[apparmor] apparmor.vim - profile format changes since 2.3?
John Johansen
john.johansen at canonical.com
Tue Feb 1 00:02:12 UTC 2011
>>> ^foobar, # external hat
>
> You didn't answer that one ;-) - apparmor_parser doesn't like it...
>
hrmm, this seems to have been dropped when some of the hat rule
changes were reverted post 2.3 release to fix some problems that we
had with policies that had large numbers of hats.
This could be added back in, but is essentially a nop now, and since
I don't think anyone is using it (they would have to be on a non-
updated 2.3) I think we will just drop it.
>>> Is there something wrong in my (hand-written) example profile or is
>>> this a parser bug?
>>
>> hrmmm I am wondering if your examples came from the early prototype
>> for rlimit. That version was slightly different,
>
> Obviously yes ;-)
> (and thanks for all the details!)
>
>> There are a couple things I would like to fix with the rlimits
>> implementation. I would like to make it possible to specify that an
>> rlimit can't be changed, and in those cases a value should be
>> optional.
>
> That would basically mean that a process won't be allowed to lower its
> rlimits (raising can already be blocked by tight rlimit rules).
> Am I the only one who doesn't see a reason why this would be useful? ;-)
>
Hrmmm, yes well I described that one poorly. Basically I meant that I would
like to be able to use the current task value as the upper limit
instead of a manually specified value.
This has some use in locking down root processes, but its utility is
limited so it's rather low on the priority queue.
>>>>> - network
>>>>
>>>> owner isn't currently supported but will be
>>>
>>> I'm slightly surprised - how can a network connection have an
>>> owner?
>>
>> It may seem a little odd but it can make sense when sockets get
>> passed. Generally the "owner" of the socket is determined by who
>> created the socket.
>>
>> I don't see this being all that useful but it seems like more work to
>> disable this ability than allow access to it (sockets inherit it from
>> the common mediation code with files).
>
> OK, good reason *g*
>
> Please send me a note once "owner" is supported so that I can update
> apparmor.vim.
>
> The latest apparmor.vim is attached.
thanks Christian
> I'll also submit it to Factory to match the RC1 deadline.
>
when is the RC1 deadline?
> Changelog:
> - audit/deny support for capability, network, link
> - dropped set capability (removed in AppArmor 2.5)
> - rlimit: fixed to match correct syntax
> - fixed order of audit deny owner
> - flags= is now optional
> - fixed highlighting for #include (was marked as comment)
>
>
> Regards,
>
> Christian Boltz
>
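As an added illustration that is not part of the thread or of apparmor.vim: a constructed profile fragment using the rule forms the changelog above names (audit/deny on capability, network and link, the audit deny owner ordering, the rlimit syntax, and a profile with no flags=), written in AppArmor 2.5 syntax. The program path, file paths and limit values are assumed for the example.

```apparmor
# Constructed example profile; flags= is optional, so none is given here.
/usr/bin/example {
  #include <abstractions/base>

  # Qualifier order is: audit, deny, owner, then the rule itself.
  audit deny owner /home/*/.ssh/** rw,
  owner /home/*/example.conf r,

  # Capability and network rules take the same audit/deny qualifiers.
  audit deny capability sys_admin,
  deny capability sys_module,
  audit deny network inet raw,
  network inet stream,

  # Link rules can be audited and denied as well.
  audit deny link /tmp/** -> /etc/**,

  # rlimit rules only bound the value; they cannot raise a task's limit.
  set rlimit nofile <= 1024,
  set rlimit nproc <= 64,
}
```

Run `apparmor_parser -Q` on a fragment like this to check that the parser accepts the rule ordering without loading it.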