile:
$ ./aa-sandbox --profile=/usr/bin/evolution -X --with-xserver=xpra3d /usr/bin/evolution
= The Patch =
The patch itself is pretty self contained:
utils/aa-easyprof:
- adjusted to import optparse
utils/easyprof/templates/sandbox*
- add two new templates to easyprof
utils/apparmor/easyprof.py:
- use 'profile <foo>' if '<foo>' is not an absolute path
- adjust parser handling so we can reuse it
utils/aa-sandbox:
- small script to drive utils/apparmor/sandbox.py
utils/apparmor/common.py:
- the start of our python library. aa-easyprof would eventually use
this (along with the various rewrites), but for now, only the
sandboxing uses it.
utils/apparmor/sandbox.py:
- the sandboxing code itself. Of particular note is the use of classing
to support different X servers
utils/aa-sandbox.pod:
- the corresponding man page
= Improvements =
* don't use sudo
* make pulseaudio in xpra opt-in (currently it is off)
* take advantage of upstream's 3D patches when they stabilize
* investigate how applications can work with the Unity global menu
* surely lots more
[1]http://xpra.org/Xdummy.html
[2]http://xpra.org/trac/ticket/147
tarball. Let's drop this from future tarball creation.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
the testsuite. It looks like coredump mediation may have been removed,
since it is rather a corner-case, so I have currently marked it as XFAIL.
In hooking it back up, the "prologue.inc" was reviewed, dead code dropped,
and the "image=" argument changed to correctly handle the imageperms
syntax used elsewhere. It was working in other tests out of coincidence.
