[apparmor] aa chapter in suse security guide - all the received reviews implemented

Christian Boltz apparmor at cboltz.de
Tue Feb 25 18:12:37 UTC 2014


Hello,

Am Montag, 24. Februar 2014 schrieb Tomáš Bažant:
> I added 2 new sections - aa-notify + profile flags. I hope it's the
> last major change in the aa chapter for now. Would you be so kind and
> have a look at the added text if it's correct? Mainly the flags, the
> wording is too technical and even I don't understand it well...so
> suggestions welcome. I believe that diff-based inspection is
> sufficient?

Yes, diff-based is ok and yes, some of the flags _are_ technical ;-)

@John: can you please review the flags section? The text looks correct
to me (except for the part where I added a comment), however you know 
the details about attach_disconnected etc. better than I do ;-)
I pasted the section below the diff so that you can just review it in 
this mail.

@Tomáš: your changes look mostly good, but "as usual" ;-) I have some 
comments.

Index: xml/apparmor_profiles.xml
===================================================================
--- xml/apparmor_profiles.xml   (Revision 12153)
+++ xml/apparmor_profiles.xml   (Arbeitskopie)
@@ -980,6 +980,8 @@
     <emphasis>Mode</emphasis> flags are <literal>enforce</literal> (enforces
     the policy) or <literal>complain</literal> (illegal accesses are allowed
     and logged). They are mutually exclusive.
+<!-- there's no "enforce" flag. Profiles are enforced if they don't have a
+ "complain" flag (or if a symlink in force-complain exists) -->
    </para>
    <tip>
     <para>
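Review bot: the new XML comment contradicts the sentence it is attached to, which still tells readers that <literal>enforce</literal> is a mode flag; rather than leaving an internal comment in the source, change the paragraph itself to say that <literal>complain</literal> is the only mode flag and that a profile without it is enforced (or forced into complain mode by a symlink in force-complain), so the published text matches what the comment states.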

Index: xml/apparmor_profiles_man.xml
===================================================================
--- xml/apparmor_profiles_man.xml       (Revision 12153)
+++ xml/apparmor_profiles_man.xml       (Arbeitskopie)
@@ -1979,6 +1982,8 @@
      X System display number you are currently using, such as
      <literal>:0</literal>. The process is run in the background, and shows
      notification each time a deny event happens.
+<!-- typically "--display $DISPLAY" is what users want -->
+
     </para>
     <figure>
      <title><command>aa-notify Message in GNOME</command></title>
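Review bot: the added comment recommends <literal>--display $DISPLAY</literal>, but the visible prose still only offers <literal>:0</literal> as the value to pass; fold the recommendation into the sentence (e.g. "usually <literal>$DISPLAY</literal>") instead of a source comment, and drop the empty line added before <literal>&lt;/para&gt;</literal>, which serves no purpose inside the paragraph.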

Flags section:

  <sect2 id="sec.apparmor.profiles.flags">
   <title>Profile Flags</title>
   <para>
    Profile flags control the behavior of the related profile. You can add
    profile flags to the profile definition by editing it manually, see the
    following syntax:
   </para>
<screen>/path/to/profiled/binary flags=(list_of_flags) {
  [...]
}</screen>
   <para>
    You can use multiple flags separated by a comma ',' or space ' '. There
    are three basic types of profile flags: mode, relative, and attach
    flags.
   </para>
   <para>
    <emphasis>Mode</emphasis> flags are <literal>enforce</literal> (enforces
    the policy) or <literal>complain</literal> (illegal accesses are allowed
    and logged). They are mutually exclusive.
<!-- there's no "enforce" flag. Profiles are enforced if they don't have a
 "complain" flag (or if a symlink in force-complain exists) -->
   </para>
   <tip>
    <para>
     A more flexible way of setting the whole profile to complain mode is to
     create a symbolic link from the profile file inside the
     <filename>/etc/apparmor.d/force-complain/</filename> directory.
    </para>
<screen>ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/force-complain/bin.ping</screen>
   </tip>
   <para>
    <emphasis>Relative</emphasis> flags are
    <literal>chroot_relative</literal> (states that the profile is relative
    to the chroot instead of namespace) or
    <literal>namespace_relative</literal> (the default, with path being
    relative to outside the chroot). They are mutually exclusive.
   </para>
   <para>
    <emphasis>Attach</emphasis> flags consist of two pairs of mutually
    exclusive flags: <literal>attach_disconnected</literal> or
    <literal>no_attach_disconnected</literal> (determine if pathnames
    resolved to be outside of the namespace are attached to the root, which
    means they have the '/' character prepended), and
    <literal>chroot_attach</literal> or <literal>chroot_no_attach</literal>
    (controls pathname generation when in a chroot environment while a file
    is accessed that is external to the chroot but within the namespace).
   </para>
  </sect2>
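As an added illustration of the flag rules stated in the section above (this is not part of the SUSE guide or of AppArmor's own tooling), a small Python checker that parses the header form shown above, reports unknown flags and flags from one mutually exclusive pair, and works out whether a profile ends up in complain mode through the flag or through a force-complain symlink. The profile file naming (/bin/ping to bin.ping), the sample headers and the force-complain listing are constructed for the example.

```python
import re

# Flag families from the Profile Flags section above.  Following the review
# comment in this mail, "complain" is the only mode flag: a profile without it
# is enforced.  The other families are mutually exclusive pairs.
RELATIVE_FLAGS = {"chroot_relative", "namespace_relative"}
ATTACH_FLAGS = {"attach_disconnected", "no_attach_disconnected"}
CHROOT_ATTACH_FLAGS = {"chroot_attach", "chroot_no_attach"}
EXCLUSIVE_GROUPS = [RELATIVE_FLAGS, ATTACH_FLAGS, CHROOT_ATTACH_FLAGS]
KNOWN_FLAGS = {"complain"} | RELATIVE_FLAGS | ATTACH_FLAGS | CHROOT_ATTACH_FLAGS
# Only the "/path/to/binary flags=(...) {" header form shown above is handled.
HEADER_RE = re.compile(r"^\s*(?P<path>/\S+)(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{")

def parse_profile_header(line):
    """Return (path, [flags]) for a profile header line, else None.
    Flags may be separated by commas and/or spaces."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    raw = (m.group("flags") or "").strip()
    return m.group("path"), [f for f in re.split(r"[,\s]+", raw) if f]

def check_flags(flags):
    """Problems a parser would reject: unknown flags, or both flags of a pair."""
    problems = [f"unknown flag: {f}" for f in flags if f not in KNOWN_FLAGS]
    for group in EXCLUSIVE_GROUPS:
        present = sorted(set(flags) & group)
        if len(present) > 1:
            problems.append("mutually exclusive: " + ", ".join(present))
    return problems

def effective_mode(profile_file, flags, force_complain_entries):
    """complain if the flag is set or an entry named like the profile file
    exists in /etc/apparmor.d/force-complain/ (listing passed in, not read
    from disk); otherwise enforce."""
    if "complain" in flags or profile_file in force_complain_entries:
        return "complain"
    return "enforce"

# Constructed sample: three header lines and the force-complain listing that
# the ln -s example above would produce.
SAMPLE_HEADERS = [
    "/bin/ping flags=(attach_disconnected) {",
    "/usr/sbin/ntpd flags=(complain chroot_relative, namespace_relative) {",
    "/usr/bin/foo flags=(enforce) {",
]
SAMPLE_FORCE_COMPLAIN = {"bin.ping"}
if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        path, flags = parse_profile_header(line)
        name = path.lstrip("/").replace("/", ".")  # /bin/ping -> bin.ping
        print(path, effective_mode(name, flags, SAMPLE_FORCE_COMPLAIN), check_flags(flags))
```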


Regards,

Christian Boltz
-- 
> Anyway, what does our mission statement say?
"Have a lot of fun..."
[> Per Jessen and Kreg KH in opensuse-factory]