[apparmor] [PATCH] policy updates for ptrace and signal mediation
Jamie Strandboge
jamie at canonical.com
Tue Jun 24 12:54:54 UTC 2014
On 06/24/2014 06:34 AM, Christian Boltz wrote:
> Hello,
>
> Am Montag, 23. Juni 2014 schrieb Jamie Strandboge:
>> - base-abstraction-ptrace-ipc.patch: adds policy to the base
>> abstraction that is basically required on systems using targeted
>> policy. Namely:
>>   - Allow reciprocal ptrace readby to everyone
>>     (requires peer unconfined or to ptrace read to us)
>>   - same for ptrace tracedby
>>   - allow us to ptrace read ourselves
>>   - receive all signals from unconfined
>>   - allow us to signal ourselves
>>   - allow sending and receiving "exists" (for pid existence)
>
> Including these rules in the base abstractions looks like a good idea.
>
> However I don't like that we force policy authors to use deny rules (or
> rebuild 90% of abstractions/base) if they don't want the signal and
> ptrace rules.
>
> Things will get even more interesting if someone for example wants to
> (only) allow
> signal (receive) peer=unconfined set=("HUP")
>
> The result will be a profile with lots of deny rules (one for each
> signal that is not HUP) or, optimized version, a deny rule with a very
> big set=(...).
>
The deny rule is one way to handle it; people can always update their base
abstraction for their site requirements.
>
> IMHO it would be a good idea to split abstractions/base into
> - abstractions/base-files (basically the "old" abstractions/base)
> - abstractions/base-ptrace (ptrace rules from your patch)
> - abstractions/base-signal (signal rules from your patch)
>
> abstractions/base would then basically be:
> #include <abstractions/base-files>
> #include <abstractions/base-ptrace>
> #include <abstractions/base-signal>
>
I'm not sure how this would address your previous comment.
--
Jamie Strandboge http://www.ubuntu.com/
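An illustration of the two positions in the thread, added here as an example; it is not the patch itself nor any file shipped by the AppArmor project. The profile name, the /usr/local/sbin/site-daemon path and the log file are assumptions, and the signal names in the deny rule are the keywords AppArmor's signal mediation accepts. The first block spells out, as explicit rules, what the bullet list above would put into abstractions/base; the second block is the "deny rule with a very big set" a site would need to keep only SIGHUP from unconfined, since deny rules take precedence over allow rules.

```apparmor
#include <tunables/global>

# Hypothetical daemon profile (example only, assumed names throughout).
profile site-daemon /usr/local/sbin/site-daemon {
  #include <abstractions/base>

  # What the patch adds to abstractions/base, written out so the effect is
  # visible in one place (with the patch applied these come from base):
  signal (receive) peer=unconfined,       # receive all signals from unconfined
  signal peer=@{profile_name},            # send to / receive from ourselves
  signal (send, receive) set=(exists),    # pid-existence checks (kill -0)
  ptrace (readby, tracedby),              # readby/tracedby to everyone; the peer
                                          # still needs its own read/trace rule
  ptrace (read) peer=@{profile_name},     # ptrace read ourselves

  # Site wants only SIGHUP from unconfined. Deny wins over allow, so the
  # broad grant above is narrowed without rewriting the abstraction:
  deny signal (receive)
       set=(int, quit, ill, trap, abrt, bus, fpe, kill, usr1, segv, usr2,
            pipe, alrm, term, stkflt, chld, cont, stop, stp, ttin, ttou,
            urg, xcpu, xfsz, vtalrm, prof, winch, io, pwr, sys)
       peer=unconfined,

  /usr/local/sbin/site-daemon mr,
  /var/log/site-daemon.log w,
}

# With the split proposed above (base-files / base-ptrace / base-signal),
# the same profile would drop base-signal and state the one rule it wants
# instead of the deny list:
#   #include <abstractions/base-files>
#   #include <abstractions/base-ptrace>
#   signal (receive) set=(hup) peer=unconfined,
```

To check the syntax without loading the result into the kernel, run `apparmor_parser -Q /etc/apparmor.d/site-daemon` (assumed path); `apparmor_parser -r` replaces the loaded profile once it parses.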