[apparmor] Questions about RBAC and profile load-time of AppArmor

fykcee1 at gmail.com fykcee1 at gmail.com
Tue Dec 7 01:51:17 GMT 2010


2010/12/7 John Johansen <john.johansen at canonical.com>
>
> >     * If the confined session launches a process without a corresponding
> profile, will this process be confined?
> No, (maybe?)  Basically if a process is launched unconfined then it will
> remain unconfined, even if a profile that
> would confine it is loaded.
>
> There is currently no way to force confinement on an unconfined running
> process, however that process can use
> the change_profile api to confine itself and then it and its children
> launched after taking on the confinement
> will have profiles attached.
>
If a user logs in and then runs a program from the login shell (e.g. /bin/bash),
how is this program confined if no profile is attached to it? E.g.:

   - The program will not run, because this is not described in the login
   shell's profile.
   - Or profile stacking? (mentioned at
   https://apparmor.wiki.kernel.org/index.php/AppArmorRBAC), what is it in
   detail? Is it available (shipped with linux-2.6.36, and are the userland tools
   ready)?


>     * Does a role transition require a  logout and login to another
> account?
> If the user is unconfined, it does require the user to log out before
> confinement will take effect.
>
> Logging into another account is entirely dependent on how the roles are
> set up, but is certainly not necessary.
>
How do I express that a user has role A, role B, etc.? A user changes his/her role
to C, but role C may not be allowed for this user. How can the role
transition be confined?



> >
> >
> > Also, does AppArmor support "on daemon profile load"? i.e. Load a profile
> just before the related program gets executed automatically, and then unload the
> profile when program terminates -- saving some memory footprint.
> >
> Not yet and yes.  AppArmor supports incremental profile load, ie. new
> profiles can be loaded at anytime, as
> long as they are loaded before an application is run they will attach
> properly.
>
> If the program is a service managed by the startup service (upstart,
> systemd) it would be possible to set up
> those to load the profile before the service is started.
>
> There are plans to add an interface that would allow a daemon profile load
> triggered by apparmor itself.
> This would greatly enhance the current learning tools' ability.
>
Say I implement sandboxed execution for each application with AppArmor; I need
profiles for each application. There may be many applications installed, and
loading all profiles will take a long time/occupy a lot of memory, so I expect
a profile load when an application gets executed, and a profile unload on
termination. Does AppArmor support a profile-unload feature?



--
Regards,

- cee1
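
The load-before-start ordering discussed in this thread, as an added example that is not part of the original message or of AppArmor's own tooling: a wrapper that loads a profile with `apparmor_parser -r`, runs the program, and removes the profile with `apparmor_parser -R` afterwards. The function name, the `APPARMOR_PARSER` override, the exit codes and the paths in the usage line are assumptions of this example.

```shell
#!/bin/sh
# Added example: load a profile right before exec, remove it after exit.
# Needs root on a real system. APPARMOR_PARSER is this example's own
# override hook (not an AppArmor setting); exit codes 66/70 are arbitrary.

run_confined() {
    profile=$1
    shift
    parser=${APPARMOR_PARSER:-apparmor_parser}

    if [ ! -r "$profile" ]; then
        echo "profile not readable: $profile" >&2
        return 66
    fi

    # -r (--replace): load the profile, replacing any loaded copy.
    # A process started before its profile is loaded stays unconfined,
    # so a failed load must stop the launch instead of falling through.
    if ! "$parser" -r "$profile"; then
        echo "profile load failed, not starting: $*" >&2
        return 70
    fi

    prog_status=0
    "$@" || prog_status=$?

    # -R (--remove): unload the profile once the program has exited.
    "$parser" -R "$profile" || echo "warning: could not remove $profile" >&2
    return "$prog_status"
}

# Usage (hypothetical paths):
#   sh run_confined.sh /etc/apparmor.d/usr.bin.example /usr/bin/example
if [ "$#" -gt 0 ]; then
    run_confined "$@"
fi
```

The wrapper does not coordinate several simultaneous instances that share one profile; it removes the profile as soon as its own child exits.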