[apparmor] [patch 19/21] Add the ability to mediate signals.

Jamie Strandboge jamie at canonical.com
Mon Mar 24 20:39:25 UTC 2014


On 03/21/2014 08:25 PM, John Johansen wrote:
> On 03/21/2014 05:48 PM, Seth Arnold wrote:
>> On Mon, Mar 17, 2014 at 04:29:29PM -0700, john.johansen at canonical.com wrote:
>>> Add signal rules and make sure the parser encodes support for them
>>> if the supported feature set reports supporting them.
>>>
>>> The current format of the signal rule is
>>>
>>>   [audit] [deny] signal [<signal_perms>] [<signal_set>] <target_profile>,
>>>
>>>   signal_perm  := 'send'|'receive'|'r'|'w'|'rw'
>>>   signal_perms := <signal_perm> | '(' <signal_perm> ([,]<signal_perm>)* ')'
>>>   signal := ("hup"|"int"|"quit"|"ill"|"trap"|"abrt"|"bus"|"fpe"|"kill"|
>>>              "usr1"|"segv"|"usr2"|"pipe"|"alrm"|"term"|"tkflt"|"chld"|
>>
>> Note that the signal you've got in here as "tkflt" should actually be
>> "stkflt" here and throughout the code.
>>
>>>              "cont"|"stop"|"stp"|"ttin"|"ttou"|"urg"|"xcpu"|"xfsz"|"vtalrm"|
>>>              "prof"|"winch"|"io"|"pwr"|"sys"|"emt"|"exists")
>>>   signal_set   := set=<signal> | '(' <signal> ([,]<signal>)* ')'
>>>
>>>
>>> it does not currently follow the peer=() format, and there is some question
>>> as to whether it should or not. Input welcome.
>>
>> The peer=() stuff would feel so useless on these rules. I won't whine if
>> we don't do it, there's no "local" interfaces that could logically have
>> the same names, unlike dbus or networking.
>>
> heh, I really don't like the peer=() syntax and it really is pointless on
> this type of rule. That said going without it introduces an inconsistency.
> 
> currently we have
> 
>   signal (send,receive) set=(kill) /profile/foo,
> 
> which doesn't feel right either
> 
>   signal (send,receive) set=(kill) label=/profile/foo,
> 
> might be better.
> 
>   signal (send,receive) set=(kill) peer=(/profile/foo),
> 
> could work.
> 
> But I really dislike
> 
>   signal (send,receive) set=(kill) peer=(label=/profile/foo),
> 
> I could be convinced to go with it for consistency but basically  
> we need to look at it a little more, and decide what we want to do.
> 
Running the kernel and userspace from the dbus-dev ppa[1], I finally got around
to profiling with the current syntax. In general, I like it and it is
straightforward, but I don't really like having the target profile hanging off
the end. I think I prefer this best:

   signal (send,receive) set=(kill) label=/profile/foo,

It is more explicit and hearkens to the peer=() syntax without adding something
meaningless. If we leave the syntax as is, I think something like this rule is
potentially confusing:

   signal (receive) /usr/sbin/libvirtd,

I think people might wonder if '/usr/sbin/libvirtd' is referring to an
executable (which may or may not have a profile) or a profile name (label).

[1]https://launchpad.net/~apparmor-dev/+archive/dbus-dev/+packages

-- 
Jamie Strandboge                 http://www.ubuntu.com/
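As an added illustration (not part of the patch or of the AppArmor parser), a small Python checker for the signal rule grammar quoted in the patch description. It uses Seth's corrected spelling "stkflt", accepts either the bare trailing target profile from the patch or the `label=` form Jamie proposes (an assumed extension, since no syntax was settled in the thread), and reports an omitted permission or signal list as unspecified rather than assuming a default.

```python
import re
# Signal names from the patch's grammar, with Seth's fix: "tkflt" is "stkflt".
SIGNALS = {
    "hup", "int", "quit", "ill", "trap", "abrt", "bus", "fpe", "kill", "usr1",
    "segv", "usr2", "pipe", "alrm", "term", "stkflt", "chld", "cont", "stop",
    "stp", "ttin", "ttou", "urg", "xcpu", "xfsz", "vtalrm", "prof", "winch",
    "io", "pwr", "sys", "emt", "exists",
}
PERMS = {"send", "receive", "r", "w", "rw"}

# [audit] [deny] signal [<perms>] [set=<signals>] <target>,
# <target> is the bare trailing profile from the patch or, as an assumed
# extension, the "label=<profile>" form proposed in the reply.
RULE_RE = re.compile(
    r"^\s*(?P<audit>audit\s+)?(?P<deny>deny\s+)?signal\b\s*"
    r"(?P<perms>\([^)]*\)|(?:send|receive|rw|r|w)\b)?\s*"
    r"(?:set=(?P<set>\([^)]*\)|\w+))?\s*"
    r"(?P<target>[^\s,]+)?\s*,\s*$"
)

def _items(text):
    """Split a bare word or a '(a, b)' list into a non-empty set of items."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    items = {t for t in re.split(r"[,\s]+", text) if t}
    if not items:
        raise ValueError("empty list in signal rule")
    return items

def parse_signal_rule(rule):
    """Parse one signal rule into a dict, or raise ValueError if malformed."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a signal rule: {rule!r}")
    perms = _items(m["perms"]) if m["perms"] else None  # None: unspecified
    if perms is not None and not perms <= PERMS:
        raise ValueError(f"unknown permission(s): {sorted(perms - PERMS)}")
    sigs = _items(m["set"]) if m["set"] else None  # None: unspecified
    if sigs is not None and not sigs <= SIGNALS:
        raise ValueError(f"unknown signal name(s): {sorted(sigs - SIGNALS)}")
    target = m["target"]
    if not target:
        raise ValueError("signal rule has no target profile")
    form = "label" if target.startswith("label=") else "bare"
    if form == "label":
        target = target[len("label="):]
    return {"audit": bool(m["audit"]), "deny": bool(m["deny"]), "perms": perms,
            "signals": sigs, "target": target, "target_form": form}
```

Rules spelled with the old "tkflt" name, with no target profile, or with an unknown permission are rejected with a ValueError naming the offending part.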
