mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/.bzrignore
Jamie Strandboge 3c41028cd5 Committing per IRC discussions. Does not update the Makefile to install it yet. 
= How it works =
There are basically two modes:
 1. using an existing profile with --profile
 2. dynamically generating a profile

For '1', aa-sandbox is just a wrapper around aa-exec.

For '2', aa-sandbox leverages easyprof and allows you to specify policy
in a limited way on the command line. It then loads the policy into the
kernel as a profile (ie, 'profile <foo> { ... }') so it doesn't get in
the way of existing profiles. It currently calls apparmor_parser via
sudo or pkexec. Once the profile is loaded, aa-exec the application
under the profile.

When -X is specified, the application is launched inside its own X
server using either xpra (the default, which uses Xvfb), xephyr and
xpra3d (xpra, but using Xorg with the xdummy[1] driver for now[2].
xpra3d doesn't currently perform well, but works ok with newer Gnome
applications that now require GLX). When using '-X', it:
- adds an explicit deny rule for ~/.Xauthority
- generates a dynamic Xauthority file for the session in 
  ~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds an allow rule for ~/.Xauthority-sandbox<DISPLAYNUMBER>
- adds checks for xhost being properly setup
- honors the --with-xauthority option which can be used with --profile

With the above, the :0.0 display should no longer be accessible. Eg:
$ ./aa-sandbox -t ~/sandbox-xterm -X /usr/bin/xterm
$ XAUTHORITY=~/.Xauthority DISPLAY=:0.0 xinput
No protocol specified
Unable to connect to X server

This requires a specifically configured xauth/xhost setup, which is less common
on modern distributions. The man page details how to get this setup.


= Trying it out =
Apply the patch, then:
$ cd ./utils
# cli
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates --read-path=/proc/ /usr/bin/uptime

# 2d only
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/gedit

# 2d alternate (xephyr)
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/gedit

# 3d
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/xeyes
$ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/glxgears

# With an existing profile:
$ ./aa-sandbox --profile=/usr/bin/evolution -X --with-xserver=xpra3d /usr/bin/evolution


= The Patch =
The patch itself is pretty self contained:
utils/aa-easyprof:
- adjusted to import optparse

utils/easyprof/templates/sandbox*
- add two new templates to easyprof

utils/apparmor/easyprof.py:
- use 'profile <foo>' if '<foo>' is not an absolute path
- adjust parser handling so we can reuse it

utils/aa-sandbox:
- small script to drive utils/apparmor/sandbox.py

utils/apparmor/common.py:
- the start of our python library. aa-easyprof would eventually use 
  this (along with the various rewrites), but for now, only the 
  sandboxing uses it.

utils/apparmor/sandbox.py:
- the sandboxing code itself. Of particular note is the use of classing
  to support different X servers

utils/aa-sandbox.pod:
- the corresponding man page


= Improvements =
* don't use sudo
* make pulseaudio in xpra opt-in (currently it is off)
* take advantage of upstream's 3D patches when they stabilize
* investigate how applications can work with the Unity global menu
* surely lots more 

[1]http://xpra.org/Xdummy.html
[2]http://xpra.org/trac/ticket/147
2013-01-14 09:11:58 -06:00

168 lines
5.5 KiB
Text
Raw Blame History

apparmor-*
parser/po/*.mo
parser/af_names.h
parser/cap_names.h
parser/tst_misc
parser/tst_regex
parser/tst_symtab
parser/tst_variable
parser/tst/simple_tests/generated_*/*
parser/parser_lex.c
parser/parser_version.h
parser/parser_yacc.c
parser/parser_yacc.h
parser/pod2htm*.tmp
parser/*.7
parser/*.5
parser/*.8
parser/*.7.html
parser/*.5.html
parser/*.8.html
parser/common
parser/apparmor_parser
parser/libapparmor_re/regexp.cc
parser/techdoc.aux
parser/techdoc.log
parser/techdoc.pdf
parser/techdoc.toc
libraries/libapparmor/Makefile
libraries/libapparmor/Makefile.in
libraries/libapparmor/aclocal.m4
libraries/libapparmor/audit.log
libraries/libapparmor/autom4te.cache
libraries/libapparmor/compile
libraries/libapparmor/config.guess
libraries/libapparmor/config.log
libraries/libapparmor/config.status
libraries/libapparmor/config.sub
libraries/libapparmor/configure
libraries/libapparmor/depcomp
libraries/libapparmor/install-sh
libraries/libapparmor/libtool
libraries/libapparmor/ltmain.sh
libraries/libapparmor/missing
libraries/libapparmor/ylwrap
libraries/libapparmor/doc/Makefile
libraries/libapparmor/doc/Makefile.in
libraries/libapparmor/doc/*.2
libraries/libapparmor/src/.deps
libraries/libapparmor/src/.libs
libraries/libapparmor/src/Makefile
libraries/libapparmor/src/Makefile.in
libraries/libapparmor/src/af_protos.h
libraries/libapparmor/src/change_hat.lo
libraries/libapparmor/src/grammar.lo
libraries/libapparmor/src/libaalogparse.lo
libraries/libapparmor/src/libimmunix_warning.lo
libraries/libapparmor/src/scanner.lo
libraries/libapparmor/src/libapparmor.la
libraries/libapparmor/src/libimmunix.la
libraries/libapparmor/src/grammar.c
libraries/libapparmor/src/grammar.h
libraries/libapparmor/src/scanner.c
libraries/libapparmor/src/scanner.h
libraries/libapparmor/src/tst_aalogmisc
libraries/libapparmor/swig/Makefile
libraries/libapparmor/swig/Makefile.in
libraries/libapparmor/swig/perl/LibAppArmor.bs
libraries/libapparmor/swig/perl/LibAppArmor.pm
libraries/libapparmor/swig/perl/Makefile
libraries/libapparmor/swig/perl/Makefile.PL
libraries/libapparmor/swig/perl/Makefile.in
libraries/libapparmor/swig/perl/Makefile.perl
libraries/libapparmor/swig/perl/blib
libraries/libapparmor/swig/perl/libapparmor_wrap.c
libraries/libapparmor/swig/perl/pm_to_blib
libraries/libapparmor/swig/python/Makefile
libraries/libapparmor/swig/python/Makefile.in
libraries/libapparmor/swig/python/setup.py
libraries/libapparmor/swig/ruby/Makefile
libraries/libapparmor/swig/ruby/Makefile.in
libraries/libapparmor/testsuite/.deps
libraries/libapparmor/testsuite/.libs
libraries/libapparmor/testsuite/Makefile
libraries/libapparmor/testsuite/Makefile.in
libraries/libapparmor/testsuite/libaalogparse.log
libraries/libapparmor/testsuite/libaalogparse.sum
libraries/libapparmor/testsuite/site.exp
libraries/libapparmor/testsuite/test_multi.multi
libraries/libapparmor/testsuite/config/Makefile
libraries/libapparmor/testsuite/config/Makefile.in
libraries/libapparmor/testsuite/lib/Makefile
libraries/libapparmor/testsuite/lib/Makefile.in
libraries/libapparmor/testsuite/libaalogparse.test/Makefile
libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
libraries/libapparmor/testsuite/test_multi/out
changehat/mod_apparmor/.libs
changehat/mod_apparmor/common
changehat/pam_apparmor/common
changehat/tomcat_apparmor/common
utils/common
utils/*.8
utils/*.8.html
utils/*.5
utils/*.5.html
utils/*.tmp
utils/po/*.mo
tests/regression/apparmor/access
tests/regression/apparmor/changehat
tests/regression/apparmor/changehat_fail
tests/regression/apparmor/changehat_fork
tests/regression/apparmor/changehat_misc
tests/regression/apparmor/changehat_misc2
tests/regression/apparmor/changehat_pthread
tests/regression/apparmor/changehat_twice
tests/regression/apparmor/changehat_wrapper
tests/regression/apparmor/changeprofile
tests/regression/apparmor/chdir
tests/regression/apparmor/chgrp
tests/regression/apparmor/chmod
tests/regression/apparmor/chown
tests/regression/apparmor/clone
tests/regression/apparmor/deleted
tests/regression/apparmor/env_check
tests/regression/apparmor/environ
tests/regression/apparmor/exec
tests/regression/apparmor/exec_qual
tests/regression/apparmor/exec_qual2
tests/regression/apparmor/fchdir
tests/regression/apparmor/fchgrp
tests/regression/apparmor/fchmod
tests/regression/apparmor/fchown
tests/regression/apparmor/fork
tests/regression/apparmor/link
tests/regression/apparmor/link_subset
tests/regression/apparmor/mkdir
tests/regression/apparmor/mmap
tests/regression/apparmor/mount
tests/regression/apparmor/named_pipe
tests/regression/apparmor/net_raw
tests/regression/apparmor/open
tests/regression/apparmor/openat
tests/regression/apparmor/pipe
tests/regression/apparmor/ptrace
tests/regression/apparmor/ptrace_helper
tests/regression/apparmor/pwrite
tests/regression/apparmor/readdir
tests/regression/apparmor/rename
tests/regression/apparmor/rw
tests/regression/apparmor/swap
tests/regression/apparmor/symlink
tests/regression/apparmor/syscall_chroot
tests/regression/apparmor/syscall_mknod
tests/regression/apparmor/syscall_mlockall
tests/regression/apparmor/syscall_ptrace
tests/regression/apparmor/syscall_reboot
tests/regression/apparmor/syscall_setdomainname
tests/regression/apparmor/syscall_sethostname
tests/regression/apparmor/syscall_setpriority
tests/regression/apparmor/syscall_setscheduler
tests/regression/apparmor/syscall_sysctl
tests/regression/apparmor/sysctl_proc
tests/regression/apparmor/tcp
tests/regression/apparmor/unix_fd_client
tests/regression/apparmor/unix_fd_server
tests/regression/apparmor/unlink
tests/regression/apparmor/xattrs
tests/regression/apparmor/coredump
./utils/apparmor/__pycache__
Reference in a new issue View git blame Copy permalink