[apparmor] [patch] apparmor.d.pod: document 'deny x'
Christian Boltz
apparmor at cboltz.de
Sun Jan 10 17:32:49 UTC 2016
Hello,
deny rules don't allow ix, Px, Ux etc. - only 'deny /foo x,' is allowed.
(Well, mostly - see https://bugs.launchpad.net/apparmor/+bug/1532578 )
I propose this patch for trunk and 2.10
(it doesn't apply on the 2.9 apparmor.d.pod, and I'm too lazy to backport it ;-)
[ apparmor.d.pod-deny-x.diff ]
=== modified file ./parser/apparmor.d.pod
--- parser/apparmor.d.pod 2016-01-10 18:02:11.060675379 +0100
+++ parser/apparmor.d.pod 2016-01-10 18:00:49.985190030 +0100
@@ -251,7 +251,7 @@
B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION> )+ (not all combinations are allowed; see below.)
-B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' )
+B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' ) ('x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier)
B<EXEC TARGET> = name (requires I<EXEC TRANSITION> specified)
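Review bot: the parenthetical appended to the B<EXEC TRANSITION> production on the '+' line is hard to parse; "everything else only without the deny qualifier" leaves it unclear whether "everything else" means the other transition modes or the other ACCESS letters. Suggest moving it out of the grammar into a sentence below it, e.g. "'x' is only valid together with the deny qualifier; all other exec transition modes are invalid in deny rules.", and, since the cover mail says the parser only "mostly" enforces this (LP: #1532578), word it as what the syntax permits rather than what the parser currently rejects.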
@@ -366,6 +366,10 @@
- transition to subprofile on execute with fallback to unconfined -- scrub the environment
+=item B<deny x>
+
+- disallow execute (in rules with the deny qualifier)
+
=item B<m>
- allow PROT_EXEC with mmap(2) calls
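Review bot: the short summary "disallow execute (in rules with the deny qualifier)" does not say that no transition mode may accompany the 'x', so a reader skimming this list may still write "deny /foo ix,". Consider "- disallow execute (deny rules take a bare 'x' with no transition mode)" so the restriction is visible here as well as in the longer B<deny x - Deny execute> section.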
@@ -428,7 +432,7 @@
run unconfined and LD_PRELOAD must be used. Any profile using this mode
provides negligible security. Use at your own risk.
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
=item B<Ux - unconfined execute -- scrub the environment>
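Review bot: the same sentence "Incompatible with other exec transition modes and the deny qualifier." is appended verbatim to nine =item sections in this patch. That is readable, but it means nine places to keep in sync; if the per-mode sentences stay, the set of modes they cover and the set listed in the B<deny x - Deny execute> section should match, and a single "deny rules accept only a bare 'x'" statement there would carry the rule in one place.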
@@ -442,7 +446,7 @@
Use this mode only if the child absolutely must be run unconfined. Use
at your own risk.
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
=item B<px - Discrete Profile execute mode>
@@ -454,7 +458,7 @@
LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee.
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
=item B<Px - Discrete Profile execute mode -- scrub the environment>
@@ -463,7 +467,7 @@
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
=item B<cx - Transition to Subprofile execute mode>
@@ -475,7 +479,7 @@
LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee.
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
=item B<Cx - Transition to Subprofile execute mode -- scrub the environment>
@@ -484,7 +488,7 @@
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
=item B<ix - Inherit execute mode>
@@ -498,7 +502,7 @@
version to scrub the environment because 'ix' executions don't change
privileges.
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
=item B<Profile transition with inheritance fallback execute mode>
@@ -512,7 +516,7 @@
'Cix' == 'Cx' with fallback to 'ix'
'cix' == 'cx' with fallback to 'ix'
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
=item B<Profile transition with unconfined fallback execute mode>
@@ -527,7 +531,14 @@
'CUx' == 'Cx' with fallback to 'Ux'
'cux' == 'cx' with fallback to 'ux'
-Incompatible with other exec transition modes.
+Incompatible with other exec transition modes and the deny qualifier.
+
+=item B<deny x - Deny execute>
+
+For rules including the deny modifier, only 'x' is allowed to deny execute.
+
+The 'ix', 'Px', 'px', 'Cx', 'cx' and the fallback modes conflict with the deny
+modifier.
=item B<Directed profile transitions>
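Review bot: the new B<deny x - Deny execute> section lists 'ix', 'Px', 'px', 'Cx', 'cx' and the fallback modes as conflicting with deny but omits 'ux' and 'Ux', which the ux and Ux hunks above also mark "Incompatible with other exec transition modes and the deny qualifier." Suggest "The 'ix', 'ux', 'Ux', 'px', 'Px', 'cx', 'Cx' and all fallback modes conflict with the deny modifier." Also "only 'x' is allowed to deny execute" reads awkwardly; "the execute permission must be a bare 'x', with no transition mode" says the same thing more directly.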
Regards,
Christian Boltz
--
Then you'll see quite clearly that the cursor is blinking, and it
has fiery red dead eyes that stare at you and roar:
".. AND IF YOU MAKE A TYPO, I'LL EAT YOU UP, MOUSE POINTER
AND ALL!!!!" [Ratti in suse-programming]