[apparmor] Using r, w, m, c altogether

Aaron Lewis the.warl0ck.1989 at gmail.com
Wed Jun 26 15:24:19 UTC 2013


Ah Thanks

I get it now

On Wed, Jun 26, 2013 at 8:35 AM, John Johansen
<john.johansen at canonical.com> wrote:
> On 06/25/2013 05:21 PM, Seth Arnold wrote:
>> On Wed, Jun 26, 2013 at 07:54:46AM +0800, Aaron Lewis wrote:
>>> Hi,
>>>
>>> Looks like I can use rwmc altogether, am I wrong?
>>>
>>> owner @{HOME}/.config/google-googletalkplugin/{**,} rwmc,
>>
>> I can't see 'c' support in our current parser source code, nor can I get
>> this to work in a test profile:
>>
> c is not supported as an independent permission. We have cx for child profile
> transitions.
>
> The audit logs do unfortunately report c for the create permission as
> the kernel does have the permission set broken down finer than what is
> currently exposed in the language.
>
> currently the w permission implies c,
>
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#File_permissions
>
> has a guide (reproduced below) of how the letter permissions map to the wider set of permissions
>
> Short form permissions map to
> r - read, meta-read, mmap_r
> w - create, delete, trunc, write, meta-write, chmod, chown, mmap_w, mprot_wx, partial rename (where it implies partial source rename permissions and full destination renamed permission)
> a - append, create
> l - link (may be combined with other permissions to determine if allowed)
> k - lock (combines with ???write to determine if exclusive lock is allowed)
> m - mmap_x, mprot_wx
> x - exec, (if ix then also mmap_x)
>
>
>> $ echo "/t { / rwmc, }" | apparmor_parser -Q -d
>> Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
>> AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_ID, expecting TOK_MODE
>>
>> But removing the 'c':
>>
>> $ echo "/t { / rwm, }" | apparmor_parser -Q -d
>> Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
>> ----- Debugging built structures -----
>> Name:         /t
>> Profile Mode: Enforce
>> --- Entries ---
>> Mode: rwam:rwam       Name:   (/)
>>
>> $
>>
>> When the kernel logs a denied mode of 'c', it is indeed a process trying
>> to create the file, but there is currently no way to give _only_ this
>> privilege to a process. 'w' will also grant this permission.
>>
>> All you need is 'rwm'.
>>
>> Thanks
>>
>>
>>
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor



-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
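As an added example (my own code, not from the thread or the AppArmor project): a small Python checker that applies the letter-to-permission table John quoted, rejects a bare 'c' the way apparmor_parser does, and answers the practical question behind the thread, namely which short-form letter to grant when an audit denial reports 'c'. Assumptions: the exec qualifiers ix/px/cx/ux (and Px/Cx/Ux) are collapsed to a single 'x' for expansion, and "partial rename" is written as partial_rename.

```python
import re

# Letter -> wider permission set, as quoted above from the AppArmor policy
# reference. 'c' is deliberately absent: the parser rejects it on its own.
SHORT_TO_WIDE = {
    "r": {"read", "meta-read", "mmap_r"},
    "w": {"create", "delete", "trunc", "write", "meta-write", "chmod",
          "chown", "mmap_w", "mprot_wx", "partial_rename"},
    "a": {"append", "create"},
    "l": {"link"},
    "k": {"lock"},
    "m": {"mmap_x", "mprot_wx"},
    "x": {"exec"},
}

# Optional 'owner' prefix, a path (may contain @{VAR} and globs), a mode, a comma.
RULE_RE = re.compile(r"^\s*(owner\s+)?(\S+)\s+([A-Za-z]+)\s*,\s*$")

def parse_mode(mode):
    """Return the set of short-form letters in `mode`; raise ValueError for a
    letter the parser would not accept (such as a bare 'c'), mirroring the
    'expecting TOK_MODE' error. Assumption: ix/px/cx/ux collapse to 'x'."""
    letters, i = set(), 0
    while i < len(mode):
        ch = mode[i]
        if ch in "ipcuPCU" and mode[i + 1:i + 2] == "x":
            letters.add("x")
            i += 2
            continue
        if ch not in SHORT_TO_WIDE:
            raise ValueError(f"unexpected permission {ch!r} in mode {mode!r}")
        letters.add(ch)
        i += 1
    return letters

def expand_rule(rule):
    """Parse one file rule -> (owner_only, path, wide permission set)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a file rule: {rule!r}")
    letters = parse_mode(m.group(3))
    return (m.group(1) is not None, m.group(2),
            set().union(*(SHORT_TO_WIDE[l] for l in letters)))

def letters_granting(wide_perm):
    """Short-form letters that grant one finer permission, e.g. the 'c'
    (create) that an audit-log denial reports: 'w' or 'a' cover it."""
    return sorted(l for l, s in SHORT_TO_WIDE.items() if wide_perm in s)
```

Running expand_rule on the rule from the question with the 'c' dropped shows that 'create' is already present in the expanded set, which is why 'rwm' is all that is needed.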


