[apparmor] File rule question

Steve Beattie steve at nxnw.org
Mon Mar 12 19:38:08 UTC 2012


On Mon, Mar 12, 2012 at 11:38:18AM -0700, John Johansen wrote:
> I can understand wanting the 'all' keyword but at the same time the
> current syntax does have a pattern to it that 'all' would break.
> 
> If we are to make such a change we would have to do it now, before 2.8
> releases, otherwise everything will be using such syntax.  As it is now
> we would have to have network rules support both, and we could work
> towards updating policy over the next few releases.
> 
> I am indifferent to which syntax to use, but there is already a cost to
> switching and I am not sure it is worth it.  And I think if it doesn't
> happen now it definitely won't be worth doing.

Yeah. I think it's somewhat late in the 2.8 release cycle to change
the language even more for a marginal gain in clarity, alas. I think
I will just need to live with it.

> >> instead of having to do
> >>
> >>   /** rwlkmix,
> >>
> >> the question is should this short cut provide all those permissions or should
> >> we separate out exec permissions.  It seems odd to me that saying you have
> >> access to all files means you also can exec anything even if it remains
> >> confined by the current profile.
> > 
> > As Seth pointed out, with the exception of setuid/setgid binaries,
> > it's not a significant extension over 'wm' in terms of abilities. So I
> > think this is okay.
> > 
> > I do wonder if Pix would be a more sane default.
> > 
> I wondered about that myself, and then thought that maybe it should just be
> separated out so we wouldn't have to figure that out.  Because depending on your
> situation they could both be sane defaults, and making one the default precludes
> the other because of x transition conflicts.

Hrm. We don't have a way of expressing something globally like "when
entering profile foo, transition to apparmor namespace bar". If we had
that, you could make the Pix version emulate the ix version by having a
forced transition to a namespace that contains no other profiles. But
that's a technical hack to get around the core issue.

>   eg.  If ix is the default and I want Pix as the default I can not do
>   file,
>   /** Pix,
> 
> As those will conflict, unless we add some extra sugar to let the compiler know that
> the file ix has a lower precedence.  That is doable but it strikes me as wrong.
> 
> Of course I have never really liked the mixing of exec and file rules.  And
> while I recognize that mr and ix are in many ways functionally equivalent, there
> are reasons that m was added instead of just using ix, so semantically they
> are a bit different.

It's true that exec rules are different from other kinds of file
accesses because in large part policy transitions (or lack thereof) are
derived from the exec rules. I think it's that conflation that's the
real issue, though I'm not sure how acknowledging that comes up with an
improved solution here.

I could see something gross like allowing an optional mode to the file
syntactic sugar rule that specifies the default type of x transition to
use in the rule; i.e. we could decide ix is the default, and then if you
want Pix or even some crazy cx rule, you'd write:

  file Pix,

or whatever. It's not all that semantically different from the mount
options case.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
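The conflict John describes (a bare `file,` rule expanding to `/** rwlkmix`, which then carries an ix transition that clashes with `/** Pix,` on the same path) can be caught with a small policy lint. The script below is an added example written for this thread, not part of the AppArmor parser or tools: it assumes the `/** rwlkmix` expansion quoted above, only recognises the plain path/permission rule forms, and compares literal path strings rather than overlapping globs, so it flags the exact case discussed but is not a general conflict checker.

```python
import re
from collections import defaultdict

# Exec transition as it appears inside a permission string: optional
# P/p/C/c/U/u prefix, optional 'i', then 'x' (e.g. "ix", "Pix", "cx").
EXEC_MODE = re.compile(r'([PCUpcu]?)(i?)x')

# Assumption from the thread: a bare "file," rule is sugar for "/** rwlkmix,".
BARE_FILE_EXPANSION = ("/**", "rwlkmix")


def split_perms(perms: str):
    """Split "rwlkmix" into ({'r','w','l','k','m'}, "ix"); exec part is None if absent."""
    m = EXEC_MODE.search(perms)
    if m is None:
        return set(perms), None
    return set(perms[:m.start()] + perms[m.end():]), m.group(0)


def parse_rule(line: str):
    """Return (path, perms) for a file rule line, or None for blanks/comments."""
    line = line.strip().rstrip(",").strip()
    if not line or line.startswith("#"):
        return None
    if line == "file":
        return BARE_FILE_EXPANSION
    if line.startswith("file "):          # "file /etc/** r," form
        line = line[5:].strip()
    path, perms = line.rsplit(None, 1)
    return path, perms


def exec_conflicts(profile_text: str):
    """Map each path that carries more than one exec transition to its modes."""
    modes = defaultdict(set)
    for line in profile_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        path, perms = rule
        _, exec_mode = split_perms(perms)
        if exec_mode:
            modes[path].add(exec_mode)
    return {p: sorted(m) for p, m in modes.items() if len(m) > 1}


# Constructed profile fragment reproducing the case from the thread.
SAMPLE = """
  file,
  /** Pix,
  /bin/ls mr,
"""

if __name__ == "__main__":
    print(exec_conflicts(SAMPLE))   # {'/**': ['Pix', 'ix']}
```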