[apparmor] [PATCH] man page updates for signals, ptrace and new variables

Tyler Hicks tyhicks at canonical.com
Thu Apr 3 06:21:35 UTC 2014 

On 2014-04-02 15:17:55, John Johansen wrote:
> On 04/02/2014 02:23 PM, Jamie Strandboge wrote:
> > Subject says it all. Thanks to John for starting this.
> > 
> > -- Jamie Strandboge http://www.ubuntu.com/
> > 
> 
> So this looks good and can go in as is, but I think adding the clarification
> I've added below might avoid some questions in the future.
> 
> Acked-by: John Johansen <john.johansen at canonical.com>

The original patch looks good and this addition looks good.

Acked-by: Tyler Hicks <tyhicks at canonical.com>

> 
> > 
> > 0001-manpage-signal-ptrace.diff
> > 
> > 
> > === modified file 'parser/apparmor.d.pod'
> > --- parser/apparmor.d.pod	2013-12-06 19:18:17 +0000
> > +++ parser/apparmor.d.pod	2014-04-02 21:23:32 +0000
> > @@ -3,7 +3,7 @@
> >  #                  2008, 2009
> >  #    NOVELL (All rights reserved)
> >  #
> > -#    Copyright (c) 2010 - 2013
> > +#    Copyright (c) 2010 - 2014
> >  #    Canonical Ltd. (All rights reserved)
> >  #
> >  #    This program is free software; you can redistribute it and/or
> > @@ -99,6 +99,32 @@
> >  
> >  B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
> >  
> > +B<PTRACE_RULE> = [ 'audit' ] [ 'deny' ] 'ptrace' [ I<PTRACE ACCESS PERMISSIONS> ] [ I<PTRACE PEER> ]
> > +
> > +B<PTRACE ACCESS PERMISSIONS> = I<PTRACE ACCESS> | I<PTRACE ACCESS LIST>
> > +
> > +B<PTRACE ACCESS LIST> = '(' Comma or space separated list of I<PTRACE ACCESS> ')'
> > +
> > +B<PTRACE ACCESS> = ( 'r' | 'w' | 'rw' | 'read' | 'readby' | 'trace' | 'tracedby' )
> > +
> > +B<PTRACE PEER> = 'peer' '=' I<AARE>
> > +
> > +B<SIGNAL_RULE> = [ 'audit' ] [ 'deny' ] 'signal' [ I<SIGNAL ACCESS PERMISSIONS> ] [ I<SIGNAL SET> ] [ I<SIGNAL PEER> ]
> > +
> > +B<SIGNAL ACCESS PERMISSIONS> = I<SIGNAL ACCESS> | I<SIGNAL ACCESS LIST>
> > +
> > +B<SIGNAL ACCESS LIST> = '(' Comma or space separated list of I<SIGNAL ACCESS> ')'
> > +
> > +B<SIGNAL ACCESS> = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' )
> > +
> > +B<SIGNAL SET> = 'set' '=' '(' I<SIGNAL LIST> ')'
> > +
> > +B<SIGNAL LIST> = Comma or space separated list of I<SIGNALS>
> > +
> > +B<SIGNALS> = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' )
> > +
> > +B<SIGNAL PEER> = 'peer' '=' I<AARE>
> > +
> >  B<DBUS RULE> = ( I<DBUS MESSAGE RULE> | I<DBUS SERVICE RULE> | I<DBUS EAVESDROP RULE> | I<DBUS COMBINED RULE> )
> >  
> >  B<DBUS MESSAGE RULE> = [ 'audit' ] [ 'deny' ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ] [ I<DBUS PATH> ] [ I<DBUS INTERFACE> ] [ I<DBUS MEMBER> ] [ I<DBUS PEER> ]
> > @@ -655,6 +681,66 @@
> >  
> >  =back
> >  
> > +=head2 PTrace rules
> > +
> > +AppArmor supports mediation of ptrace(2). AppArmor PTrace rules are accumulated
> > +so that the granted PTrace permissions are the union of all the listed PTrace
> > +rule permissions.
> > +
> > +AppArmor PTrace permissions are implied when a rule does not explicitly state
> > +an access list. By default, all PTrace permissions are implied.
> > +
> > +The trace and tracedby permissions govern ptrace(2) while read and readby
> > +govern certain proc(5) filesystem accesses, kcmp(2), futexes
> > +(get_robust_list(2)) and perf trace events.
> > +
> For a ptrace operation to be allowed the profile of the tracing process and the
> profile of the target task must both have the correct permissions. For example
> the profile of the process attaching to another task must have the trace
> permission for the target task's profile, and the task being traced must have the
> tracedby permission for the tracing process' profile.
> 
> > +Example AppArmor PTrace rules:
> > +
> > +    # Allow all PTrace access
> > +    ptrace,
> > +
> > +    # Explicitly allow all PTrace access,
> > +    ptrace (read, readby, trace, tracedby),
> > +
> > +    # Explicitly deny use of ptrace(2)
> > +    deny ptrace (trace),
> > +
> > +    # Allow unconfined processes (eg, a debugger) to ptrace us
> > +    ptrace (readby, tracedby) peer=unconfined,
> > +
> > +    # Allow ptrace of a process running under the /usr/bin/foo profile
> > +    ptrace (trace) peer=/usr/bin/foo,
> > +
> > +=head2 Signal rules
> > +
> > +AppArmor supports mediation of signal(7). AppArmor signal rules are accumulated
> > +so that the granted signal permissions are the union of all the listed signal
> > +rule permissions.
> > +
> > +AppArmor signal permissions are implied when a rule does not explicitly state
> > +an access list. By default, all signal permissions are implied.
> > +
> For the sending of a signal to be allowed, the profile of the sending process and
> the profile of the target task must both have the correct permissions. For example
> the profile of a process sending a signal to another task must have the send
> permission for the target task's profile, and the task receiving the signal must
> have a receive permission for the sending process' profile.
> 
> > +Example AppArmor signal rules:
> > +
> > +    # Allow all signal access
> > +    signal,
> > +
> > +    # Explicitly deny sending the HUP and INT signals
> > +    deny signal (send) set=(hup, int),
> > +
> > +    # Allow unconfined processes to send us signals
> > +    signal (receive) peer=unconfined,
> > +
> > +    # Allow sending of signals to a process running under the /usr/bin/foo
> > +    # profile
> > +    signal (send) peer=/usr/bin/foo,
> > +
> > +    # Allow checking for PID existence
> > +    signal (receive, send) set=("exists"),
> > +
> > +    # Allow us to signal ourselves using the built-in @{profile_name} variable
> > +    signal peer=@{profile_name},
> > +
> >  =head2 DBus rules
> >  
> >  AppArmor supports DBus mediation. The mediation is performed in conjunction
> > @@ -725,11 +811,36 @@
> >  that they have been assigned; it is an error to reference a variable
> >  without setting at least one value.
> >  
> > -At the time of this writing, only B<@{HOME}> and B<@{HOMEDIRS}> are defined
> > -in the AppArmor policy provided, in the F</etc/apparmor.d/tunables/home>
> > -file; these variables are used in many of the abstractions described later.
> > +At the time of this writing, the following variables are defined in the
> > +provided AppArmor policy:
> > +
> > +  @{HOME}
> > +  @{HOMEDIRS}
> > +  @{multiarch}
> > +  @{pid}
> > +  @{PROC}
> > +  @{securityfs}
> > +  @{sys}
> > +  @{tid}
> > +  @{XDG_DESKTOP_DIR}
> > +  @{XDG_DOWNLOAD_DIR}
> > +  @{XDG_TEMPLATES_DIR}
> > +  @{XDG_PUBLICSHARE_DIR}
> > +  @{XDG_DOCUMENTS_DIR}
> > +  @{XDG_MUSIC_DIR}
> > +  @{XDG_PICTURES_DIR}
> > +  @{XDG_VIDEOS_DIR}
> > +
> > +These are defined in files in F</etc/apparmor.d/tunables> and are used in many
> > +of the abstractions described later.
> > +
> >  You may also add files in F</etc/apparmor.d/tunables/home.d> for
> > -site-specific customization of B<@{HOMEDIRS}>.
> > +site-specific customization of B<@{HOMEDIRS}>,
> > +F</etc/apparmor.d/tunables/multiarch.d> for B<@{multiarch}> and
> > +F</etc/apparmor.d/tunables/xdg-user-dirs.d> for B<@{XDG_*}>.
> > +
> > +The special B<@{profile_name}> variable is set to the profile name and may be
> > +used in all policy.
> >  
> >  =head2 Alias rules
> >  
> > 
> > 
> > 
> > -- AppArmor mailing list AppArmor at lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> > 
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140403/c27ddc0a/attachment-0001.pgp>

More information about the AppArmor mailing list