[apparmor] IPC and sockets
Seth Arnold
seth.arnold at canonical.com
Fri Dec 8 21:00:35 UTC 2017
On Fri, Dec 08, 2017 at 06:20:01PM +0200, Viacheslav Salnikov wrote:
> I want to ensure that communication through unix socket is monitored by
> apparmor.
> What should I do to make this happen?
Hello Viacheslav,
This is actually slightly complicated to answer:
- Different kernels will have different kinds of mediation available.
  Hopefully this problem will be getting better in the future, but in the
  meantime, it's best to check the advertised features of the system in
  question:

    $ cat /sys/kernel/security/apparmor/features/network/af_unix
    yes

- Different parsers will have different kinds of mediation available. The
  easy test is to try:

    $ echo "profile p { unix, }" | apparmor_parser -Qd
    Warning from stdin (line 1): apparmor_parser: cannot use or update
    cache, disable, or force-complain via stdin
    ----- Debugging built structures -----
    Name: p
    Profile Mode: Enforce
    unix (),

- Policy pinning via apparmor_parser's --features-file (-M) setting may
  influence what is actually compiled.
I hope this helps, please don't hesitate to ask for further help.
Thanks
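
The three checks from the message above, combined into one report. This is an added example, not part of the original post or of the AppArmor project's own tooling; the /etc/apparmor/parser.conf path and its "features-file=" line format are assumptions about where a distribution pins features.

```shell
#!/bin/sh
# Added example: the kernel, parser and pinning checks as one report.
# The FEATURES_DIR and PARSER_CONF defaults are assumptions; override as needed.
FEATURES_DIR="${FEATURES_DIR:-/sys/kernel/security/apparmor/features}"
PARSER_CONF="${PARSER_CONF:-/etc/apparmor/parser.conf}"

# Kernel: succeeds only if the running kernel advertises af_unix mediation.
kernel_af_unix() {
    f="${1:-$FEATURES_DIR}/network/af_unix"
    [ -r "$f" ] && [ "$(cat "$f")" = "yes" ]
}

# Parser: reads `apparmor_parser -Qd` output on stdin and succeeds if the
# debug dump contains a compiled unix rule (e.g. "unix (),").
parser_dump_has_unix() {
    grep -Eq '^[[:space:]]*unix([[:space:]]|\(|,)'
}

# Pinning: prints the features file named by an uncommented
# "features-file" line in parser.conf; fails if nothing is pinned there.
pinned_features_file() {
    conf="${1:-$PARSER_CONF}"
    [ -r "$conf" ] || return 1
    p=$(sed -n 's/^[[:space:]]*features-file[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$p" ] && printf '%s\n' "$p"
}

report() {
    if kernel_af_unix; then echo "kernel: af_unix mediation advertised"
    else echo "kernel: af_unix mediation NOT advertised"; fi

    if ! command -v apparmor_parser >/dev/null 2>&1; then
        echo "parser: apparmor_parser not found"
    elif echo "profile p { unix, }" | apparmor_parser -Qd 2>/dev/null | parser_dump_has_unix; then
        echo "parser: unix rules accepted"
    else
        echo "parser: unix rules NOT accepted"
    fi

    if pinned=$(pinned_features_file); then
        echo "pinning: parser.conf pins $pinned (compare it with the kernel's features)"
    else
        echo "pinning: no features-file in parser.conf (a -M on the command line would still apply)"
    fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with --report on the system in question; all three lines need to come back favourable before unix rules in a profile can be expected to take effect.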