[apparmor] Using r, w, m, c altogether
John Johansen
john.johansen at canonical.com
Wed Jun 26 00:35:30 UTC 2013
On 06/25/2013 05:21 PM, Seth Arnold wrote:
> On Wed, Jun 26, 2013 at 07:54:46AM +0800, Aaron Lewis wrote:
>> Hi,
>>
>> Looks like I can use rwmc altogether, am I wrong?
>>
>> owner @{HOME}/.config/google-googletalkplugin/{**,} rwmc,
>
> I can't see 'c' support in our current parser source code, nor can I get
> this to work in a test profile:
>
c is not supported as an independent permission. We have cx for child profile
transitions.
The audit logs do unfortunately report c for the create permission as
the kernel does have the permission set broken down finer than what is
currently exposed in the language.
Currently the w permission implies c,
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#File_permissions
has a guide (reproduced below) of how the letter permissions map to the wider set of permissions
Short form permissions map to
r - read, meta-read, mmap_r
w - create, delete, trunc, write, meta-write, chmod, chown, mmap_w, mprot_wx, partial rename (where it implies partial source rename permissions and full destination renamed permission)
a - append, create
l - link (may be combined with other permissions to determine if allowed)
k - lock (combines with ???write to determine if exclusive lock is allowed)
m - mmap_x, mprot_wx
x - exec, (if ix then also mmap_x)
> $ echo "/t { / rwmc, }" | apparmor_parser -Q -d
> Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
> AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_ID, expecting TOK_MODE
>
> But removing the 'c':
>
> $ echo "/t { / rwm, }" | apparmor_parser -Q -d
> Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
> ----- Debugging built structures -----
> Name: /t
> Profile Mode: Enforce
> --- Entries ---
> Mode: rwam:rwam Name: (/)
>
> $
>
> When the kernel logs a denied mode of 'c', it is indeed a process trying
> to create the file, but there is currently no way to give _only_ this
> privilege to a process. 'w' will also grant this permission.
>
> All you need is 'rwm'.
>
> Thanks
>
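As an added illustration of the point made in this thread (example code written for this page, not part of the AppArmor project or the original emails): when triaging AppArmor denials, the `c` the kernel reports in `requested_mask`/`denied_mask` cannot be written back into a profile, so a log-to-rule helper has to fold it into `w`. The script below parses constructed `apparmor="DENIED"` audit records, collapses the kernel's finer-grained letters into the short-form letters from the mapping above, and emits a candidate file rule. The audit lines are constructed samples, not real logs; the `owner` prefix heuristic (fsuid equal to ouid) and the output letter ordering are this example's assumptions.

```python
import re
from typing import Dict, List

# Letters the kernel reports in denied_mask/requested_mask, mapped to the
# short-form letters a policy author can actually write. Per the thread:
# 'c' (create) is not a standalone policy permission; 'w' implies it.
# Only letters named on the page are mapped; anything else is rejected.
KERNEL_TO_POLICY = {
    "r": "r",
    "w": "w",
    "c": "w",   # create is granted through w (or a), never on its own
    "a": "a",
    "l": "l",
    "k": "k",
    "m": "m",
    "x": "x",
}

# Output ordering is cosmetic (assumption of this example, not a parser rule).
POLICY_ORDER = "rwalkmx"

# key=value or key="quoted value" tokens of an audit record.
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample denials for offline testing (not real log data).
SAMPLE_DENIALS: List[str] = [
    'type=AVC msg=audit(1372204530.123:456): apparmor="DENIED" operation="mknod" '
    'profile="/usr/bin/example" name="/home/user/.config/google-googletalkplugin/cache.tmp" '
    'pid=1234 comm="example" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1372204531.456:457): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/home/user/.config/google-googletalkplugin/settings" '
    'pid=1234 comm="example" requested_mask="rwc" denied_mask="c" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1372204532.789:458): apparmor="DENIED" operation="file_mmap" '
    'profile="/usr/bin/example" name="/usr/lib/example/plugin.so" '
    'pid=1234 comm="example" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0',
]


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an audit record into a key -> value dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in TOKEN.findall(line):
        fields[key] = quoted if bare == "" else bare
    return fields


def collapse_mask(mask: str) -> str:
    """Map kernel mask letters to the short-form policy letters that cover them."""
    unknown = [ch for ch in mask if ch not in KERNEL_TO_POLICY]
    if unknown:
        raise ValueError(f"unmapped permission letter(s): {unknown}")
    letters = {KERNEL_TO_POLICY[ch] for ch in mask}
    return "".join(ch for ch in POLICY_ORDER if ch in letters)


def suggest_rule(line: str) -> str:
    """Turn one DENIED record into a candidate file rule for review."""
    f = parse_audit_line(line)
    if f.get("apparmor") != "DENIED":
        raise ValueError("not an apparmor DENIED record")
    # Prefer denied_mask: it names only what policy is missing.
    mode = collapse_mask(f.get("denied_mask") or f["requested_mask"])
    # Heuristic (assumption): the process owns the file when fsuid == ouid,
    # so the rule can be narrowed with the 'owner' qualifier.
    owner = "owner " if "fsuid" in f and f["fsuid"] == f.get("ouid") else ""
    return f'{owner}{f["name"]} {mode},'


def triage(lines: List[str]) -> List[str]:
    """Suggest one rule per DENIED record; skip records that are not denials."""
    return [suggest_rule(ln) for ln in lines if 'apparmor="DENIED"' in ln]


if __name__ == "__main__":
    for rule in triage(SAMPLE_DENIALS):
        print(rule)
```

The suggestions are a starting point for a human to review and widen into globs such as `{**,}`, not something to append to a profile blindly; note that the first two samples both resolve to `w` even though the kernel reported `c`, which is exactly the mismatch discussed above.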