[apparmor] [PATCH] policy updates for ptrace and signal mediation

Tyler Hicks tyhicks at canonical.com
Tue Jun 24 16:36:48 UTC 2014


On 2014-06-24 07:54:54, Jamie Strandboge wrote:
> On 06/24/2014 06:34 AM, Christian Boltz wrote:
> > Hello,
> > 
> > Am Montag, 23. Juni 2014 schrieb Jamie Strandboge:
> > >>  - base-abstraction-ptrace-ipc.patch: adds policy to the base
> > >> abstraction that is basically required on systems using targeted
> > >> policy. Namely:
> > >>    - Allow reciprocal ptrace readby to everyone
> > >>      (requires peer unconfined or to ptrace read to us)
> > >>    - same for ptrace tracedby
> > >>    - allow us to ptrace read ourselves
> > >>    - receive all signals from unconfined
> > >>    - allow us to signal ourselves
> > >>    - allow sending and receiving "exists" (for pid existence)
> > 
> > Including these rules in the base abstractions looks like a good idea.
> > 
> > However I don't like that we force policy authors to use deny rules (or 
> > rebuild 90% of abstractions/base) if they don't want the signal and 
> > ptrace rules.
> > 
> > Things will get even more interesting if someone for example wants to 
> > (only) allow
> >   signal (receive) peer=unconfined set=("HUP")
> > 
> > The result will be a profile with lots of deny rules (one for each 
> > signal that is not HUP) or, optimized version, a deny rule with a very 
> > big set=(...).
> > 
> 
> The deny rule is one way to handle it; people can always update their base
> abstraction for their site requirements.
> 
> > 
> > IMHO it would be a good idea to split abstractions/base into
> > - abstractions/base-files (basically the "old" abstractions/base)
> > - abstractions/base-ptrace (ptrace rules from your patch)
> > - abstractions/base-signal (signal rules from your patch)
> > 
> > abstractions/base would then basically be:
> >   #include <abstractions/base-files>
> >   #include <abstractions/base-ptrace>
> >   #include <abstractions/base-signal>
> > 
> 
> I'm not sure how this would address your previous comment.

It would keep policy authors from having to rewrite abstractions/base.
If they didn't want to include all of the base abstraction, they could
pick and choose what they include. For example, they could include
base-files and base-ptrace, but could opt out of base-signal.

FWIW, I'm not advocating for or against the idea. I'm just thinking out
loud on what Christian's proposal would mean...

Tyler
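A worked rendering of the split Christian proposes and the opt-out Tyler describes, added here as an editorial illustration; it is not part of this thread and not the AppArmor project's shipped abstractions. The rule bodies are a reconstruction of Jamie's bullet list in AppArmor 2.9 ptrace/signal syntax (the real patch text is not on this page), the file names base-files, base-ptrace and base-signal are Christian's proposed names, and the profile paths /usr/bin/example-split and /usr/bin/example-deny are hypothetical. The two profiles at the end reach the same end state (receive only HUP from unconfined) once against the split abstractions and once against a monolithic base that already carries the signal rule, which is where the large deny set comes in.

```apparmor
# --- abstractions/base-files (hypothetical name) ---
# The "old" abstractions/base: file, library and /proc rules only.
# Its contents are unchanged and not reproduced here.

# --- abstractions/base-ptrace (hypothetical name) ---
# Reconstruction of the ptrace bullets, not the patch text.

  # Reciprocal readby/tracedby to everyone: any peer may read or trace
  # us, but only if that peer is unconfined or itself holds a matching
  # ptrace (read)/(trace) rule naming us. Without a peer= the rule is
  # not restricted to a particular peer label.
  ptrace (readby, tracedby),

  # Allow us to ptrace read ourselves.
  ptrace (read) peer=@{profile_name},

# --- abstractions/base-signal (hypothetical name) ---
# Reconstruction of the signal bullets, not the patch text.

  # Receive all signals from unconfined.
  signal (receive) peer=unconfined,

  # Allow us to signal ourselves.
  signal peer=@{profile_name},

  # kill(pid, 0) style existence checks are mediated as the "exists"
  # pseudo-signal; allow it in both directions.
  signal (send, receive) set=(exists),

# --- abstractions/base (hypothetical, after the split) ---
  #include <abstractions/base-files>
  #include <abstractions/base-ptrace>
  #include <abstractions/base-signal>

# --- Profile A: opt out of base-signal, accept only HUP from unconfined ---
# (hypothetical path; this is the pick-and-choose case Tyler describes)
/usr/bin/example-split {
  #include <abstractions/base-files>
  #include <abstractions/base-ptrace>

  # Keep the self-signal and pid-existence rules we still want.
  signal peer=@{profile_name},
  signal (send, receive) set=(exists),

  # The only signal we accept from unconfined.
  signal (receive) set=(hup) peer=unconfined,

  /usr/bin/example-split mr,
}

# --- Profile B: same end state against a monolithic abstractions/base ---
# (hypothetical path; alternative to Profile A, not meant to coexist)
# base already grants "signal (receive) peer=unconfined", so the profile
# must carve out every other signal. deny takes precedence over allow in
# AppArmor, so this works, but it is the big set=(...) Christian objects
# to, and it has to be kept in sync with the signal list by hand. Only the
# standard signals are listed; real-time signals (rtmin+N) would need
# listing too if they are to be blocked.
/usr/bin/example-deny {
  #include <abstractions/base>

  deny signal (receive) set=(int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt) peer=unconfined,

  /usr/bin/example-deny mr,
}
```

Profile A is shorter and states its intent positively; Profile B is what a policy author is left with today if the signal rule lives in the single base abstraction and they do not want to maintain a site-local copy of it.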