[apparmor] Apparmor rules for dconf confinement

William Hua william.hua at canonical.com
Wed May 27 17:22:16 UTC 2015



Hi,

Currently, there's no way in Apparmor to sandbox applications from
accessing any setting in a user's dconf database other than preventing
access altogether. We want to add a new rule to the policy format to
permit this. Here's the proposed syntax:

[audit] dconf <dconf-path> [r|rw],

We need to make some small changes to the Ubuntu kernel for this due
to the internal workings of dconf. When the application starts, dconf
needs to know the full list of readable/read-writable paths, so the
aa_query_label() function and its kernel implementation don't quite
fulfil this need.

I'm proposing for review the attached kernel patch. There is also the
corresponding Launchpad Apparmor branch at
https://code.launchpad.net/~attente/apparmor/dconf-rules-3, which
currently works with the patch, but is still a WIP (missing docs, and
we're considering adding label query support as well).

Thanks,
Will
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apparmor-add-dconf-query-support.patch
Type: text/x-patch
Size: 11817 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150527/fc424b76/attachment.bin>
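To make the proposed rule shape concrete, here is an added illustration (not code from the mail, the attached patch, or the Launchpad branch) that parses `[audit] dconf <dconf-path> [r|rw],` lines out of a constructed profile fragment, builds the readable and read-writable path lists that the mail says dconf needs at startup, and answers an access query for a key. The matching semantics (a path ending in `/` covers its subtree, anything else names one key) are an assumption for the example, not something the mail specifies.

```python
import re
from dataclasses import dataclass

# Rule shape quoted in the mail: [audit] dconf <dconf-path> [r|rw],
RULE_RE = re.compile(r'^\s*(?:(audit)\s+)?dconf\s+(\S+)\s+(rw|r)\s*,\s*$')


@dataclass(frozen=True)
class DconfRule:
    path: str
    mode: str    # "r" or "rw"
    audit: bool


def parse_dconf_rules(profile_text):
    """Collect dconf rules from a profile fragment; other lines are ignored."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(DconfRule(path=m.group(2), mode=m.group(3),
                                   audit=m.group(1) is not None))
    return rules


def path_matches(rule_path, key):
    # Assumed semantics for this example: a trailing '/' grants the whole
    # subtree; otherwise the rule names exactly one key.
    if rule_path.endswith('/'):
        return key.startswith(rule_path)
    return key == rule_path


def allowed_paths(rules):
    """The full readable / read-writable lists dconf would load at startup."""
    readable = sorted({r.path for r in rules})
    writable = sorted({r.path for r in rules if r.mode == 'rw'})
    return readable, writable


def access_for(rules, key):
    """Most permissive mode any rule grants to key; None means no access."""
    modes = [r.mode for r in rules if path_matches(r.path, key)]
    if not modes:
        return None
    return 'rw' if 'rw' in modes else 'r'


# Constructed profile fragment using the proposed syntax (hypothetical paths).
PROFILE = """
/usr/bin/example-app {
  dconf /org/gnome/desktop/interface/ r,
  audit dconf /org/example/app/ rw,
  dconf /org/gnome/desktop/background/picture-uri r,
}
"""
```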

