mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
pam_apparmor pam module.

The default behavior is to use the user's primary groupname, and to fall back to the DEFAULT hat. You can change this behavior by appending order=type1[,type2,type3] to the pam_apparmor session line in the pam config for the application you're applying pam_apparmor to. The available types are 'user' for username, 'group' for groupname, and 'default' for DEFAULT. Thus, adding a configuration entry like:

  session optional pam_apparmor.so order=group,default

is equivalent to the default behavior for pam_apparmor.

The parse_option code got a little more complicated than I'd hoped it would be; I could have just had types be space delimited options to the module, but I thought I'd leave open the possibility of adding additional options to the module ('debug' immediately comes to mind).

I disabled the short-circuit that occurs if EPERM is returned by change_hat, as we can't detect whether this is because there are no hats or because the application is entirely undefined; if ECHILD makes it in then we can re-enable this.

I am less convinced now that pam_apparmor needs to be 'optional' rather than 'required'; killing the session if none of the change_hats succeeds is starting to feel like reasonable behavior.

---
 changehat/pam_apparmor/Makefile             |  11 +
 changehat/pam_apparmor/README               |  74 +++++++++++++
 changehat/pam_apparmor/get_options.c        | 157 ++++++++++++++++++++++++++++
 changehat/pam_apparmor/pam_apparmor.c       | 155 +++++++++++++++++++--------
 changehat/pam_apparmor/pam_apparmor.h       |  56 +++++++++
 changehat/pam_apparmor/pam_apparmor.spec.in |   2
 6 files changed, 406 insertions(+), 49 deletions(-)
pam_apparmor - a (linux specific) PAM module to add support for apparmor's
subprocess confinement.

An apparmor profile applies to an executable program; if a portion of the
program needs different access permissions than other portions, the program
can "change hats" via change_hat(2) to a different role, also known as a
subprofile. The pam_apparmor PAM module allows applications to confine
authenticated users into subprofiles based on groupnames, usernames, or a
default profile. To accomplish this, pam_apparmor needs to be registered as
a PAM session module.

Compiling pam_apparmor
----------------------

The pam-development libraries and libapparmor need to be installed on the
build system. 'make' should be all that is needed to build pam_apparmor.so;
'make rpm' should work on RPM-based systems.

Configuring pam_apparmor
------------------------

To add pam_apparmor support to a pam enabled application, add a line like
the following to the pam configuration file for the application (usually
stored in /etc/pam.d/):

  session optional pam_apparmor.so

Likely you will want to add pam_apparmor after other session management
modules. If you make the pam_apparmor module 'required' instead of
'optional', the session will abort if pam_apparmor is not able to
successfully find a hat to change_hat into. Be careful when making it
required; it is possible to cause all attempted logins to the service to
fail if the apparmor policy is insufficient.

By default, pam_apparmor will attempt to change_hat into a hat based on the
primary group name of the user logging in. If that hat does not exist, the
module will attempt to change_hat into a hat named DEFAULT (it is
recommended to ensure this hat exists in the apparmor profiles for
applications using pam_apparmor). However, this is configurable by adding
an option to the pam configuration line to modify what order and what
attributes pam_apparmor will attempt to use when attempting to change_hat.

To do so, add 'order=' followed by a comma separated list of types of hats
to try. The types of hats available are:

  * 'user'    - the username will be used as the hatname
  * 'group'   - the primary group will be used as the hatname
  * 'default' - the string 'DEFAULT' will be used as the hatname.
                Generally, this should be the hat of last resort.

The order in the list determines the order in which the hats will be
attempted. Some example configurations:

  # the default behavior
  session optional pam_apparmor.so order=group,default

  # attempt to use only the username
  session optional pam_apparmor.so order=user

  # use the username, followed by the primary groupname, followed by
  # DEFAULT if the prior hats do not exist in the apparmor profile
  session optional pam_apparmor.so order=user,group,default

References
----------

Project webpage: http://developer.novell.com/wiki/index.php/Novell_AppArmor

To provide feedback or ask questions please contact the
apparmor-dev@forge.novell.com mail list. This is the development list for
the AppArmor team.

See also: change_hat(3), and the Linux-PAM online documentation at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
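The hat selection described in the commit message and in the README above, as an added C example that is not pam_apparmor's own code (the module's real get_options.c and pam_apparmor.c are not reproduced here). It parses the module argument vector the way PAM hands it to a session module, applies the documented default of group then DEFAULT, rejects unknown or repeated types, derives the candidate hat names from the login's username and primary group, and simulates the change_hat attempts against a constructed table of hats that stands in for the application's AppArmor profile. The functions parse_options, candidate_hats, try_hats and pick_hat, and the hat table, are assumptions made for this demo; no libapparmor or Linux-PAM calls are made, so it runs offline.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not pam_apparmor's own code: models the order= handling
 * the README describes, with a constructed hat table in place of a profile. */

enum hat_type { HAT_USER, HAT_GROUP, HAT_DEFAULT };
#define MAX_TYPES 3
#define MAX_HATS  16

struct pam_apparmor_opts {
    enum hat_type order[MAX_TYPES];
    int n_order;
};

/* Parse the value of order=. Returns 0 on success, -1 for an unknown type,
 * a repeated type, or an empty list: a bad option is refused rather than
 * silently falling back to the default order. */
static int parse_order(const char *value, struct pam_apparmor_opts *opts)
{
    char buf[128];
    bool seen[MAX_TYPES] = { false, false, false };

    if (strlen(value) >= sizeof buf)
        return -1;
    strcpy(buf, value);
    opts->n_order = 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        enum hat_type t = HAT_DEFAULT;
        if (strcmp(tok, "user") == 0)
            t = HAT_USER;
        else if (strcmp(tok, "group") == 0)
            t = HAT_GROUP;
        else if (strcmp(tok, "default") == 0)
            t = HAT_DEFAULT;
        else
            return -1;
        if (seen[t] || opts->n_order == MAX_TYPES)
            return -1;
        seen[t] = true;
        opts->order[opts->n_order++] = t;
    }
    return opts->n_order > 0 ? 0 : -1;
}

/* Parse the module arguments as PAM passes them (argv[i] is one word from
 * the pam.d line). Without order= the README default group,default applies.
 * Any other word is rejected so a typo in pam.d is noticed, not ignored. */
int parse_options(int argc, const char **argv, struct pam_apparmor_opts *opts)
{
    opts->order[0] = HAT_GROUP;
    opts->order[1] = HAT_DEFAULT;
    opts->n_order = 2;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "order=", 6) != 0)
            return -1;
        if (parse_order(argv[i] + 6, opts) != 0)
            return -1;
    }
    return 0;
}

/* Translate the parsed order into the hat names to try, in order. */
int candidate_hats(const struct pam_apparmor_opts *opts, const char *user,
                   const char *group, const char *names[MAX_TYPES])
{
    for (int i = 0; i < opts->n_order; i++) {
        switch (opts->order[i]) {
        case HAT_USER:    names[i] = user;      break;
        case HAT_GROUP:   names[i] = group;     break;
        case HAT_DEFAULT: names[i] = "DEFAULT"; break;
        }
    }
    return opts->n_order;
}

/* Stand-in for the sequence of change_hat calls: the first candidate present
 * in the profile's hat table wins. Returns its index in names[], or -1 when
 * none exists, which is the case a 'required' pam_apparmor turns into a
 * failed session. */
int try_hats(const char *names[], int n, const char **profile_hats, int n_hats)
{
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n_hats; j++)
            if (strcmp(names[i], profile_hats[j]) == 0)
                return i;
    return -1;
}

/* One-call driver: module argument, login identity, and a constructed
 * comma-separated list of hats in the profile. Returns the hat that would be
 * entered, or NULL if the argument is invalid or no candidate hat exists. */
const char *pick_hat(const char *module_arg, const char *user,
                     const char *group, const char *profile_hats_csv)
{
    struct pam_apparmor_opts opts;
    const char *argv[1] = { module_arg };
    const char *names[MAX_TYPES];
    const char *hats[MAX_HATS];
    char buf[256];
    int n_hats = 0;

    if (parse_options(1, argv, &opts) != 0 || strlen(profile_hats_csv) >= sizeof buf)
        return NULL;
    strcpy(buf, profile_hats_csv);
    for (char *tok = strtok(buf, ","); tok && n_hats < MAX_HATS; tok = strtok(NULL, ","))
        hats[n_hats++] = tok;
    int n = candidate_hats(&opts, user, group, names);
    int hit = try_hats(names, n, hats, n_hats);
    return hit < 0 ? NULL : names[hit];
}

int main(void)
{
    /* constructed profile: only the 'users' and 'DEFAULT' hats exist, so a
     * login for alice (primary group users) gets no per-user hat and falls
     * through to the group hat; with order=user alone nothing matches */
    const char *hat = pick_hat("order=user,group,default", "alice", "users", "users,DEFAULT");
    printf("order=user,group,default -> %s\n", hat ? hat : "no hat (a 'required' module would abort)");
    hat = pick_hat("order=user", "alice", "users", "users,DEFAULT");
    printf("order=user               -> %s\n", hat ? hat : "no hat (a 'required' module would abort)");
    return 0;
}
```

In the real module each step that try_hats simulates is a change_hat call, and the README's warning applies: the second case above, where no candidate exists, is exactly the login that a 'required' pam_apparmor line refuses, so make sure the DEFAULT hat exists in the profile before promoting the module from 'optional'.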