[apparmor] [PATCH] add abstractions to support the apparmor api

John Johansen john.johansen at canonical.com
Fri Oct 19 19:05:09 UTC 2012 

Just a simple set of abstractions to support the base apparmor api

Signed-off-by: John Johansen <john.johansen at canonical.com>

---
 .../abstractions/apparmor_api/change_profile        |   11 +++++++++++
 .../apparmor.d/abstractions/apparmor_api/examine    |   12 ++++++++++++
 .../abstractions/apparmor_api/find_mountpoint       |   13 +++++++++++++
 .../apparmor.d/abstractions/apparmor_api/introspect |   12 ++++++++++++
 .../apparmor.d/abstractions/apparmor_api/is_enabled |   17 +++++++++++++++++
 profiles/apparmor.d/tunables/apparmorfs             |   11 +++++++++++
 profiles/apparmor.d/tunables/kernelvars             |   19 +++++++++++++++++++
 profiles/apparmor.d/tunables/securityfs             |   12 ++++++++++++
 profiles/apparmor.d/tunables/sys                    |   10 ++++++++++
 9 files changed, 117 insertions(+)
 create mode 100644 profiles/apparmor.d/abstractions/apparmor_api/change_profile
 create mode 100644 profiles/apparmor.d/abstractions/apparmor_api/examine
 create mode 100644 profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
 create mode 100644 profiles/apparmor.d/abstractions/apparmor_api/introspect
 create mode 100644 profiles/apparmor.d/abstractions/apparmor_api/is_enabled
 create mode 100644 profiles/apparmor.d/tunables/apparmorfs
 create mode 100644 profiles/apparmor.d/tunables/kernelvars
 create mode 100644 profiles/apparmor.d/tunables/securityfs
 create mode 100644 profiles/apparmor.d/tunables/sys

diff --git a/profiles/apparmor.d/abstractions/apparmor_api/change_profile b/profiles/apparmor.d/abstractions/apparmor_api/change_profile
new file mode 100644
index 0000000..30f6b70
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/apparmor_api/change_profile
@@ -0,0 +1,11 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <abstractions/apparmor_api/introspect>
+
+@{PROC}/@{tid}/attr/{current,exec} w,
diff --git a/profiles/apparmor.d/abstractions/apparmor_api/examine b/profiles/apparmor.d/abstractions/apparmor_api/examine
new file mode 100644
index 0000000..856418d
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/apparmor_api/examine
@@ -0,0 +1,12 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/proc>
+#include <tunables/kernelvars>
+
+@{PROC}/@{pids}/attr/{current,prev,exec} r,
diff --git a/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
new file mode 100644
index 0000000..77b4765
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
@@ -0,0 +1,13 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#permissions needed for aa_find_mountpoint
+
+#include <tunables/proc>
+
+@{proc}/*/mounts r,
\ No newline at end of file
diff --git a/profiles/apparmor.d/abstractions/apparmor_api/introspect b/profiles/apparmor.d/abstractions/apparmor_api/introspect
new file mode 100644
index 0000000..627a6d2
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/apparmor_api/introspect
@@ -0,0 +1,12 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/proc>
+#include <tunables/kernelvars>
+
+@{PROC}/@{tid}/attr/{current,prev,exec} r,
diff --git a/profiles/apparmor.d/abstractions/apparmor_api/is_enabled b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
new file mode 100644
index 0000000..41a81c4
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
@@ -0,0 +1,17 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# permissions needed for aa_is_enabled
+
+#include <tunables/sys>
+#include <tunables/apparmorfs>
+
+#include <abstractions/apparmor_api/find_mountpoint>
+@{sys}/module/apparmor/parameters/enabled r,
+
+# TODO: add alternate apparmorfs interface for enabled
\ No newline at end of file
diff --git a/profiles/apparmor.d/tunables/apparmorfs b/profiles/apparmor.d/tunables/apparmorfs
new file mode 100644
index 0000000..8df8675
--- /dev/null
+++ b/profiles/apparmor.d/tunables/apparmorfs
@@ -0,0 +1,11 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/securityfs>
+
+@{apparmorfs}=@{securityfs}/apparmor/
diff --git a/profiles/apparmor.d/tunables/kernelvars b/profiles/apparmor.d/tunables/kernelvars
new file mode 100644
index 0000000..ab603ab
--- /dev/null
+++ b/profiles/apparmor.d/tunables/kernelvars
@@ -0,0 +1,19 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# This file should contain declarations to kernel vars or variables
+# that will become kernel vars at some point
+
+# until kernel vars are implemented just use a pattern [0-9]{1,6}
+@{pid}=[0-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
+
+#same pattern as @{pid} for now
+@{tid}=@{pid}
+
+#A pattern for pids that can appear
+@{pids}=@{pid}
\ No newline at end of file
diff --git a/profiles/apparmor.d/tunables/securityfs b/profiles/apparmor.d/tunables/securityfs
new file mode 100644
index 0000000..1350fee
--- /dev/null
+++ b/profiles/apparmor.d/tunables/securityfs
@@ -0,0 +1,12 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/sys>
+
+# @{securityfs} is the location where securityfs is mounted.
+@{securityfs}=@{sys}/kernel/security/
diff --git a/profiles/apparmor.d/tunables/sys b/profiles/apparmor.d/tunables/sys
new file mode 100644
index 0000000..e49702c
--- /dev/null
+++ b/profiles/apparmor.d/tunables/sys
@@ -0,0 +1,10 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{sys} is the location where sysfs is mounted.
+@{sys}=/sys/
-- 
1.7.10.4

More information about the AppArmor mailing list