[apparmor] [PATCH] policy updates for ptrace and signal mediation

Christian Boltz apparmor at cboltz.de
Tue Jun 24 11:34:46 UTC 2014


On Monday, 23 June 2014, Jamie Strandboge wrote:
>  - base-abstraction-ptrace-ipc.patch: adds policy to the base
> abstraction that is basically required on systems using targeted
> policy. Namely:
>    - Allow reciprocal ptrace readby to everyone
>      (requires peer unconfined or to ptrace read to us)
>    - same for ptrace tracedby
>    - allow us to ptrace read ourselves
>    - receive all signals from unconfined
>    - allow us to signal ourselves
>    - allow sending and receiving "exists" (for pid existence)

Including these rules in the base abstractions looks like a good idea.

However, I don't like that we force policy authors to use deny rules (or 
rebuild 90% of abstractions/base) if they don't want the signal and 
ptrace rules.

Things will get even more interesting if someone for example wants to 
(only) allow
  signal (receive) peer=unconfined set=("HUP")

The result will be a profile with lots of deny rules (one for each 
signal that is not HUP) or, in the optimized version, a deny rule with a 
very big set=(...).

IMHO it would be a good idea to split abstractions/base into
- abstractions/base-files (basically the "old" abstractions/base)
- abstractions/base-ptrace (ptrace rules from your patch)
- abstractions/base-signal (signal rules from your patch)

abstractions/base would then basically be:
  #include <abstractions/base-files>
  #include <abstractions/base-ptrace>
  #include <abstractions/base-signal>

>  - dnsmasq-libvirtd-signal-ptrace.patch: allow libvirtd to signal and
> ptrace us

Acked-by: Christian Boltz <apparmor at cboltz.de>


Christian Boltz
[ComputerBild] However, hell will probably freeze over before this organ
of the press landscape, whose content for any given issue would easily fit
on a postage stamp, gives up a column [for etiquette].
[Thomas Templin in suse-linux]
