[apparmor] aa chapter in suse security guide - all the received reviews implemented
Christian Boltz
apparmor at cboltz.de
Tue Feb 25 18:12:37 UTC 2014
Hello,
On Monday, 24 February 2014, Tomáš Bažant wrote:
> I added 2 new sections - aa-notify + profile flags. I hope it's the
> last major change in the aa chapter for now. Would you be so kind and
> have a look at the added text if it's correct? Mainly the flags, the
> wording is too technical and even I don't understand it well...so
> suggestions welcome. I believe that diff-based inspection is
> sufficient?
Yes, diff-based is ok and yes, some of the flags _are_ technical ;-)
@John: can you please review the flags section? The text looks correct
to me (except for the part where I added a comment), however you know
the details about attach_disconnected etc. better than I do ;-)
I pasted the section below the diff so that you can just review it in
this mail.
@Tomáš: your changes look mostly good, but "as usual" ;-) I have some
comments.
Index: xml/apparmor_profiles.xml
===================================================================
--- xml/apparmor_profiles.xml (Revision 12153)
+++ xml/apparmor_profiles.xml (Arbeitskopie)
@@ -980,6 +980,8 @@
<emphasis>Mode</emphasis> flags are <literal>enforce</literal> (enforces
the policy) or <literal>complain</literal> (illegal accesses are allowed
and logged). They are mutually exclusive.
+<!-- there's no "enforce" flag. Profiles are enforced if they don't have a
+ "complain" flag (or if a symlink in force-complain exists) -->
</para>
<tip>
<para>
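Review bot: The added XML comment ("there's no "enforce" flag ...") contradicts the sentence it follows, which lists <literal>enforce</literal> as a mode flag, and a comment never reaches the reader; reword the paragraph itself so that <literal>complain</literal> is the only mode flag and a profile without it (and without a symlink in force-complain) is enforced, then drop the comment.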
Index: xml/apparmor_profiles_man.xml
===================================================================
--- xml/apparmor_profiles_man.xml (Revision 12153)
+++ xml/apparmor_profiles_man.xml (Arbeitskopie)
@@ -1979,6 +1982,8 @@
X System display number you are currently using, such as
<literal>:0</literal>. The process is run in the background, and shows
notification each time a deny event happens.
+<!-- typically "--display $DISPLAY" is what users want -->
+
</para>
<figure>
<title><command>aa-notify Message in GNOME</command></title>
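Review bot: The hint "typically "--display $DISPLAY" is what users want" is left as an XML comment after the sentence about the display number, so it will not render; turn it into documentation text (a sentence or a short <screen> line showing `--display $DISPLAY`) and remove the extra `+` blank line, which only adds whitespace inside the <para>.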
Flags section:
<sect2 id="sec.apparmor.profiles.flags">
<title>Profile Flags</title>
<para>
Profile flags control the behavior of the related profile. You can add
profile flags to the profile definition by editing it manually, see the
following syntax:
</para>
<screen>/path/to/profiled/binary flags=(list_of_flags) {
[...]
}</screen>
<para>
You can use multiple flags separated by a comma ',' or space ' '. There
are three basic types of profile flags: mode, relative, and attach
flags.
</para>
<para>
<emphasis>Mode</emphasis> flags are <literal>enforce</literal> (enforces
the policy) or <literal>complain</literal> (illegal accesses are allowed
and logged). They are mutually exclusive.
<!-- there's no "enforce" flag. Profiles are enforced if they don't have a
"complain" flag (or if a symlink in force-complain exists) -->
</para>
<tip>
<para>
A more flexible way of setting the whole profile into complain mode is to
create a symbolic link from the profile file inside the
<filename>/etc/apparmor.d/force-complain/</filename> directory.
</para>
<screen>ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/force-complain/bin.ping</screen>
</tip>
<para>
<emphasis>Relative</emphasis> flags are
<literal>chroot_relative</literal> (states that the profile is relative
to the chroot instead of namespace) or
<literal>namespace_relative</literal> (the default, with path being
relative to outside the chroot). They are mutually exclusive.
</para>
<para>
<emphasis>Attach</emphasis> flags consist of two pairs of mutually
exclusive flags: <literal>attach_disconnected</literal> or
<literal>no_attach_disconnected</literal> (determine if pathnames
resolved to be outside of the namespace are attached to the root, which
means they have the '/' character prepended), and
<literal>chroot_attach</literal> or <literal>chroot_no_attach</literal>
(controls pathname generation when in a chroot environment while a file
is accessed that is external to the chroot but within the namespace).
</para>
</sect2>
Regards,
Christian Boltz
--
> Anyway, what does our mission statement say?
"Have a lot of fun..."
[> Per Jessen and Kreg KH in opensuse-factory]