mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 00:14:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
Page: Policy_Layout
Pages
2.12.4_Signatures 2.13.10_Signatures 2.13.11_Signatures 2.13.3_signature 2.13.4_signature 2.13.7_Signatures 2.13.8_Signatures 2.13.9_Signatures 3.0.10_Signatures 3.0.11_Signatures 3.0.12_Signatures 3.0.13_Signatures 3.0.8_Signatures 3.0.9_Signatures 3.1.1_Signatures 3.1.2_Signatures 3.1.3_Signatures 3.1.4_Signatures 3.1.5_Signatures 3.1.6_Signatures 3.1.7_Signatures 4.0.0 alpha2_Signatures 4.0.0 alpha3_Signatures 4.0.0 beta4_Signatures 4.0.1_Signatures 4.0.2_Signatures 4.0.3_Signatures 4.1.0 beta1_Signatures 4.1.0 beta4_Signatures About AbstractionsGuide AlternativeMethodsforSystemWideRestrictions AppArmor and Kubernetes AppArmor2FeatureABI AppArmorAPIs AppArmorAuditing AppArmorClassNumbers AppArmorDBus AppArmorDelegation AppArmorDynamicIncludes AppArmorFeatureABI AppArmorFeatureABIinteractions AppArmorGSettings AppArmorInSystemd AppArmorInterfaces AppArmorJournald AppArmorLabelsandTypes AppArmorLinuxNamespaces AppArmorLog AppArmorMLS AppArmorMonitoring AppArmorNamespaces AppArmorObjectDelegation AppArmorPolicy AppArmorPolicyScope AppArmorPolicyTOC AppArmorPolicyView AppArmorPortals AppArmorProfileSpec AppArmorProgramaticApplicationPolicy AppArmorRBAC AppArmorSandboxing AppArmorSnappyDesktop AppArmorStacking AppArmorSystemWideRestrictions AppArmorTrustedHelpers AppArmorUpdateGuidelines AppArmorUserDefinedPolicy AppArmorWine AppArmorXace AppArmor_Core_Policy_Reference AppArmor_Failures AppArmor_History AppArmor_Model AppArmor_Presentations AppArmor_versions AppArmor_versions_2.1 AppArmor_versions_2.10 AppArmor_versions_2.11 AppArmor_versions_2.12 AppArmor_versions_2.13 AppArmor_versions_2.3 AppArmor_versions_2.4 AppArmor_versions_2.5 AppArmor_versions_2.6 AppArmor_versions_2.7 AppArmor_versions_2.8 AppArmor_versions_2.9 AppArmor_versions_3.0 AppArmor_versions_3.1 AppArmor_versions_4.0 AppArmor_versions_4.1 AppArmorpolicyfeaturesDev AppArmorpolicyversioning Apparmor_parser Apparmorbinarypolicy Apparmorearlypolicy Apparmorinitrd Apparmorpolicycache Apparmorpolicymanagement Apparmorpolicymanagement2x Binary_Profile_Language Binary_profile_format BugTracking Coding Style CollaborativeProfileDevSpec CombiningStackingAndNamespaces CommitPolicy CompilerImprovements Complain Mode Confining_all_tasks Controlling_Profile_State CreatingPolicy DeprecateProfilePathName DevelopmentRoadmap Distro_CentOS Distro_debian Distro_suse Distro_ubuntu Documentation EnvironmentVariables ExampleProfiles Extended_profiling_example FAQ Firejail FullSystemPolicy GettingStarted Gittutorial IRC_meeting_2010 IRC_meeting_2011 IRC_meeting_2012 09 25 IRC_meeting_2012 11 06 IRC_meeting_2012 12 04 IRC_meeting_2012 IRC_meeting_2013 01 08 IRC_meeting_2013 02 05 IRC_meeting_2013 03 01 IRC_meeting_2013 05 14 IRC_meeting_2013 06 11 IRC_meeting_2013 07 09 IRC_meeting_2013 08 13 IRC_meeting_2013 10 08 IRC_meeting_2013 11 13 IRC_meeting_2013 IRC_meeting_2014 02 24 IRC_meeting_2014 06 10 IRC_meeting_2014 07 08 IRC_meeting_2014 09 09 IRC_meeting_2014 10 14 IRC_meeting_2014 11 05 IRC_meeting_2014 12 09 IRC_meeting_2014 IRC_meeting_2015 02 10 IRC_meeting_2015 03 10 IRC_meeting_2015 04 14 IRC_meeting_2015 05 12 IRC_meeting_2015 06 09 IRC_meeting_2015 07 14 IRC_meeting_2015 11 17 IRC_meeting_2015 IRC_meeting_2016 01 19 IRC_meeting_2016 09 13 IRC_meeting_2016 IRC_meeting_2017 10 10 IRC_meeting_2017 11 25 IRC_meeting_2017 12 13 IRC_meeting_2017 IRC_meeting_2018 01 16 IRC_meeting_2018 02 15 IRC_meeting_2018 12 11 IRC_meeting_2018 IRC_meeting_2019 04 09 IRC_meeting_2019 06 13 IRC_meeting_2019 10 08 IRC_meeting_2019 IRC_meeting_2020 01 14 IRC_meeting_2020 02 11 IRC_meeting_2020 02 12 IRC_meeting_2020 03 10 IRC_meeting_2020 04 10 IRC_meeting_2020 04 28 IRC_meeting_2020 06 09 IRC_meeting_2020 09 08 IRC_meeting_2020 10 13 IRC_meeting_2020 IRC_meeting_2021 07 13 IRC_meeting_2021 11 09 IRC_meeting_2021 12 14 IRC_meeting_2022 02 08 IRC_meeting_2022 08 09 IRC_meeting_2022 10 11 IRC_meeting_2022 11 08 IRC_meeting_2022 12 13 IRC_meeting_2022 4 12 IRC_meeting_2022 7 12 IRC_meeting_2023 02 14 IRC_meeting_2023 06 13 IRC_meeting_2023 08 08 IRC_meeting_2023 09 12 IRC_meeting_2023 10 10 IRC_meeting_2024 01 09 IRC_meeting_2024 04 09 IRC_meeting_2024 06 11 IRC_meeting_2024 08 13 IRC_meeting_2024 09 10 IRC_meeting_2024 10 08 IRC_meeting_2024 11 12 IRC_meeting_2025 01 14 IRC_meeting_2025 02 18 Integrating Test plan Kernel_Feature_Matrix Kernel_interfaces Launchpadtutorial Libvirt ManPages MeetingAgenda Mod_apparmor Mod_apparmor_example Multi Category Security (MCS) Pam_apparmor Pam_apparmor_example PerformanceImprovements Policy_Layout ProfileLanguage Profile_repo Profile_variants Profiles Profiling_by_hand Profiling_with_tools QuickProfileLanguage RBAC_2_0 RBAC_2_1 RBAC_2_3 RBAC_2_5 README Raising_Task_Capabilities ReleaseProcess Release_Notes_2.10.1 Release_Notes_2.10.2 Release_Notes_2.10.3 Release_Notes_2.10.4 Release_Notes_2.10.5 Release_Notes_2.10.6 Release_Notes_2.10 Release_Notes_2.11.1 Release_Notes_2.11.2 Release_Notes_2.11.3 Release_Notes_2.11.4 Release_Notes_2.11 Release_Notes_2.12.0 Release_Notes_2.12.1 Release_Notes_2.12.2 Release_Notes_2.12.3 Release_Notes_2.12.4 Release_Notes_2.12 Release_Notes_2.13.1 Release_Notes_2.13.10 Release_Notes_2.13.11 Release_Notes_2.13.2 Release_Notes_2.13.3 Release_Notes_2.13.4 Release_Notes_2.13.5 Release_Notes_2.13.6 Release_Notes_2.13.7 Release_Notes_2.13.8 Release_Notes_2.13.9 Release_Notes_2.13 Release_Notes_2.14 Release_Notes_2.4 Release_Notes_2.5.1 Release_Notes_2.5.2 Release_Notes_2.5 Release_Notes_2.6.0 Release_Notes_2.6.1 Release_Notes_2.7.1 Release_Notes_2.7.2 Release_Notes_2.7 Release_Notes_2.8.1 Release_Notes_2.8.2 Release_Notes_2.8.3 Release_Notes_2.8.4 Release_Notes_2.8.5 Release_Notes_2.8 Release_Notes_2.9.0 Release_Notes_2.9.1 Release_Notes_2.9.2 Release_Notes_2.9.3 Release_Notes_2.9.4 Release_Notes_2.9.5 Release_Notes_3.0.1 Release_Notes_3.0.10 Release_Notes_3.0.11 Release_Notes_3.0.12 Release_Notes_3.0.13 Release_Notes_3.0.2 Release_Notes_3.0.3 Release_Notes_3.0.4 Release_Notes_3.0.5 Release_Notes_3.0.6 Release_Notes_3.0.7 Release_Notes_3.0.8 Release_Notes_3.0.9 Release_Notes_3.0 Release_Notes_3.1.1 Release_Notes_3.1.2 Release_Notes_3.1.3 Release_Notes_3.1.4 Release_Notes_3.1.5 Release_Notes_3.1.6 Release_Notes_3.1.7 Release_Notes_3.1 Release_Notes_4.0 alpha1 Release_Notes_4.0 alpha2 Release_Notes_4.0 alpha3 Release_Notes_4.0 alpha4 Release_Notes_4.0 beta1 Release_Notes_4.0 beta2 Release_Notes_4.0 beta3 Release_Notes_4.0 beta4 Release_Notes_4.0.1 Release_Notes_4.0.2 Release_Notes_4.0.3 Release_Notes_4.0.4 Release_Notes_4.1 beta1 Release_Notes_4.1 beta2 Release_Notes_4.1 beta3 Release_Notes_4.1 beta4 Release_Notes_4.1 beta5 Release_Notes_4.1 beta6 Release_Notes_4.1.0 beta1 Release_Notes_5.0 Revising_and_fine_tuning_policy_and_abstractions Sandstorm StackingConfiningUsers TechnicalDoc TechnicalDoc_DBusRuleEncoding TechnicalDoc_DFA TechnicalDoc_FileRuleEncoding TechnicalDoc_HFA TechnicalDoc_HFA_Layout TechnicalDoc_HFA_permissions TechnicalDoc_Kernel TechnicalDoc_MountRuleEncoding TechnicalDoc_Mount_Flags TechnicalDoc_NetworkRuleEncoding TechnicalDoc_PolicyDB TechnicalDoc_Policy_Layout TechnicalDoc_Proc_and_ptrace TechnicalDoc_RulePathEncoding TechnicalDoc_XWindowsRuleEncoding Translations Unconfined, the unconfined flag and default allow Userconditional Users in AppArmor Userspace_Feature_Matrix Versioning WorkItems _sidebar aparmor_policy_development_guide apparmor 5 config layout spec apparmor_compiler_development_guide apparmor_kernel_development_guide apparmor_kernel_development_guide_notifications apparmor_library_development_guide apparmor_profile_tools_guide apparmordynamicpolicy apparmorpolicyfeaturesABI apparmorversioning bubblewrap clearcontainers containers docker flatpak gVisor home how to setup a policy namespace for containers io_uring rules kata containers kubernetes manpage_aa audit.8 manpage_aa autodep.8 manpage_aa cleanprof.8 manpage_aa complain.8 manpage_aa decode.8 manpage_aa disable.8 manpage_aa easyprof.8 manpage_aa enabled.1 manpage_aa enforce.8 manpage_aa exec.1 manpage_aa features abi.1 manpage_aa genprof.8 manpage_aa logprof.8 manpage_aa mergeprof.8 manpage_aa notify.8 manpage_aa remove unknown.8 manpage_aa status.8 manpage_aa teardown.8 manpage_aa unconfined.8 manpage_aa_change_hat.2 manpage_aa_change_profile.2 manpage_aa_features.3 manpage_aa_find_mountpoint.2 manpage_aa_getcon.2 manpage_aa_kernel_interface.3 manpage_aa_policy_cache.3 manpage_aa_query_label.2 manpage_aa_splitcon.3 manpage_aa_stack_profile.2 manpage_apparmor.7 manpage_apparmor.d.5 manpage_apparmor_parser.8 manpage_apparmor_parser manpage_apparmor_xattrs.7 manpage_logprof.conf.5 manpage_mod_apparmor.8 mqueue rules nabla containers no_new_privs profileflags prompt v3 interface rule operations rule prefixes and modes runV runc sanitized_helper security@apparmor template reply unprivileged_unconfined_restriction unprivileged_userns_restriction wip conditional policy
2 Policy_Layout
Steve Beattie edited this page 2017-11-03 22:32:48 -07:00
Table of Contents

Standardized AppArmor Policy

This documents the standardized AppArmor policy layout, and is what is expected by the AppArmor tools. The enforcement of AppArmor policy does not depend on this layout and it can be modified by setting config file options or even completely replaced if the tools are modified/replaced.

Tool settings

Configuration settings for the AppArmor tools are stored in two locations:

  • Global and system settings are stored in /etc/apparmor/
  • User settings are stored in ${HOME}/.apparmor/

Policy Layout

System policy is stored in the /etc/apparmor.d/ directory and, when implemented user policy will be stored in ${HOME}/.apparmor.d/ (${APPARMOR.D} is used to refer to both of these directories). The ${APPARMOR.D} directory contains a set of directories and profile files. All files within the directory are treated as profiles unless they match any of the following patterns in which case the files are ignored.

  • *~
  • *.bak
  • *.rpm*
  • *.dpkg-{bak,dist,new,old}

Within ${APPARMOR.D} the following directories have special meaning:

  • ${APPARMOR.D}/abstractions/
  • ${APPARMOR.D}/apache2.d/
  • ${APPARMOR.D}/cache/- precompiled binary policy files
  • ${APPARMOR.D}/disable/- symlinks to profiles to disable
  • ${APPARMOR.D}/force-complain/- symlinks to profiles to set to complain mode
  • ${APPARMOR.D}/libvirt/
  • ${APPARMOR.D}/local/
  • ${APPARMOR.D}/namespaces/
  • ${APPARMOR.D}/pam/
  • ${APPARMOR.D}/tunables/

Your system may have some or all of the above directories, depending on your OS vendor and version.

${APPARMOR.D}/abstractions/

This directory contains files and directories of common profile 'chunks' that can be included by profiles files. These files can be thought of as libraries of access rules. Abstraction files may include other abstractions (when appropriate -- doing too often can make profile auditing less clear). By convention, sub-directories are used to group abstractions that are logically related.

AppArmor integrators can provide their own set of abstractions and changes in a subdirectory. For example, Ubuntu uses abstractions/ubuntu-browsers.d/ to contain abstractions for profiling web browsers in Ubuntu.

${APPARMOR.D}/apache2.d/ - DRAFT

Optional directory containing mod_apparmor hat profiles for Apache. See mod_apparmor_example for more information.

${APPARMOR.D}/cache/

This directory contains a file for each file in the profiles directory that has been precompiled and cached. The file name matches that of the profile file that it is caching. A file with the same name prefixed with '.' will contain the list of files used to build the cached binary and can be used to verify that the cache files are valid. Eg:

 ${APPARMOR.D}/usr.bin.evince                # profile file
 ${APPARMOR.D}/cache/usr.bin.evince          # binary cache of usr.bin.evince profile
 ${APPARMOR.D}/cache/.usr.bin.evince         # list of files (one per line) used to create ${APPARMOR.D}/cache/usr.bin.evince

There is a special .features file which contains information about the kernel features when the cached binary policy was built. This allows for invalidating the cache when it doesn't match what is supported by the current kernel.

${APPARMOR.D}/disable/

This directory may contain symlinks to profile files in the ${APPARMOR.D} directory. Profiles with symlinks in this directory are ignored by the initscripts.

${APPARMOR.D}/force-complain/

This directory may contains symlink to profile files in the ${APPARMOR.D} directory. Profiles with symlinks in this directory are loaded in complain mode by the initscripts.

${APPARMOR.D}/libvirt/

Systems using an AppArmor-enabled libvirt will also have the ${APPARMOR.D}/libvirt/ directory. This directory contains dynamically generated profiles for individual virtual machines. The dynamic profiles are template-based with names based on the UUID of the domain XML of the virtual machine. Please see the libvirt documentation for more information.

${APPARMOR.D}/local/

This directory is intended to contain profile additions and overrides to distributed profiles to aid in packaging AppArmor for distributions. The main profiles in ${APPARMOR.D} can still be modified by an administrator and people should modify the main profile when making large policy changes, rather than trying to make those adjustments in the local include.

For simple access additions or the occasional deny override, adjusting them here can prevent the package manager of the distribution from interfering with local modifications. For example, if the main ${APPARMOR.D}/usr.sbin.smbd profile has:

 #include <local/usr.sbin.smbd>

then an administrator can adjust ${APPARMOR.D}/local/usr.sbin.smbd to contain any additional paths to be allowed, such as:

 /var/exports/** lrw,

Keep in mind that 'deny' rules are evaluated after allow rules, so you won't be able to allow access to files that are explicitly denied by the shipped profile using this mechanism. In most cases, the main profile should be adjusted when you want to deny specific accesses to avoid confusing and inflated policy.

${APPARMOR.D}/namespaces/

This directory contains the policy for sub-namespaces. Sub-namespace policy may be defined in other places as well, such as in the ${APPARMOR.D} directory in a chroot. The layout of the sub-namespaces directory is the common set of directories described here, one per namespace being defined with the name of the directory being the name of the namespace.

Because the layout of the namespace directory is the same as that of ${APPARMOR.D}, sub-namespaces can have their own sub-namespace. The abstractions and other directories can be unique to the namespace or they can be shared with profile directories by using symlinks. Eg:

 /etc/apparmor.d/namespaces/foo/
 /etc/apparmor.d/namespaces/foo/abstractions
 /etc/apparmor.d/namespaces/foo/usr.bin.evince
 /etc/apparmor.d/namespaces/bar/
 /etc/apparmor.d/namespaces/bar/abstractions
 /etc/apparmor.d/namespaces/bar/usr.bin.evince
 ...

NOTE: users can not currently define their own namespaces.

${APPARMOR.D}/pam/ - DRAFT

Optional directory containing pam_apparmor profile mappings and/or includes. See Pam_apparmor_example for more information.

${APPARMOR.D}/tunables/

The tunables directory contains variable and alias definitions files that can be included as part of the preamble of profile files. Depending on your OS and installed profile set, this directory might contain:

  • alias - used to define AppArmor aliases
  • global - used to include other tunables files, such as alias, home, and proc
  • home - used to define the @{HOME} and @{HOMEDIRS} variables
  • home.d/ - directory containing files used to define additional values for the @{HOMEDIRS} variable
  • ntpd - used to define the @{NTPD_DEVICE} variable
  • proc - used to define the @{PROC} variable

Profile file naming conventions

The profile name used by AppArmor is defined by the executable being confined, not the name of the file containing policy. The profile files within ${APPARMOR.D} can be arbitrarily named, but the file name should relate in some meaningful way to the profile that it contains.

By convention, AppArmor uses a few different naming conventions depending on the type of profiles that are contained. The AppArmor tools will use these conventions when generating profiles, but will respect any file names that are manually specified.

If a file contains profiles that do not specify attachment (ie does not start with a / character), then the file name should begin with profile_, role_, or some other prefix that helps describes the profiles purpose. Eg:

 ${APPARMOR.D}/profile_example1
 ${APPARMOR.D}/role_log_admin
 ${APPARMOR.D}/pam_roles

If a file contains a profile that specifies attachment (ie starts with a / character), then the file is named after the profile it contains with the / characters changed to . and with the leading . omitted. Eg. a profile confining /usr/sbin/smbd will have its policy saved in

 ${APPARMOR.D}/usr.sbin.smbd

If a file contains any of the following:

  • multiple profiles
  • a profile with multiple names
  • uses globbing to specify attachment
  • specifies hats
  • uses child profiles

then the profile file should be named after single name that bests describes the intent of the profile(s). Eg. The Ubuntu firefox profile uses both globbing (/usr/lib/firefox-3.6.13/firefox-*bin) and contains multiple child profiles for Java. While the profile actually confines /usr/lib/firefox-3.6.13/firefox-*bin, ${APPARMOR.D}/usr.bin.firefox is used as the file name since this is the way most people will launch the application.

It is acceptable to use the basename of the executable base name as a file name if:

  • there will only be one instance of the executable, or
  • all instances will be defined in the file, or
  • it is the primary instance, with secondary instances being named using the dot convention described above

For example, for the firefox example above, it would be acceptable to have the profile file name be ${APPARMOR.D}/firefox

The tools will not generate profiles with these shortened names because they do not have the required knowledge to verify the above conditions, but they will respect any file name the administrator chooses to use.