[apparmor] [patch] apparmor.d.pod: document 'deny x'
Seth Arnold
seth.arnold at canonical.com
Thu Feb 11 19:03:19 UTC 2016
On Sun, Jan 10, 2016 at 06:32:49PM +0100, Christian Boltz wrote:
> Hello,
>
> deny rules don't allow ix, Px, Ux etc. - only 'deny /foo x,' is allowed.
>
> (Well, mostly - see https://bugs.launchpad.net/apparmor/+bug/1532578 )
>
>
> I propose this patch for trunk and 2.10
> (it doesn't apply on the 2.9 apparmor.d.pod, and I'm too lazy to backport it ;-)
The portion with =item B<deny x> feels out of place; I'd recommend
dropping that portion. The rest looks good though.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
>
> [ apparmor.d.pod-deny-x.diff ]
>
> === modified file ./parser/apparmor.d.pod
> --- parser/apparmor.d.pod 2016-01-10 18:02:11.060675379 +0100
> +++ parser/apparmor.d.pod 2016-01-10 18:00:49.985190030 +0100
> @@ -251,7 +251,7 @@
>
> B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION> )+ (not all combinations are allowed; see below.)
>
> -B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' )
> +B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' ) ('x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier)
>
> B<EXEC TARGET> = name (requires I<EXEC TRANSITION> specified)
>
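Review bot: in the B<EXEC TRANSITION> production, 'x' is added as one more alternative, but the restriction on it lives only in the trailing parenthetical, so the grammar as written still admits 'deny /foo ix,' and an unqualified '/foo x,'. Consider a separate production for the deny case that allows only 'x', keeping the B<EXEC TRANSITION> line as the list of actual transitions; that also avoids the long parenthetical on an already long grammar line.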
> @@ -366,6 +366,10 @@
>
> - transition to subprofile on execute with fallback to unconfined -- scrub the environment
>
> +=item B<deny x>
> +
> +- disallow execute (in rules with the deny qualifier)
> +
> =item B<m>
>
> - allow PROT_EXEC with mmap(2) calls
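Review bot: the new '=item B<deny x>' entry puts the qualifier in the item name, while the neighbouring entry is just the mode letter ('=item B<m>'), and the same information is added again as '=item B<deny x - Deny execute>' in the @@ -527 hunk. Suggest dropping this entry, or naming it B<x> with the deny restriction in its description, so the mode is documented in one place.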
> @@ -428,7 +432,7 @@
> run unconfined and LD_PRELOAD must be used. Any profile using this mode
> provides negligible security. Use at your own risk.
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
>
> =item B<Ux - unconfined execute -- scrub the environment>
>
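Review bot: the replacement sentence 'Incompatible with other exec transition modes and the deny qualifier.' says what is rejected but not what to write instead, and it is repeated verbatim under each exec mode in the hunks that follow. Suggest pointing the reader to the 'deny x' item here, or stating the restriction once ahead of the per-mode items rather than in every one.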
> @@ -442,7 +446,7 @@
> Use this mode only if the child absolutely must be run unconfined. Use
> at your own risk.
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
>
> =item B<px - Discrete Profile execute mode>
>
> @@ -454,7 +458,7 @@
> LD_PRELOAD; as a result, the calling domain may have an undue amount of
> influence over the callee.
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
>
> =item B<Px - Discrete Profile execute mode -- scrub the environment>
>
> @@ -463,7 +467,7 @@
> the environment, similar to setuid programs. (See ld.so(8) for some
> information on setuid/setgid environment scrubbing.)
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
>
> =item B<cx - Transition to Subprofile execute mode>
>
> @@ -475,7 +479,7 @@
> LD_PRELOAD; as a result, the calling domain may have an undue amount of
> influence over the callee.
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
>
> =item B<Cx - Transition to Subprofile execute mode -- scrub the environment>
>
> @@ -484,7 +488,7 @@
> the environment, similar to setuid programs. (See ld.so(8) for some
> information on setuid/setgid environment scrubbing.)
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
>
> =item B<ix - Inherit execute mode>
>
> @@ -498,7 +502,7 @@
> version to scrub the environment because 'ix' executions don't change
> privileges.
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
>
> =item B<Profile transition with inheritance fallback execute mode>
>
> @@ -512,7 +516,7 @@
> 'Cix' == 'Cx' with fallback to 'ix'
> 'cix' == 'cx' with fallback to 'ix'
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
>
> =item B<Profile transition with unconfined fallback execute mode>
>
> @@ -527,7 +531,14 @@
> 'CUx' == 'Cx' with fallback to 'Ux'
> 'cux' == 'cx' with fallback to 'ux'
>
> -Incompatible with other exec transition modes.
> +Incompatible with other exec transition modes and the deny qualifier.
> +
> +=item B<deny x - Deny execute>
> +
> +For rules including the deny modifier, only 'x' is allowed to deny execute.
> +
> +The 'ix', 'Px', 'px', 'Cx', 'cx' and the fallback modes conflict with the deny
> +modifier.
>
> =item B<Directed profile transitions>
>
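Review bot: in the new 'deny x - Deny execute' item, the list of conflicting modes ('ix', 'Px', 'px', 'Cx', 'cx' and the fallback modes) omits 'ux' and 'Ux', although the unconfined execute items earlier in this patch are also marked incompatible with the deny qualifier. Add them, or say that all exec transition modes conflict. The item also says 'deny modifier' where the rest of the patch says 'deny qualifier'; use one term throughout.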