[apparmor] [PATCH 07/10] Update exec transition documentation.

John Johansen john.johansen at canonical.com
Sat Mar 21 10:12:13 UTC 2015


On 03/20/2015 11:23 AM, Christian Boltz wrote:
> Hello everyone,
> 
> On Friday, 20 March 2015, John Johansen wrote:
>> Add missing ix and ux fallback permission modes, named profile
>> transitions. Also fix the file access modes and rule pattern to
>> properly reflect what is allowed.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>>  parser/apparmor.d.pod | 100
>> +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 90
>> insertions(+), 10 deletions(-)
>>
>> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
>> index 08407de..d44fe33 100644
>> --- a/parser/apparmor.d.pod
>> +++ b/parser/apparmor.d.pod
>> @@ -195,13 +195,17 @@ B<UNIX ATTR COND> 'attr' '=' ( I<AARE> | '(' '"'
>> I<AARE> '"' | I<AARE> ')' )
>>
>>  B<UNIX OPT COND> 'opt' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE>
>> ')' )
>>
>> -B<FILE RULE> = I<FILE QUALIFIERS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB>
>> ) I<ACCESS> ',' 
>> +B<FILE RULE> = I<FILE QUALIFIERS> ( '"' I<FILEGLOB>
> 
> As in 5/10, please change this to ... = I<QUALIFIERS> [ 'owner' ] ... 
> and ... 
> 
>> '"' | I<FILEGLOB> ) I<ACCESS> [ -E<gt> <EXEC TARGET> ] ',' +
>> +B<FILE QUALIFIERS> = [ I<QUALIFIERS> ] [ 'owner' ] [ 'file' ]
> 
> ... drop the <FILE QUALIFIERS> definition.
> 
>>  B<FILEGLOB> = (must start with '/' (after variable expansion),
>> B<AARE> have special meanings; see below. May include I<VARIABLE>.
>> Rules with embedded spaces or tabs must be quoted. Rules must end
>> with '/' to apply to directories.)
>>
>> -B<FILE QUALIFIERS> [ I<QUALIFIERS> ] [ 'owner' ]
>> +B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION>
>> )+  (not all combinations are allowed; see below.) +
>> +B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' |
>> 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'Pux' | 'cux' | 'Cux'
>> )
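Review bot: in the B<FILE RULE> production the new optional target is written as [ -E<gt> <EXEC TARGET> ], with a bare <EXEC TARGET> where every other nonterminal in this grammar is I<...>, and no B<EXEC TARGET> production appears in this hunk. Suggest I<EXEC TARGET> plus a definition line next to B<EXEC TRANSITION>. Separately, B<ACCESS> lets I<EXEC TRANSITION> repeat under ( ... )+ while the later text says each mode is "Incompatible with other exec transition modes", so the "(not all combinations are allowed; see below.)" caveat could state that at most one exec transition is allowed per rule.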
> 
> Is the mixed upper-/lowercase in Pux and Cux correct or should it be 
> PUx/CUx?
> 
> I seem to remember that the first letter decides about scrubbing the 
> environment, so this should probably be PUx and CUx (with Ux as their 
> fallback)
> 
So the parser accepts either, but the back end only supports a single
bit indicating whether or not to use safe exec, so it should be pux, cux,
and PUx, CUx.

I think probably we should add a patch to the parser to warn about
Pux, Cux, as it could be confusing for users to get environment
scrubbing with the unconfined fallback.


> [...]
>> +=item B<Pux>
> 
> PUx?
> 
>> +- discrete profile execute with fallback to unconfined -- scrub the
>> environment +
>> +=item B<cux>
>> +
>> +- transition to subprofile on execute with fallback to unconfined
>> +
>> +=item B<Cux>
> 
> CUx?
> 
> [...]
>> +=item B<Profile transition with inheritance fallback execute mode>
>> +
>> +These modes attempt to preform a domain transition as specified by
> 
> Should this be p_er_form instead of p_re_form?
> 
perform

> [...]
>> +=item B<Profile transition with unconfined fallback execute mode>
>> +
>> +These modes attempt to preform a domain transition as specified by
>> +the matching permission (shown below) and if that transition fails
>> +to find the matching profile the domain transition proceeds using
>> +the 'ux' transition mode if 'pux', 'cux' or the 'Ux' transition mode
>> +if 'Pux', 'Cux' is used.
>> +
>> +  'Pux' == 'Px' with fallback to 'ux'
>> +  'pux' == 'px' with fallback to 'ux'
>> +  'Cux' == 'Cx' with fallback to 'ux'
>> +  'cux' == 'cx' with fallback to 'ux'
> 
> PUx/CUx instead of Pux/Cux?
> 
>> +Incompatible with other exec transition modes.
>> +
>> +=item B<Directed profile transitions>
>> +
>> +The directed ('px', 'Px', 'pix', 'Pix', 'pux', 'Pux') profile and
>> +subprofile ('cx', 'Cx', 'cix', 'Cix', 'cux', 'Cux') transitions
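Review bot: the paragraph and the table in the unconfined-fallback item disagree. The paragraph says 'Pux' and 'Cux' proceed with the 'Ux' transition mode, but the table reads "'Pux' == 'Px' with fallback to 'ux'" and "'Cux' == 'Cx' with fallback to 'ux'". This decides whether the environment is scrubbed when the process ends up unconfined, so the two upper-case rows should say 'Ux' (and be spelled PUx/CUx if the naming raised in this thread is adopted). "preform" in the first sentence of the item should be "perform", the same typo as in the inheritance-fallback item.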
> 
> PUx/CUx instead of Pux/Cux?
> 
> 
> Regards,
> 
> Christian Boltz
> 
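The parser warning suggested in the reply above can be approximated outside the parser. The following is an added example, not code from the AppArmor project or from this thread: a small Python check that flags the mixed-case 'Pux'/'Cux' spellings in profile text and suggests 'PUx'/'CUx'. The function name, the token heuristic and the sample profile are assumptions made for illustration.

```python
import re

# Mixed-case spellings discussed in the thread, mapped to the spelling the
# reply says they should have. Only these two come from the page.
MIXED_CASE = {"Pux": "PUx", "Cux": "CUx"}

# A permission token: optional plain access letters around one exec mode.
PERM_TOKEN = re.compile(r"^[rwalkm]*(Pux|Cux)[rwalkm]*$")


def lint_profile(text):
    """Return (line_number, found_mode, suggested_mode) per mixed-case mode."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments (simplified heuristic)
        for token in line.split():
            token = token.rstrip(",")
            # Paths, variables and quoted globs are never permission tokens.
            if token.startswith(("/", "@", '"')):
                continue
            match = PERM_TOKEN.match(token)
            if match:
                mode = match.group(1)
                findings.append((lineno, mode, MIXED_CASE[mode]))
    return findings


# Constructed sample profile (not from the page).
SAMPLE_PROFILE = """\
/usr/bin/example {
  /usr/bin/helper   Pux,      # mixed case
  /usr/bin/tool     rCux,     # mixed case, combined with read
  /usr/bin/other    PUx,      # consistent spelling, safe exec
  /usr/bin/legacy   pux,      # consistent spelling, no scrubbing
  /opt/Pux/run      rix,      # 'Pux' inside a path is not a mode
}
"""

if __name__ == "__main__":
    for lineno, mode, fix in lint_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: '{mode}' mixes case; write '{fix}' "
              f"(the environment is scrubbed on the unconfined fallback too)")
```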



