mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
The AppArmor user space development project.
4be07c3265
tree. It is limited in that it doesn't currently handle the permissions of a rule.
conversion output presents an aare -> prce conversion followed by 1 or more expression
tree rules, governed by what the rule does.
eg.
aare: /** -> /[^/\x00][^\x00]*
rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])*
eg.
echo "/foo { /** rwlkmix, } " | ./apparmor_parser -QT -D rule-exprs -D expr-tree
aare: /foo -> /foo
aare: /** -> /[^/\x00][^\x00]*
rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])*
rule: /[^/\x00][^\x00]*\x00/[^/].* -> /[^\0000/]([^\0000])*\0000/[^/](.)*
DFA: Expression Tree
(/[^\0000/]([^\0000])*(((((((((((((<513>|<2>)|<4>)|<8>)|<16>)|<32>)|<64>)|<8404992>)|<32768>)|<65536>)|<131072>)|<262144>)|<524288>)|<1048576>)|/[^\0000/]([^\0000])*\0000/[^/](.)*((<16>|<32>)|<262144>))
This simple example shows many things
1. The profile name under goes pcre conversion. But since no regular expressions where found
it doesn't generate any expr rules
2. /** is converted into the pcre expression /[^\0000/]([^\0000])*
3. The pcre expression /[^\0000/]([^\0000])* is converted into two rules that are then
converted into expression trees.
The reason for this can not be seen by the output as this is actually triggered by
permissions separation for the rule. In this case the link permission is separated
into what is shown as the second rule: statement.
4. DFA: Expression Tree dump shows how these rules are combined together
You will notice that the rule conversion statement is fairly redundant currently as it just
show pcre to expression tree pcre. This will change when direct aare parsing occurs,
but currently serves to verify the pcre conversion step.
It is not the prettiest patch, as its touching some ugly code that is schedule to be cleaned
up/replaced. eg. convert_aaregex_to_pcre is going to replaced with native parse conversion
from an aare straight to the expression tree, and dfaflag passing will become part of the
rule set.
|
||
|---|---|---|
| changehat | ||
| common | ||
| deprecated/management | ||
| kernel-patches | ||
| libraries/libapparmor | ||
| parser | ||
| profiles | ||
| tests | ||
| utils | ||
| .bzrignore | ||
| LICENSE | ||
| Makefile | ||
| README | ||
------------ Introduction ------------ AppArmor protects systems from insecure or untrusted processes by running them in restricted confinement, while still allowing processes to share files, exercise privilege and communicate with other processes. AppArmor is a Mandatory Access Control (MAC) mechanism which uses the Linux Security Module (LSM) framework. The confinement's restrictions are mandatory and are not bound to identity, group membership, or object ownership. The protections provided are in addition to the kernel's regular access control mechanisms (including DAC) and can be used to restrict the superuser. The AppArmor kernel module and accompanying user-space tools are available under the GPL license (the exception is the libapparmor library, available under the LGPL license, which allows change_hat(2) and change_profile(2) to be used by non-GPL binaries). For more information, you can read the techdoc.pdf (available after building the parser) and http://apparmor.wiki.kernel.org. ------------- Source Layout ------------- AppArmor consists of several different parts: changehat/ source for using changehat with Apache, PAM and Tomcat common/ common makefile rules desktop/ empty kernel-patches/ patches for various kernel versions libraries/ libapparmor source and language bindings parser/ source for parser/loader and corresponding documentation profiles/ configuration files, reference profiles and abstractions tests/ regression and stress testsuites utils/ high-level utilities for working with AppArmor ------------------------------------------ Building and Installing AppArmor Userspace ------------------------------------------ To build and install AppArmor userspace on your system, build and install in the following order. libapparmor: $ cd ./libraries/libapparmor $ sh ./autogen.sh $ sh ./configure --prefix=/usr --with-perl $ make $ make check Utilities: $ cd utils $ make $ make install parser: $ cd parser $ make $ make tests # not strictly necessary as they are run during the # build by default $ make install Apache mod_apparmor: $ cd changehat/mod_apparmor $ LIBS="-lapparmor" make $ make install PAM AppArmor: $ cd changehat/pam_apparmor $ LIBS="-lapparmor -lpam" make $ make install Profiles: $ cd profiles $ make $ make install ------------------- AppArmor Testsuites ------------------- A number of testsuites are in the AppArmor sources. Most have documentation on usage and how to update and add tests. Below is a quick overview of their location and how to run them. Regression tests ---------------- For details on structure and adding tests, see tests/regression/subdomain/README. To run: $ cd tests/regression/subdomain (requires root) $ make $ sudo make tests $ sudo bash open.sh -r # runs and saves the last testcase from open.sh Parser tests ------------ For details on structure and adding tests, see parser/tst/README. To run: $ cd parser/tst $ make $ make tests Libapparmor ----------- For detail son structure and adding tests, see libraries/libapparmor/README. $ cd libraries/libapparmor $ make check Stress Tests ------------ To run subdomain stress tests: $ make all Use these: $ ./change_hat $ ./child $ ./kill.sh $ ./open $ ./s.sh Or run all at once: $ ./stress.sh Please note that the above will stress the system so much it may end up invoking the OOM killer. To run parser stress tests (requires /usr/bin/ruby): $ ./stress.sh (see stress.sh -h for options) ----------------------------------------------- Building and Installing AppArmor Kernel Patches ----------------------------------------------- TODO