mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 00:14:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
Page: AppArmorPolicyView
Pages
2.12.4_Signatures 2.13.10_Signatures 2.13.11_Signatures 2.13.3_signature 2.13.4_signature 2.13.7_Signatures 2.13.8_Signatures 2.13.9_Signatures 3.0.10_Signatures 3.0.11_Signatures 3.0.12_Signatures 3.0.13_Signatures 3.0.8_Signatures 3.0.9_Signatures 3.1.1_Signatures 3.1.2_Signatures 3.1.3_Signatures 3.1.4_Signatures 3.1.5_Signatures 3.1.6_Signatures 3.1.7_Signatures 4.0.0 alpha2_Signatures 4.0.0 alpha3_Signatures 4.0.0 beta4_Signatures 4.0.1_Signatures 4.0.2_Signatures 4.0.3_Signatures 4.1.0 beta1_Signatures 4.1.0 beta4_Signatures About AbstractionsGuide AlternativeMethodsforSystemWideRestrictions AppArmor and Kubernetes AppArmor2FeatureABI AppArmorAPIs AppArmorAuditing AppArmorClassNumbers AppArmorDBus AppArmorDelegation AppArmorDynamicIncludes AppArmorFeatureABI AppArmorFeatureABIinteractions AppArmorGSettings AppArmorInSystemd AppArmorInterfaces AppArmorJournald AppArmorLabelsandTypes AppArmorLinuxNamespaces AppArmorLog AppArmorMLS AppArmorMonitoring AppArmorNamespaces AppArmorObjectDelegation AppArmorPolicy AppArmorPolicyScope AppArmorPolicyTOC AppArmorPolicyView AppArmorPortals AppArmorProfileSpec AppArmorProgramaticApplicationPolicy AppArmorRBAC AppArmorSandboxing AppArmorSnappyDesktop AppArmorStacking AppArmorSystemWideRestrictions AppArmorTrustedHelpers AppArmorUpdateGuidelines AppArmorUserDefinedPolicy AppArmorWine AppArmorXace AppArmor_Core_Policy_Reference AppArmor_Failures AppArmor_History AppArmor_Model AppArmor_Presentations AppArmor_versions AppArmor_versions_2.1 AppArmor_versions_2.10 AppArmor_versions_2.11 AppArmor_versions_2.12 AppArmor_versions_2.13 AppArmor_versions_2.3 AppArmor_versions_2.4 AppArmor_versions_2.5 AppArmor_versions_2.6 AppArmor_versions_2.7 AppArmor_versions_2.8 AppArmor_versions_2.9 AppArmor_versions_3.0 AppArmor_versions_3.1 AppArmor_versions_4.0 AppArmor_versions_4.1 AppArmorpolicyfeaturesDev AppArmorpolicyversioning Apparmor_parser Apparmorbinarypolicy Apparmorearlypolicy Apparmorinitrd Apparmorpolicycache Apparmorpolicymanagement Apparmorpolicymanagement2x Binary_Profile_Language Binary_profile_format BugTracking Coding Style CollaborativeProfileDevSpec CombiningStackingAndNamespaces CommitPolicy CompilerImprovements Complain Mode Confining_all_tasks Controlling_Profile_State CreatingPolicy DeprecateProfilePathName DevelopmentRoadmap Distro_CentOS Distro_debian Distro_suse Distro_ubuntu Documentation EnvironmentVariables ExampleProfiles Extended_profiling_example FAQ Firejail FullSystemPolicy GettingStarted Gittutorial IRC_meeting_2010 IRC_meeting_2011 IRC_meeting_2012 09 25 IRC_meeting_2012 11 06 IRC_meeting_2012 12 04 IRC_meeting_2012 IRC_meeting_2013 01 08 IRC_meeting_2013 02 05 IRC_meeting_2013 03 01 IRC_meeting_2013 05 14 IRC_meeting_2013 06 11 IRC_meeting_2013 07 09 IRC_meeting_2013 08 13 IRC_meeting_2013 10 08 IRC_meeting_2013 11 13 IRC_meeting_2013 IRC_meeting_2014 02 24 IRC_meeting_2014 06 10 IRC_meeting_2014 07 08 IRC_meeting_2014 09 09 IRC_meeting_2014 10 14 IRC_meeting_2014 11 05 IRC_meeting_2014 12 09 IRC_meeting_2014 IRC_meeting_2015 02 10 IRC_meeting_2015 03 10 IRC_meeting_2015 04 14 IRC_meeting_2015 05 12 IRC_meeting_2015 06 09 IRC_meeting_2015 07 14 IRC_meeting_2015 11 17 IRC_meeting_2015 IRC_meeting_2016 01 19 IRC_meeting_2016 09 13 IRC_meeting_2016 IRC_meeting_2017 10 10 IRC_meeting_2017 11 25 IRC_meeting_2017 12 13 IRC_meeting_2017 IRC_meeting_2018 01 16 IRC_meeting_2018 02 15 IRC_meeting_2018 12 11 IRC_meeting_2018 IRC_meeting_2019 04 09 IRC_meeting_2019 06 13 IRC_meeting_2019 10 08 IRC_meeting_2019 IRC_meeting_2020 01 14 IRC_meeting_2020 02 11 IRC_meeting_2020 02 12 IRC_meeting_2020 03 10 IRC_meeting_2020 04 10 IRC_meeting_2020 04 28 IRC_meeting_2020 06 09 IRC_meeting_2020 09 08 IRC_meeting_2020 10 13 IRC_meeting_2020 IRC_meeting_2021 07 13 IRC_meeting_2021 11 09 IRC_meeting_2021 12 14 IRC_meeting_2022 02 08 IRC_meeting_2022 08 09 IRC_meeting_2022 10 11 IRC_meeting_2022 11 08 IRC_meeting_2022 12 13 IRC_meeting_2022 4 12 IRC_meeting_2022 7 12 IRC_meeting_2023 02 14 IRC_meeting_2023 06 13 IRC_meeting_2023 08 08 IRC_meeting_2023 09 12 IRC_meeting_2023 10 10 IRC_meeting_2024 01 09 IRC_meeting_2024 04 09 IRC_meeting_2024 06 11 IRC_meeting_2024 08 13 IRC_meeting_2024 09 10 IRC_meeting_2024 10 08 IRC_meeting_2024 11 12 IRC_meeting_2025 01 14 IRC_meeting_2025 02 18 Integrating Test plan Kernel_Feature_Matrix Kernel_interfaces Launchpadtutorial Libvirt ManPages MeetingAgenda Mod_apparmor Mod_apparmor_example Multi Category Security (MCS) Pam_apparmor Pam_apparmor_example PerformanceImprovements Policy_Layout ProfileLanguage Profile_repo Profile_variants Profiles Profiling_by_hand Profiling_with_tools QuickProfileLanguage RBAC_2_0 RBAC_2_1 RBAC_2_3 RBAC_2_5 README Raising_Task_Capabilities ReleaseProcess Release_Notes_2.10.1 Release_Notes_2.10.2 Release_Notes_2.10.3 Release_Notes_2.10.4 Release_Notes_2.10.5 Release_Notes_2.10.6 Release_Notes_2.10 Release_Notes_2.11.1 Release_Notes_2.11.2 Release_Notes_2.11.3 Release_Notes_2.11.4 Release_Notes_2.11 Release_Notes_2.12.0 Release_Notes_2.12.1 Release_Notes_2.12.2 Release_Notes_2.12.3 Release_Notes_2.12.4 Release_Notes_2.12 Release_Notes_2.13.1 Release_Notes_2.13.10 Release_Notes_2.13.11 Release_Notes_2.13.2 Release_Notes_2.13.3 Release_Notes_2.13.4 Release_Notes_2.13.5 Release_Notes_2.13.6 Release_Notes_2.13.7 Release_Notes_2.13.8 Release_Notes_2.13.9 Release_Notes_2.13 Release_Notes_2.14 Release_Notes_2.4 Release_Notes_2.5.1 Release_Notes_2.5.2 Release_Notes_2.5 Release_Notes_2.6.0 Release_Notes_2.6.1 Release_Notes_2.7.1 Release_Notes_2.7.2 Release_Notes_2.7 Release_Notes_2.8.1 Release_Notes_2.8.2 Release_Notes_2.8.3 Release_Notes_2.8.4 Release_Notes_2.8.5 Release_Notes_2.8 Release_Notes_2.9.0 Release_Notes_2.9.1 Release_Notes_2.9.2 Release_Notes_2.9.3 Release_Notes_2.9.4 Release_Notes_2.9.5 Release_Notes_3.0.1 Release_Notes_3.0.10 Release_Notes_3.0.11 Release_Notes_3.0.12 Release_Notes_3.0.13 Release_Notes_3.0.2 Release_Notes_3.0.3 Release_Notes_3.0.4 Release_Notes_3.0.5 Release_Notes_3.0.6 Release_Notes_3.0.7 Release_Notes_3.0.8 Release_Notes_3.0.9 Release_Notes_3.0 Release_Notes_3.1.1 Release_Notes_3.1.2 Release_Notes_3.1.3 Release_Notes_3.1.4 Release_Notes_3.1.5 Release_Notes_3.1.6 Release_Notes_3.1.7 Release_Notes_3.1 Release_Notes_4.0 alpha1 Release_Notes_4.0 alpha2 Release_Notes_4.0 alpha3 Release_Notes_4.0 alpha4 Release_Notes_4.0 beta1 Release_Notes_4.0 beta2 Release_Notes_4.0 beta3 Release_Notes_4.0 beta4 Release_Notes_4.0.1 Release_Notes_4.0.2 Release_Notes_4.0.3 Release_Notes_4.0.4 Release_Notes_4.1 beta1 Release_Notes_4.1 beta2 Release_Notes_4.1 beta3 Release_Notes_4.1 beta4 Release_Notes_4.1 beta5 Release_Notes_4.1 beta6 Release_Notes_4.1.0 beta1 Release_Notes_5.0 Revising_and_fine_tuning_policy_and_abstractions Sandstorm StackingConfiningUsers TechnicalDoc TechnicalDoc_DBusRuleEncoding TechnicalDoc_DFA TechnicalDoc_FileRuleEncoding TechnicalDoc_HFA TechnicalDoc_HFA_Layout TechnicalDoc_HFA_permissions TechnicalDoc_Kernel TechnicalDoc_MountRuleEncoding TechnicalDoc_Mount_Flags TechnicalDoc_NetworkRuleEncoding TechnicalDoc_PolicyDB TechnicalDoc_Policy_Layout TechnicalDoc_Proc_and_ptrace TechnicalDoc_RulePathEncoding TechnicalDoc_XWindowsRuleEncoding Translations Unconfined, the unconfined flag and default allow Userconditional Users in AppArmor Userspace_Feature_Matrix Versioning WorkItems _sidebar aparmor_policy_development_guide apparmor 5 config layout spec apparmor_compiler_development_guide apparmor_kernel_development_guide apparmor_kernel_development_guide_notifications apparmor_library_development_guide apparmor_profile_tools_guide apparmordynamicpolicy apparmorpolicyfeaturesABI apparmorversioning bubblewrap clearcontainers containers docker flatpak gVisor home how to setup a policy namespace for containers io_uring rules kata containers kubernetes manpage_aa audit.8 manpage_aa autodep.8 manpage_aa cleanprof.8 manpage_aa complain.8 manpage_aa decode.8 manpage_aa disable.8 manpage_aa easyprof.8 manpage_aa enabled.1 manpage_aa enforce.8 manpage_aa exec.1 manpage_aa features abi.1 manpage_aa genprof.8 manpage_aa logprof.8 manpage_aa mergeprof.8 manpage_aa notify.8 manpage_aa remove unknown.8 manpage_aa status.8 manpage_aa teardown.8 manpage_aa unconfined.8 manpage_aa_change_hat.2 manpage_aa_change_profile.2 manpage_aa_features.3 manpage_aa_find_mountpoint.2 manpage_aa_getcon.2 manpage_aa_kernel_interface.3 manpage_aa_policy_cache.3 manpage_aa_query_label.2 manpage_aa_splitcon.3 manpage_aa_stack_profile.2 manpage_apparmor.7 manpage_apparmor.d.5 manpage_apparmor_parser.8 manpage_apparmor_parser manpage_apparmor_xattrs.7 manpage_logprof.conf.5 manpage_mod_apparmor.8 mqueue rules nabla containers no_new_privs profileflags prompt v3 interface rule operations rule prefixes and modes runV runc sanitized_helper security@apparmor template reply unprivileged_unconfined_restriction unprivileged_userns_restriction wip conditional policy
6 AppArmorPolicyView
John Johansen edited this page 2019-10-20 09:01:19 +00:00
Table of Contents

Related Documents

Introduction

The policy view determines whether a namespace is treated as the root for policy visibility. By default when a new policy namespace is created it is also treated as a new policy view. This feature is used by containers like LXD to load and treat their policy as if it is the root system policy. Note that there are cases where the use of policy namespaces is beneficial but a new view is not desired. Eg, setting up user roles or application sandboxing where visibility of system policy is desirable.

The policy view affects how policy is authored because it affects the names that are used in transitions and for communication between tasks. As such policy must be authored with a certain view in mind. It is the policy author's responsibility to ensure the policy and views required for a namespace are correctly setup.

TODO: transitions between profiles in different namespaces...

Namespace View

AppArmor policy namespaces are strictly hierarchical but the full hierarchy may not be visible to all tasks. A virtualized view of the policy namespace hierarchy may be set and tasks under that view can as a result only see the portion of the hierarchy within their view.

Example:

Given a hierarchy of :ns1//ns2: and a view set to :ns1: then only the profiles in ns1 and ns2 will be visible.

The profile introspection and management interfaces are virtualized to the current namespace view of the task doing profile management or introspection. Note: See Interfaces and current view???(or is it current namespace???) for additional notes

The View acts as the root namespace for tasks assigned to that view, and the name of the View namespace will not be reported to tasks in that view.

Example:

If profile foo is loaded into :ns1:, and Task A has its View set to :ns1: then when task one introspects task B confined by :ns1:foo it will see the confinement of task B as just foo. Tasks outside the view may be able to see the full hierarchy or nothing depending on their own views.

While the AppArmor interfaces are virtualized, depending on how the kernel and other system namespaces (proc, user, ...) are configured it may be possible to introspect a task that is outside of the namespace View. In this situation the confinement of the task will be reported as having the name ---. AppArmor will not expose the namespace name nor the profile name of the task.

For example, given the namespaces

   root policy namespace
   :ns1:
   :ns1//ns2:
   :ns3:

And the following tasks and views

  • Task A has a view set to the root system policy namespace, with it confinement set to unconfined
  • Task B has a view set to ns1, with its confinement set to unconfined of namespace :ns1:
  • Task C has a view set to ns1//ns2, with its confinement set to unconfined of namespace :ns1//ns2:
  • Task D has a view set to ns3, with its confinement set to unconfined of namespace :ns3:

Then

  • Task A
    • can see profiles in the system namespace
    • can see the namespaces :ns1:, :ns1//ns2:, and :ns3: and the profiles in them
    • sees the confinement of
      • Task A (itself) as unconfined
      • Task B as :ns1:unconfined
      • Task C as :ns1//ns2:unconfined
      • Task D as :ns3:unconfined
  • Task B
    • can NOT see profiles in the system namespace
    • can see profiles in namespaces :ns1: which appears to be the root system namespace to it
    • sees namespace :ns1//ns2: as :ns2: and can see the profiles in it
    • can NOT see namespace :ns3: nor the profiles in it
    • sees the confinement of
      • Task A as ---
      • Task B (itself) as unconfined
      • Task C as :ns2:unconfined
      • Task D as ---
  • Task C
    • can NOT see profiles in the system namespace
    • can NOT see namespace :ns1: nor :ns3: nor their profiles
    • can see profiles in namespaces :ns1//ns2: which appears to be the root system namespace to it
    • sees the confinement of
      • Task A as ---
      • Task B as ---
      • Task C (itself) as unconfined
      • Task D as ---
  • Task D
    • can NOT see profiles in the system namespace
    • can NOT see namespace :ns1: nor :ns1//ns2: nor their profiles
    • can see profiles in namespaces :ns3: which appears to be the root system namespace to it
    • sees the confinement of
      • Task A as ---
      • Task B as ---
      • Task C as ---
      • Task D (itself) as unconfined

How the Namespace View affects Policy

The namespace view not only affects what policy is visible from a task but also affects how policy needs to be authored, and managed.

TODO

Namespace View and policy transitions

Namespace View and policy management

??? how is the view of a namespace set

  • Note: Before AppArmor 4, the View and current namespace are the same

Defining/Setting the Namespace View

There are two ways that a namespace view can be set. It can be defined in policy, or if policy does not explicitly define the namespace view it can be set via the apparmorfs interface (used by the api).

Defining the View in Policy

The view is set relative to the namespace the policy is being defined for.

 namespace ns1 {
     view ./, # view of ns1 is set to the policy root 
      namespace ns2 {
         view ns1, # view of ns1//ns2 is set to that of ns1 
          profile D {
             ...
         }
     }
      namespace ns3 {
         # view not defined so set to ns1//ns3
         profile E {
             ...
         }
     }
      profile C {
         ...
     }
 }
  profile A {
     ...
 }
  profile :ns1:B {
     # profile defined external to its namespace block, view is still set in namespace block 
     ...
 }

Setting the View via the apparmorfs interface

The apparmorfs interface can be used to set a namespace view when policy does not define the view of the namespace. This is usually occurs because the namespace is being dynamically created by a trusted helper (lxd, pam, ..), and the policy of the new namespace doesn't have to directly interact with existing policy. When a namespace is created without its view being set, either via the profile load interface, or the apparmorfs interface, the namespace's view is defaulted to its self (its policy will not see existing policy on the system).

The View of a policy namespace can be set by a task in an ancestor namespace with admin rights over the namespace. The setting task can set the namespace view to any namespace it can view including its own view. A task confined by the namespace can not change the view of the namespace, in fact once a task is confined by the namespace its view can not be changed.

The View of a namespace can be set by writing to the view file under the its namespace directory. Eg. to set the View of namespace ns1 to the current tasks view it could write

 echo “.” > /sys/kernel/security/apparmor/policy/namespaces/ns1/view

Current Namespace(s)

When a task is created it is assigned to a policy namespace (usually inherited from its parent). When stacking is used the task may be assigned to multiple policy namespaces. From a mediation point of view all of the task's namespaces are active and enforced (even the ones out of the task's view). Once a task has entered a namespace there is no way for it to leave that policy namespace unless so directed/defined in the policy of that namespace. The current namespace of a given task is the namespace of the task's label or if the label is composed of multiple profiles it is namespace that is the furtherest descendent from the system's root namespace.

That is if the task is confined by

 profile_A//:ns1:profile_B//:ns1//ns2:profile_C

the current namespace will be ns1//ns2.

The current task's namespace is not directly used in mediation but is used to find a task's

  • current View namespace
  • current Scope namespace

which are used in mediation.

The current namespace is always the Scope namespace or one of its children, it can never be a parent of the namespace Scope, and the Scope namespace is always the same as the View namespace or one of its children. (ie. current View >= current Scope >= current namespace)

  • Note: Before Version 4.0 of the AppArmor kernel module the current namespace was always set as the current View such that the current namespace always appeared to be the root namespace for tasks in that namespace.

Current View

The current View namespace of a task governs which namespace is used for profile lookups, profile attachments, and transitions. It also determines what part of the confinement stack can be viewed by a task when doing introspection. The current View is determined by the view namespace of the the task's current namespace. The current view will be the same as the current namespace or an ancestor of it.

E.G., given a child namespace :child1: with its view set to the root namespace and with profile R in the root namespace, profile C in the the child namespace, task Tr confined by R and task Tc confined by C, then

  • Tr
    • views Tc confinement as :child1:C
    • views its own confinement as R
  • Tc
    • views its own confinement as :child1:C
    • views Tr confinement as R

Now lets say Tc and Tr both try to transition to a profile X

  • Tr will transition to X in the root namespace
  • Tc will transition to a different profile X in the namespace :child1: because its current namespace is :child1: and profile lookups that don't specify a namespace are relative to the current namespace.

However if the transitions is to :child1:X

  • Tr will transition to the X profile in :child1:
  • Tc will still transition to the X profile in :child1:

This is because the namespace lookup is relative to the view not the current profile.

Similarly if the transitions is to :child2:Y

  • Tr will transition to the Y profile in :child2:
  • Tc will transition to the Y profile in :child2:

??? Eg. A transition of

 px /** -> /bin/foo,

is relative to the current namespace.

While a transition of

 px /** -> :foo:/bin/foo,

is relative to the current view.