[apparmor] [PATCH] policy updates for ptrace and signal mediation

Jamie Strandboge jamie at canonical.com
Tue Jun 24 12:54:54 UTC 2014

On 06/24/2014 06:34 AM, Christian Boltz wrote:
> Hello,
> Am Montag, 23. Juni 2014 schrieb Jamie Strandboge:
>>  - base-abstraction-ptrace-ipc.patch: adds policy to the base
>> abstraction that is basically required on systems using targeted
>> policy. Namely: - Allow reciprocal ptrace readby to everyone
>> (requires peer unconfined or to ptrace read to us)
>>    - same for ptrace tracedby
>>    - allow us to ptrace read ourselves
>>    - receive all signals from unconfined
>>    - allow us to signal ourselves
>>    - allow sending and receiving "exists" (for pid existence)
> Including these rule in the base abstractions looks like a good idea.
> However I don't like that we force policy authors to use deny rules (or 
> rebuild 90% of abstractions/base) if they don't want the signal and 
> ptrace rules.
> Things will get even more interesting if someone for example wants to 
> (only) allow
>   signal (receive) peer=unconfined set=("HUP")
> The result will be a profile with lots of deny rules (one for each 
> signal that is not HUP) or, optimized version, a deny rule with a very 
> big set=(...).

The deny rule is one way to handle it; people can always update their base
abstraction for their site requirements.

> IMHO it would be a good idea to split abstractions/base into
> - abstractions/base-files (basically the "old" abstractions/base)
> - abstractions/base-ptrace (ptrace rules from your patch)
> - abstractions/base-signal (signal rules from your patch)
> abstractions/base would then basically be:
>   #include <abstractions/base-files>
>   #include <abstractions/base-ptrace>
>   #include <abstractions/base-signal>

I'm not sure how this would address your previous comment.

Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140624/777d3732/attachment.pgp>

More information about the AppArmor mailing list