[apparmor] [PATCH 0/4] Add aa-easyprof command line utility
Cliffe
cliffe at ii.net
Tue Feb 7 17:17:47 UTC 2012
I am a proponent of the idea of policy templates. Please feel free to
look through the FBAC-LSM policy abstractions for template ideas.
FBAC-LSM (an experimental LSM and policy tools) does some simple
analysis of the application to confine, then recommends abstractions and
adapts them to the application. Note that FBAC-LSM has an export to
AppArmor profile feature that will work better once AppArmor has profile
stacking.
http://schreuders.org/FBAC-LSM
Cheers,
Cliffe.
On 07/02/12 14:50, Jamie Strandboge wrote:
> This patchset is to accomplish the code portion of the
> security-p-app-isolation blueprint. aa-easyprof is a standalone CLI
> application which can also be imported into developer SDKs. From the man
> page:
>
> "aa-easyprof provides an easy to use interface for AppArmor policy
> generation. aa-easyprof supports the use of templates and policy groups
> to quickly profile an application. Please note that while this tool can
> help with policy generation, its utility is dependent on the quality of
> the templates, policy groups and abstractions used. Also, this tool may
> create policy which is less restricted than creating policy by hand or
> with aa-genprof and aa-logprof."
>
> In essence, aa-easyprof takes a different view on policy generation and
> is useful when you already know how the application should behave and
> want to create an initial policy based on this. As such, one can create
> a template and any supporting policy groups (policy groups are similar
> to abstractions or the old-style program-chunks in that they are simply
> groupings of policy rules) then use aa-easyprof to generate a policy.
> The CLI tool dumps the resulting policy to stdout and requires no
> privileges.
>
> This patchset is broken into 4 parts:
> * 0001-aa-easyprof.patch: the application, library, documentation and
> installation script
> * 0002-aa-easyprof-policy.patch: the initial templates and policy
> groups. This will undoubtedly need refinement as we get feedback from
> users. Initial policy is based on Ubuntu's Application Review Board
> (ARB) requirements[2].
> * 0003-aa-easyprof-unittests.patch: tests for the library
> * 0004-aa-easyprof-makefile.patch: Makefile integration
>
> Templates are stored in /usr/share/apparmor/easyprof/templates and
> policy groups in /usr/share/apparmor/easyprof/policygroups. This can be
> adjusted via /etc/apparmor/easyprof.conf.
>
> The aa-easyprof.pod has complete documentation on usage with some
> additional information in utils/easyprof/README (mostly duplicated
> here).
>
> Example usage to achieve something approaching the ARB requirements[2]
> is:
> $ aa-easyprof --template=user-application \
> --template-var="@{APPNAME}=foo" \
> --policy-groups=opt-application,user-application \
> /opt/foo/bin/foo
>
> Testing can be performed in a number of ways:
> $ cd utils ; make check # runs unit tests and pyflakes
>
> Unit tests manually:
> $ ./test/test-aa-easyprof.py
>
> In source manual testing:
> $ ./aa-easyprof --templates-dir=./easyprof/templates \
> --policy-groups-dir=./easyprof/policygroups \
> ... \
> /opt/foo/bin/foo
>
> Post-install manual testing:
> $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install
> $ cd /tmp/test
> $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \
> --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \
> --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \
> /opt/bin/foo
>
> (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid
> specifying --templates-dir and --policy-groups-dir).
>
>
> [1]https://blueprints.launchpad.net/ubuntu/+spec/security-p-app-isolation
> [2]http://developer.ubuntu.com/publish/my-apps-packages/
>
>
>
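The generation workflow Jamie describes above (a template plus named policy groups, with @{APPNAME} supplied on the command line, dumped to stdout) is modelled below as an added, self-contained example. It is not aa-easyprof's code and does not reproduce its real template format: the ###PROFILEATTACH### and ###POLICYGROUPS### markers, the policy group contents and the audit patterns are assumptions constructed for this illustration. It also adds the check a reviewer would want given the man page's caveat that generated policy may be less restrictive than hand-written policy: a pass over the output that flags write access under a root-level wildcard and any capability grant.

```python
"""Added example: a small model of template + policy-group profile generation.

Not aa-easyprof's code.  The template marker names, the policy group rules and
the audit patterns are constructed for this illustration.  @{APPNAME} is the
variable passed with --template-var in the announcement.
"""
import re

# Constructed template.  ###PROFILEATTACH### and ###POLICYGROUPS### are
# hypothetical markers for this example, not a claim about easyprof's format.
SAMPLE_TEMPLATE = """\
# AppArmor policy for @{APPNAME}
#include <tunables/global>

###PROFILEATTACH### {
  #include <abstractions/base>

###POLICYGROUPS###
}
"""

# Constructed policy groups, keyed by the names used on the command line in
# the announcement.  Rule text is illustrative only.
SAMPLE_POLICY_GROUPS = {
    "opt-application": [
        "# read-only access to the application's install tree",
        "/opt/@{APPNAME}/** r,",
        "/opt/@{APPNAME}/bin/* ix,",
    ],
    "user-application": [
        "# application-private data under the user's home directory",
        "owner @{HOME}/.local/share/@{APPNAME}/ rw,",
        "owner @{HOME}/.local/share/@{APPNAME}/** rwk,",
    ],
}

VAR_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}")


def substitute(text, variables):
    """Expand @{NAME} from a --template-var style mapping.  Names not in the
    mapping (e.g. @{HOME}) are kept verbatim so the AppArmor parser can
    resolve them from tunables at load time."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)


def generate(binary, template, policy_groups, group_names, variables):
    """Attach the profile to `binary`, splice the named policy groups into the
    template, then expand template variables.  Unknown group names are an
    error rather than silently producing an emptier (or broader) profile."""
    unknown = [g for g in group_names if g not in policy_groups]
    if unknown:
        raise ValueError("unknown policy group(s): %s" % ", ".join(unknown))
    body = []
    for name in group_names:
        body.append("  # policy group: %s" % name)
        body.extend("  " + line for line in policy_groups[name])
        body.append("")
    text = template.replace("###PROFILEATTACH###", binary)
    text = text.replace("###POLICYGROUPS###", "\n".join(body).rstrip())
    return substitute(text, variables)


# Rules a reviewer should not accept from a generator without a deliberate
# decision: write permission on "/" or "/**" (optionally owner-qualified),
# and any capability grant.  Hypothetical heuristics, not easyprof behaviour.
BROAD_RE = re.compile(r"^\s*(owner\s+)?/(\*\*)?\s+[a-z]*w")
CAP_RE = re.compile(r"^\s*capability\b")


def audit(profile_text):
    """Return (line number, rule) pairs of a generated profile that deserve a
    manual look before the profile is loaded."""
    flagged = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        if BROAD_RE.match(line) or CAP_RE.match(line):
            flagged.append((lineno, line.strip()))
    return flagged


if __name__ == "__main__":
    # Mirrors the announcement's invocation for /opt/foo/bin/foo.
    profile = generate(
        "/opt/foo/bin/foo", SAMPLE_TEMPLATE, SAMPLE_POLICY_GROUPS,
        ["opt-application", "user-application"], {"APPNAME": "foo"})
    print(profile)
    for lineno, rule in audit(profile):
        print("WARNING line %d: %s" % (lineno, rule))
```

Running the script prints the assembled profile and no warnings; feeding a policy group that contains, say, `/** rw,` or `capability sys_admin,` produces a warning line for each, which is the point at which a hand-written rule or aa-logprof should replace the template output.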