mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 00:14:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
Page: TechnicalDoc_HFA_permissions
Pages
2.12.4_Signatures 2.13.10_Signatures 2.13.11_Signatures 2.13.3_signature 2.13.4_signature 2.13.7_Signatures 2.13.8_Signatures 2.13.9_Signatures 3.0.10_Signatures 3.0.11_Signatures 3.0.12_Signatures 3.0.13_Signatures 3.0.8_Signatures 3.0.9_Signatures 3.1.1_Signatures 3.1.2_Signatures 3.1.3_Signatures 3.1.4_Signatures 3.1.5_Signatures 3.1.6_Signatures 3.1.7_Signatures 4.0.0 alpha2_Signatures 4.0.0 alpha3_Signatures 4.0.0 beta4_Signatures 4.0.1_Signatures 4.0.2_Signatures 4.0.3_Signatures 4.1.0 beta1_Signatures 4.1.0 beta4_Signatures About AbstractionsGuide AlternativeMethodsforSystemWideRestrictions AppArmor and Kubernetes AppArmor2FeatureABI AppArmorAPIs AppArmorAuditing AppArmorClassNumbers AppArmorDBus AppArmorDelegation AppArmorDynamicIncludes AppArmorFeatureABI AppArmorFeatureABIinteractions AppArmorGSettings AppArmorInSystemd AppArmorInterfaces AppArmorJournald AppArmorLabelsandTypes AppArmorLinuxNamespaces AppArmorLog AppArmorMLS AppArmorMonitoring AppArmorNamespaces AppArmorObjectDelegation AppArmorPolicy AppArmorPolicyScope AppArmorPolicyTOC AppArmorPolicyView AppArmorPortals AppArmorProfileSpec AppArmorProgramaticApplicationPolicy AppArmorRBAC AppArmorSandboxing AppArmorSnappyDesktop AppArmorStacking AppArmorSystemWideRestrictions AppArmorTrustedHelpers AppArmorUpdateGuidelines AppArmorUserDefinedPolicy AppArmorWine AppArmorXace AppArmor_Core_Policy_Reference AppArmor_Failures AppArmor_History AppArmor_Model AppArmor_Presentations AppArmor_versions AppArmor_versions_2.1 AppArmor_versions_2.10 AppArmor_versions_2.11 AppArmor_versions_2.12 AppArmor_versions_2.13 AppArmor_versions_2.3 AppArmor_versions_2.4 AppArmor_versions_2.5 AppArmor_versions_2.6 AppArmor_versions_2.7 AppArmor_versions_2.8 AppArmor_versions_2.9 AppArmor_versions_3.0 AppArmor_versions_3.1 AppArmor_versions_4.0 AppArmor_versions_4.1 AppArmorpolicyfeaturesDev AppArmorpolicyversioning Apparmor_parser Apparmorbinarypolicy Apparmorearlypolicy Apparmorinitrd Apparmorpolicycache Apparmorpolicymanagement Apparmorpolicymanagement2x Binary_Profile_Language Binary_profile_format BugTracking Coding Style CollaborativeProfileDevSpec CombiningStackingAndNamespaces CommitPolicy CompilerImprovements Complain Mode Confining_all_tasks Controlling_Profile_State CreatingPolicy DeprecateProfilePathName DevelopmentRoadmap Distro_CentOS Distro_debian Distro_suse Distro_ubuntu Documentation EnvironmentVariables ExampleProfiles Extended_profiling_example FAQ Firejail FullSystemPolicy GettingStarted Gittutorial IRC_meeting_2010 IRC_meeting_2011 IRC_meeting_2012 09 25 IRC_meeting_2012 11 06 IRC_meeting_2012 12 04 IRC_meeting_2012 IRC_meeting_2013 01 08 IRC_meeting_2013 02 05 IRC_meeting_2013 03 01 IRC_meeting_2013 05 14 IRC_meeting_2013 06 11 IRC_meeting_2013 07 09 IRC_meeting_2013 08 13 IRC_meeting_2013 10 08 IRC_meeting_2013 11 13 IRC_meeting_2013 IRC_meeting_2014 02 24 IRC_meeting_2014 06 10 IRC_meeting_2014 07 08 IRC_meeting_2014 09 09 IRC_meeting_2014 10 14 IRC_meeting_2014 11 05 IRC_meeting_2014 12 09 IRC_meeting_2014 IRC_meeting_2015 02 10 IRC_meeting_2015 03 10 IRC_meeting_2015 04 14 IRC_meeting_2015 05 12 IRC_meeting_2015 06 09 IRC_meeting_2015 07 14 IRC_meeting_2015 11 17 IRC_meeting_2015 IRC_meeting_2016 01 19 IRC_meeting_2016 09 13 IRC_meeting_2016 IRC_meeting_2017 10 10 IRC_meeting_2017 11 25 IRC_meeting_2017 12 13 IRC_meeting_2017 IRC_meeting_2018 01 16 IRC_meeting_2018 02 15 IRC_meeting_2018 12 11 IRC_meeting_2018 IRC_meeting_2019 04 09 IRC_meeting_2019 06 13 IRC_meeting_2019 10 08 IRC_meeting_2019 IRC_meeting_2020 01 14 IRC_meeting_2020 02 11 IRC_meeting_2020 02 12 IRC_meeting_2020 03 10 IRC_meeting_2020 04 10 IRC_meeting_2020 04 28 IRC_meeting_2020 06 09 IRC_meeting_2020 09 08 IRC_meeting_2020 10 13 IRC_meeting_2020 IRC_meeting_2021 07 13 IRC_meeting_2021 11 09 IRC_meeting_2021 12 14 IRC_meeting_2022 02 08 IRC_meeting_2022 08 09 IRC_meeting_2022 10 11 IRC_meeting_2022 11 08 IRC_meeting_2022 12 13 IRC_meeting_2022 4 12 IRC_meeting_2022 7 12 IRC_meeting_2023 02 14 IRC_meeting_2023 06 13 IRC_meeting_2023 08 08 IRC_meeting_2023 09 12 IRC_meeting_2023 10 10 IRC_meeting_2024 01 09 IRC_meeting_2024 04 09 IRC_meeting_2024 06 11 IRC_meeting_2024 08 13 IRC_meeting_2024 09 10 IRC_meeting_2024 10 08 IRC_meeting_2024 11 12 IRC_meeting_2025 01 14 IRC_meeting_2025 02 18 Integrating Test plan Kernel_Feature_Matrix Kernel_interfaces Launchpadtutorial Libvirt ManPages MeetingAgenda Mod_apparmor Mod_apparmor_example Multi Category Security (MCS) Pam_apparmor Pam_apparmor_example PerformanceImprovements Policy_Layout ProfileLanguage Profile_repo Profile_variants Profiles Profiling_by_hand Profiling_with_tools QuickProfileLanguage RBAC_2_0 RBAC_2_1 RBAC_2_3 RBAC_2_5 README Raising_Task_Capabilities ReleaseProcess Release_Notes_2.10.1 Release_Notes_2.10.2 Release_Notes_2.10.3 Release_Notes_2.10.4 Release_Notes_2.10.5 Release_Notes_2.10.6 Release_Notes_2.10 Release_Notes_2.11.1 Release_Notes_2.11.2 Release_Notes_2.11.3 Release_Notes_2.11.4 Release_Notes_2.11 Release_Notes_2.12.0 Release_Notes_2.12.1 Release_Notes_2.12.2 Release_Notes_2.12.3 Release_Notes_2.12.4 Release_Notes_2.12 Release_Notes_2.13.1 Release_Notes_2.13.10 Release_Notes_2.13.11 Release_Notes_2.13.2 Release_Notes_2.13.3 Release_Notes_2.13.4 Release_Notes_2.13.5 Release_Notes_2.13.6 Release_Notes_2.13.7 Release_Notes_2.13.8 Release_Notes_2.13.9 Release_Notes_2.13 Release_Notes_2.14 Release_Notes_2.4 Release_Notes_2.5.1 Release_Notes_2.5.2 Release_Notes_2.5 Release_Notes_2.6.0 Release_Notes_2.6.1 Release_Notes_2.7.1 Release_Notes_2.7.2 Release_Notes_2.7 Release_Notes_2.8.1 Release_Notes_2.8.2 Release_Notes_2.8.3 Release_Notes_2.8.4 Release_Notes_2.8.5 Release_Notes_2.8 Release_Notes_2.9.0 Release_Notes_2.9.1 Release_Notes_2.9.2 Release_Notes_2.9.3 Release_Notes_2.9.4 Release_Notes_2.9.5 Release_Notes_3.0.1 Release_Notes_3.0.10 Release_Notes_3.0.11 Release_Notes_3.0.12 Release_Notes_3.0.13 Release_Notes_3.0.2 Release_Notes_3.0.3 Release_Notes_3.0.4 Release_Notes_3.0.5 Release_Notes_3.0.6 Release_Notes_3.0.7 Release_Notes_3.0.8 Release_Notes_3.0.9 Release_Notes_3.0 Release_Notes_3.1.1 Release_Notes_3.1.2 Release_Notes_3.1.3 Release_Notes_3.1.4 Release_Notes_3.1.5 Release_Notes_3.1.6 Release_Notes_3.1.7 Release_Notes_3.1 Release_Notes_4.0 alpha1 Release_Notes_4.0 alpha2 Release_Notes_4.0 alpha3 Release_Notes_4.0 alpha4 Release_Notes_4.0 beta1 Release_Notes_4.0 beta2 Release_Notes_4.0 beta3 Release_Notes_4.0 beta4 Release_Notes_4.0.1 Release_Notes_4.0.2 Release_Notes_4.0.3 Release_Notes_4.0.4 Release_Notes_4.1 beta1 Release_Notes_4.1 beta2 Release_Notes_4.1 beta3 Release_Notes_4.1 beta4 Release_Notes_4.1 beta5 Release_Notes_4.1 beta6 Release_Notes_4.1.0 beta1 Release_Notes_5.0 Revising_and_fine_tuning_policy_and_abstractions Sandstorm StackingConfiningUsers TechnicalDoc TechnicalDoc_DBusRuleEncoding TechnicalDoc_DFA TechnicalDoc_FileRuleEncoding TechnicalDoc_HFA TechnicalDoc_HFA_Layout TechnicalDoc_HFA_permissions TechnicalDoc_Kernel TechnicalDoc_MountRuleEncoding TechnicalDoc_Mount_Flags TechnicalDoc_NetworkRuleEncoding TechnicalDoc_PolicyDB TechnicalDoc_Policy_Layout TechnicalDoc_Proc_and_ptrace TechnicalDoc_RulePathEncoding TechnicalDoc_XWindowsRuleEncoding Translations Unconfined, the unconfined flag and default allow Userconditional Users in AppArmor Userspace_Feature_Matrix Versioning WorkItems _sidebar aparmor_policy_development_guide apparmor 5 config layout spec apparmor_compiler_development_guide apparmor_kernel_development_guide apparmor_kernel_development_guide_notifications apparmor_library_development_guide apparmor_profile_tools_guide apparmordynamicpolicy apparmorpolicyfeaturesABI apparmorversioning bubblewrap clearcontainers containers docker flatpak gVisor home how to setup a policy namespace for containers io_uring rules kata containers kubernetes manpage_aa audit.8 manpage_aa autodep.8 manpage_aa cleanprof.8 manpage_aa complain.8 manpage_aa decode.8 manpage_aa disable.8 manpage_aa easyprof.8 manpage_aa enabled.1 manpage_aa enforce.8 manpage_aa exec.1 manpage_aa features abi.1 manpage_aa genprof.8 manpage_aa logprof.8 manpage_aa mergeprof.8 manpage_aa notify.8 manpage_aa remove unknown.8 manpage_aa status.8 manpage_aa teardown.8 manpage_aa unconfined.8 manpage_aa_change_hat.2 manpage_aa_change_profile.2 manpage_aa_features.3 manpage_aa_find_mountpoint.2 manpage_aa_getcon.2 manpage_aa_kernel_interface.3 manpage_aa_policy_cache.3 manpage_aa_query_label.2 manpage_aa_splitcon.3 manpage_aa_stack_profile.2 manpage_apparmor.7 manpage_apparmor.d.5 manpage_apparmor_parser.8 manpage_apparmor_parser manpage_apparmor_xattrs.7 manpage_logprof.conf.5 manpage_mod_apparmor.8 mqueue rules nabla containers no_new_privs profileflags prompt v3 interface rule operations rule prefixes and modes runV runc sanitized_helper security@apparmor template reply unprivileged_unconfined_restriction unprivileged_userns_restriction wip conditional policy
1 TechnicalDoc_HFA_permissions
Steve Beattie edited this page 2017-11-10 14:04:56 -08:00
Table of Contents

Related Documents

Overview

The encoding of permissions in the DFA/HFA has evolved over time.

AppArmor 2.1 AppArmor 2.3 - 2.7

AppArmor 3.0

Reasons for the major permission rework

There are four basic reasons a permission layout was changed after AppArmor 2.7

Efficiency

The layout of AppArmor 2.1 - 2.7 permissions was inefficient wasting space, even for the limited set of permissions covered by AppArmor 2.7. Even though the full set of bits per entry where in use, if a state shared the same permission with another state the information was duplicated, 64bits per state. With a DFA/HFA with a size of 10,000 states typically having between 20 and 30 unique accept permissions, the result was less than efficient, and would be even less efficient if the accept information was widened.

 2.7 accept table size = 8*(states)
 3.0 accept table size = 2*(states) + (# unique perms) * (size of expanded permission block)

So assuming the accept block size was not expanded and encoded the same 64-bit permissions, and there where 30 unique permissions to encode.

 2.7 format = 8*10,000 = 80,000 bytes
 3.0 format = 2*10,000 + 30*8 = 20,240 bytes

And as the accept block is expanded the saving increase.

Future expansion

As documented in the AppArmor 2.7 layout all 64bits of the permission structure where in use, an expansion was needed to be able to add new abilities. The expansion could have just expanded the width of the accept table, but that would not have been as efficient or flexible.

Flexibility

The older accept format was to ridged to be able to efficiently represent, all the new abilities that where desired.

Speed

Reworking the layout provided for better cache efficiency, and no need to unpack and transform the entries to determine the final permissions.

The permission rework also affected the the internals of the DFA/HFA compilation engine. - rework to track information

  • lost at tree to dfa state

  • provide for full minimization - provide for per rule negation - provide for conditional tracking

AppArmor 2.1

AppArmor 2.1 used a single 32-bit accept table in DFA to store permission.

Layout

Compiler internals

AppArmor 2.3 - 2.7

File Permission Layout

AppArmor 2.3 introduced a second accept 32 bit accept table to the DFA making each accept state a total of 64 bits wide, and reworked the bit layout, breaking compatibility with AppArmor 2.1.

The permissions where packed into the accept states as follows

Bit 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Global Other Owner
Table 1 - perms mask cp onx x3 x2 x1 x0 i u pux m k/ls l a r w x x3 x2 x1 x0 i u pux m k/ls l a r w x
Table 2 - audit mask cp onx qm qk ql qa qr qw qx m k/ls l a r w x qm qk ql qa qr qw qx m k/ls l a r w x

The permissions stored in the owner mask are used if the objects uid == to the tasks fsuid, other wise the other mask is used.

Execute permissions is determined by x, with the transition type determined by a combination of pux, u, i, and x0-x3.

  • i - fall back to inherit current profile
  • u - unsafe exec, have glibc scrub environment variables
  • pux - unconfined flag used in combination with x0-x3 to create pux. Was added after original layout to extend pux support explaining duplication of unconfined flag
  • x0-x3 - index into transition table.
    • 0 - not defined (use i, u to determine transition)
    • 1 - unconfined (precludes px)
    • 2 - use executable name
    • 3 - use executable name, lookup child profile
    • 4-15 - index into named transition table, to find transition name. Note: named transition to children profiles where stored using compound name (ie parent//child), so they could share in a single global table entry.

cp - is the change_profile permission onx - change_profile on exec permission

the link pair permission overlaid on the k permission on the second pair.

ls - link subset permission, overlaps k permission, only happens in second match of chain (see link below) where k is not possible.

The audit and quiet table (Table2). The permissions stored in table 2 are used to determine if a permission is forced audited, or if for denied requests where the auditing is quieted. The upper 7 bits of the Owner and Other sets store the quiet masks, which get shifted by 7 bits when applied to mask the x through m permissions.

Link rules are encoded requiring sequential matching and permissions in two permission tables. First the link name is matched, and a permission lookup for the l permission bit is done against the matched state. A transition on the 0 byte from the current state is done and then the target name is matched, and a second permission look up for the l permission bit is done against the new match state. The link_subset permission (overlaps k in permission table) can also be looked up against the second match.

change profile rules use cp and onx permissions and are overlayed over top of file rule dfa entries. They are encoded in a multiphase lookup, with the change_profile permission bit being used to determine permission. First a check is done against the profile name for permission, if that doesn't succeed then a second lookup is done against the namespace name followed by a colon followed by a profile name.

Compiler internals

  • AppArmor 2.6 saw flattening of permissions at state creation time as part of internal optimizations to speed up the compiler.

AppArmor 3.0

Permission Layout

AppArmor 3.0 extends and reworks the dfa and permissions structures used in the AppArmor 2.x series. Unlike the AppArmor 2.x series a single dfa can be shared by more than one profile, with each profile having its own accept permissions for a give state. To accommodate this the permission structure is split off from the dfa. The dfa accept table now contains a single 16 or 32 bit index value (size dependent on dfa16, or dfa32 format).

If the accept index value has its high bit clear (15 or 31) then it is an index into a profiles permission table. If the accept index value has its high bit set then it is an index into a profiles conditional table. Each profile that references the dfa defines its own conditional and permission tables allow each profile to have a different set of permissions for any given state.

This split of the dfa and permissions was done to allow for dfa sharing and to provide greater performance as when a dfa is shared multiple profile matches can performed at once. It also allowed reducing the amount of memory dedicated to storing permission data, by allowing for duplicate elimination of permissions.

The split of the conditional information from the permissions structure was done to allow for a much broader range of conditions that could be easily extended in the future, and for better sharing of the extended permission structure.

The permission structure for AppArmor 3.0 is extended to support a much broader set of permissions, and information. Firstly as mention with the dfa accept table value, it has been split into a permission table and a conditional table. The conditional table contains entries that encode conditional expressions to obtain a permission (eg. the owner flag), the permission table contains the actual permissions that the profile will grant.

The permission table has been expanded to support a broader set of permissions, including file, network, ipc.

File Permission Entry

Network Permission Entry

Capability Permission Entry

????

Compiler internals

  • rework of permission handling to find unique permissions during DFA/HFA creation and to carry full permission information through out the DFA/HFA creation pipe line. Carry the full information through the entire pipeline reduced performance slightly but was offset by improvements brought by reducing comparison time by separating out the accept states into unique sets.

The AppArmor DFA/HFA uses multiple unique accept states to encode permissions, and related control information for any given match.

Why multiple distinct accept states

could encode in stream but

  • have to make multiple matches one for each permission
  • still have to store extra information for control that happens for the matched state (xtrans ..)

Encoding Conditional permissions

AppArmor encodes conditional information both in the DFA/HFA and in a separate conditional structure. The split is determined by how the permission request is done. Permission queries done with information external to the object (file path vs. inode) are done within the dfa while, permissions conditional on object properties are done in the conditional table.

Encoding within the DFA/HFA (parameter)

To encode conditionals within the DFA alternations and ordering are used.

Encoding in the (object)

When conditionals are encoded in stream

When conditionals are encoded out of band