[apparmor] [PATCH] 01/04 man page update for abstract, anonymous and netlink
Seth Arnold
seth.arnold at canonical.com
Wed Aug 27 22:50:35 UTC 2014
On Wed, Aug 27, 2014 at 04:39:21PM -0500, Jamie Strandboge wrote:
> On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
> > Starting a subthread for some additions to John's patches. This series assumes
> > John's 12 patches are applied and includes updates to the apparmor.d man page
> > and some policy updates. I expect I might have to adjust this a bit, but wanted
> > to send it up for comment. Let's have an ACK mean to apply it once it is safe to
> > do so.
> >
> Attached is a patch with man page update to:
> - fix typo
> - fix whitespace
> - add netlink
> - update for change from path to addr
> - remove TODO items
> - add and document examples
> - remove undocumented 'unix server addr=@foo,' example
>
> Acked-By: Jamie Strandboge <jamie at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
>
> --
> Jamie Strandboge http://www.ubuntu.com/
> Author: Jamie Strandboge <jamie at canonical.com>
> Description: man page updates for abstract, anonymous and netlink sockets
> - fix typo
> - fix whitespace
> - add netlink
> - update for change from path to addr
> - remove TODO items
> - add and document examples
> - remove undocumented 'unix server addr=@foo,' example
>
> Index: apparmor-2.8.96~2541/parser/apparmor.d.pod
> ===================================================================
> --- apparmor-2.8.96~2541.orig/parser/apparmor.d.pod
> +++ apparmor-2.8.96~2541/parser/apparmor.d.pod
> @@ -63,7 +63,7 @@ capabilities(7))
>
> B<NETWORK RULE> = 'network' [ [ I<DOMAIN> ] [ I<TYPE> ] [ I <PROTOCOL> ] ] ','
>
> -B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' ) ','
> +B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' ) ','
>
> B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )
>
> @@ -423,7 +423,8 @@ AppArmor supports simple coarse grained
> rule restrict all socket(2) based operations. The mediation done is
> a course grained check on whether a socket of a given type and family
> can be created, read, or written. There is no mediation based of port
> -number or protocol beyond tcp, udp, and raw.
> +number or protocol beyond tcp, udp, and raw. Network netlink(7) rules may
> +only specify type 'dgram' and 'raw'.
>
> AppArmor network rules are accumulated so that the granted network
> permissions are the union of all the listed network rule permissions.
> @@ -437,6 +438,7 @@ eg.
> network tcp, #allow access to tcp
> network inet tcp, #allow access to tcp only for inet4 addresses
> network inet6 tcp, #allow access to tcp only for inet6 addresses
> + network netlink raw, #allow access to AF_NETLINK SOCK_RAW
>
> =head2 Mount Rules
>
> @@ -888,16 +890,14 @@ Example AppArmor DBus rules:
> AppArmor supports fine grained mediation of unix domain abstract and
> anonymous sockets. Unix domain sockets with file system paths are
> mediated via file access rules.
> -TODO: do we want to revise this to allow certain permission to be
> - specified by unix rules that can not be specified via file
> - paths?
>
> -Abstract unix domain sockets is a nonprotable Linux extension of unix
> -domain sockets, see man 7 unix for more information.
> +Abstract unix domain sockets is a nonportable Linux extension of unix
> +domain sockets, see unix(7) for more information.
>
> -=head3 Unix socket paths
> +=head3 Unix socket address paths
>
> -The path address component of a unix domain socket is specified by the
> +The sun_path component (aka the socket address) of a unix domain socket is
> +specified by the
> addr=
>
> conditional. If an address conditional is not specified as part of
> @@ -908,76 +908,71 @@ the I<@> character, similar to how they
> netstat -x. The address then follows and may contain pattern matching
> and any characters including the null character. In apparmor null
> characters must be specified by using an escape sequence I<\000> or
> -I<\x00>. The pattern matching is the same as is used by path matching
> +I<\x00>. The pattern matching is the same as is used by file path matching
> so * will not match I</> even though it has no special meaning with
> in an abstract socket name. Eg.
> unix addr=@*,
>
> -Anonymous unix domain sockets have no address associated with
> -them, however it can be specified with the special I<none> keyword
> -to indicate the rule only applies to anonymous unix domain sockets. Eg.
> +Anonymous unix domain sockets have no sun_path associated with the socket
> +address, however it can be specified with the special I<none> keyword to
> +indicate the rule only applies to anonymous unix domain sockets. Eg.
> unix addr=none,
>
> If the address component of a rule is not specified then the rule applies
> to both abstract and anonymous sockets.
>
> =head3 Unix socket permissions
> -Unix domain socket rules are accumulated so that the granted unix
> -socket permissions are the union of all the listed unix rule permissions.
> +Unix domain socket rules are accumulated so that the granted unix
> +socket permissions are the union of all the listed unix rule permissions.
>
> -Unix domain socket rules are broad and general and become more restrictive
> -as further information is specified. Policy may be specified down to
> -the addr and label level. The content of the communication is not
> -examined.
> -
> -Unix socket rule permissions are implied when a rule does not explicitly
> -state an access list. By default if a rule does not have an access list
> -all permissions that are compatible with the specified set of local
> -and peer conditionals are implied.
> +Unix domain socket rules are broad and general and become more restrictive
> +as further information is specified. Policy may be specified down to
> +the socket address (aka sun_path) and label level. The content of the
> +communication is not
> +examined.
> +
> +Unix socket rule permissions are implied when a rule does not explicitly
> +state an access list. By default if a rule does not have an access list
> +all permissions that are compatible with the specified set of local
> +and peer conditionals are implied.
>
> The create, bind, listen, shutdown, getattr, setattr permissions are
> applied to the local socket. The accept, connect, send, receive permissions
> apply to the combination of a local and peer. Currently it is required that
> create, bind, listen, shutdown, getattr, and settr permission are only
> specified in rules that do not have a peer component.
> -???TODO: Do we really want this????
> -
> -If a rule is specified with a peer component it will not imply the
> -create, bind, listen, shutdown, getattr, or setattr permissions.
>
> -??? TODO: Describe explicitly labeled sockets ???? !!!
> +If a rule is specified with a peer component it will only imply accept
> +(stream), connect (stream), listen, receive and send, and not imply the create,
> +bind, listen, shutdown, getattr, or setattr permissions.
>
> =head3 Example Unix domain socket rules:
>
> - # Allow all permissions to unix sockets
> - unix,
> -
> - # Explicitly allow all unix permissions
> - unix (create, listen, accept, connect, send, receive, getattr, setattr, setopt, getopt),
> -
> - # Explicitly deny unix socket access ??? should this block unix file as well???
> - deny unix,
> + # Allow all permissions to unix sockets
> + unix,
>
> -
> - unix type=stream,
> + # Explicitly allow all unix permissions
> + unix (create, listen, accept, connect, send, receive, getattr, setattr, setopt, getopt),
>
> - unix type=dgram,
> + # Explicitly deny unix socket access
> + deny unix,
>
> - unix addr=none
> + # Allow create and use of abstract and anonymous sockets for profile_name
> + unix peer=(label=@{profile_name}),
>
> - unix addr=@foo,
> + # Allow receiving via unix sockets from unconfined
> + unix (receive) peer=(label=unconfined),
>
> - unix type=stream addr=@foo,
> + # Allow getattr and shutdown on anonymous sockets
> + unix (getattr, shutdown) peer=(addr=none),
>
> - unix server addr=@foo,
> -
> - unix accept addr=@foo peer=(label=/bar),
> -
> - unix receive addr=@foo peer=(label=/bar),
> -
> -
> - unix addr=none
> + # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
> + # with peer running under profile '/foo'
> + unix (connect, receive, send) type=stream peer=(label=/foo,addr="@bar"),
>
> + # Allow accepting connections from and receiving from peer running under
> + # profile '/bar' on abstract socket '@foo'
> + unix (accept, receive) addr=@foo peer=(label=/bar),
>
> =head3 Abstract unix domain sockets autobind
>
> @@ -991,7 +986,7 @@ from a regular address.
>
> The coarse grained networking rules can be used to control unix domain
> sockets as well. When fine grained unix domain socket mediation is available
> -the coase grained network rule is mapped into the equivalent unix socket
> +the coarse grained network rule is mapped into the equivalent unix socket
> rule.
>
> Eg.
> @@ -1008,12 +1003,6 @@ Has no exact match under coarse grained
> the much wider permission rule of.
> network unix,
>
> -TODO: ??? should we make unix rules imply this when fine grained mediation
> -is not available, or do we fail? Warning to wider is similar to the
> -current behavior of loading policy which specify rules that can't be
> -enforced. Hrmmm this behavior really needs to be a config option, to
> -fail or warn.
> -
> =head2 Variables
>
> AppArmor's policy language allows embedding variables into file rules
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140827/7e6d0191/attachment.pgp>
More information about the AppArmor
mailing list