[apparmor] [PATCH] policy updates for ptrace and signal mediation
tyhicks at canonical.com
Tue Jun 24 16:36:48 UTC 2014
On 2014-06-24 07:54:54, Jamie Strandboge wrote:
> On 06/24/2014 06:34 AM, Christian Boltz wrote:
> > Hello,
> > Am Montag, 23. Juni 2014 schrieb Jamie Strandboge:
> >> - base-abstraction-ptrace-ipc.patch: adds policy to the base
> >> abstraction that is basically required on systems using targeted
> >> policy. Namely: - Allow reciprocal ptrace readby to everyone
> >> (requires peer unconfined or to ptrace read to us)
> >> - same for ptrace tracedby
> >> - allow us to ptrace read ourselves
> >> - receive all signals from unconfined
> >> - allow us to signal ourselves
> >> - allow sending and receiving "exists" (for pid existence)
> > Including these rule in the base abstractions looks like a good idea.
> > However I don't like that we force policy authors to use deny rules (or
> > rebuild 90% of abstractions/base) if they don't want the signal and
> > ptrace rules.
> > Things will get even more interesting if someone for example wants to
> > (only) allow
> > signal (receive) peer=unconfined set=("HUP")
> > The result will be a profile with lots of deny rules (one for each
> > signal that is not HUP) or, optimized version, a deny rule with a very
> > big set=(...).
> The deny rule is one way to handle it; people can always update their base
> abstraction for their site requirements.
> > IMHO it would be a good idea to split abstractions/base into
> > - abstractions/base-files (basically the "old" abstractions/base)
> > - abstractions/base-ptrace (ptrace rules from your patch)
> > - abstractions/base-signal (signal rules from your patch)
> > abstractions/base would then basically be:
> > #include <abstractions/base-files>
> > #include <abstractions/base-ptrace>
> > #include <abstractions/base-signal>
> I'm not sure how this would address your previous comment.
It would keep policy authors from having to rewrite abstractions/base.
If they didn't want to include all of the base abstraction, they could
pick and choose what they include. For example, they could include
base-files and base-ptrace, but could opt out of base-signal.
FWIW, I'm not advocating for or against the idea. I'm just thinking out
loud on what Christian's proposal would mean...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: Digital signature
More information about the AppArmor