[apparmor] IPC and sockets

Viacheslav Salnikov slavasalnikovv at gmail.com
Wed Feb 7 12:32:13 UTC 2018


Hi guys,

I checked out Ubuntu 16.04 and got this output:
$ cat /sys/kernel/security/apparmor/features/network/af_unix
yes

But Ubuntu 16.04 is based on a 4.4 kernel:
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


I cloned the xenial kernel for investigation and af_unix is in the kernel.
Does it mean that somebody did the backport, or what? Maybe you know about
that.

Best regards, Slava.
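The two checks Slava runs by hand above (reading the kernel's af_unix feature flag and feeding a `unix,` rule to `apparmor_parser -Q`) can be scripted so both halves of John's answer, kernel support and userspace support, are tested in one go. This is an added example written for this thread, not something posted by any participant or shipped by the AppArmor project; the `AA_FEATURES_DIR` override and the function names are my own, and the only assumptions about the system are the ones already visible in the thread (the `features/network/af_unix` file reads `yes` when the kernel mediates unix sockets, and `apparmor_parser -Q` rejects rule types it does not understand).

```shell
#!/bin/sh
# Added example (not from the thread): verify that both the running kernel
# and the installed apparmor_parser advertise unix socket mediation.

# Allow the features directory to be overridden (hypothetical knob, useful
# for testing against a constructed directory instead of the live sysfs).
AA_FEATURES_DIR="${AA_FEATURES_DIR:-/sys/kernel/security/apparmor/features}"

# kernel_af_unix_supported DIR
#   Prints "yes" and returns 0 when DIR/network/af_unix reads "yes";
#   prints "no" and returns 1 when the file is missing, unreadable, or
#   says anything else (e.g. a kernel without the out-of-tree patchset).
kernel_af_unix_supported() {
    f="$1/network/af_unix"
    if [ -r "$f" ] && [ "$(cat "$f")" = "yes" ]; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# parser_unix_rule_supported
#   Returns 0 when apparmor_parser accepts a minimal profile containing a
#   "unix," rule (-Q skips loading into the kernel), 1 when it rejects the
#   rule, and 2 when no apparmor_parser is installed at all.
parser_unix_rule_supported() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    echo 'profile p { unix, }' | apparmor_parser -Q >/dev/null 2>&1
}

# Report both results; never exits non-zero itself so it is safe to source.
main() {
    if kernel_af_unix_supported "$AA_FEATURES_DIR" >/dev/null; then
        echo "kernel: unix socket mediation advertised (af_unix=yes)"
    else
        echo "kernel: no unix socket mediation (af_unix missing or not yes)"
    fi

    if parser_unix_rule_supported; then
        echo "parser: accepts 'unix,' rules"
    else
        case $? in
            2) echo "parser: apparmor_parser not installed" ;;
            *) echo "parser: rejects 'unix,' rules (older than 2.11?)" ;;
        esac
    fi
    return 0
}

main
```

Both checks need to pass before a `unix` rule in a profile does anything: a parser that accepts the rule but a kernel without the flag silently drops the mediation, and a kernel with the flag but an older parser fails at profile load time.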


2017-12-14 11:55 GMT+02:00 Viacheslav Salnikov <slavasalnikovv at gmail.com>:

> Hello Seth and John,
>
> Thanks for your answers.
> -----------------------------------------------------------------------------------------------------------------------------
> It seems that used version of apparmor parser has support for unix sockets
> (I use 2.11):
>
> on this
> $ echo "profile p { unix, }" | apparmor_parser -Qd
>
> I got the following output
>
> Warning from stdin (line 1): apparmor_parser: cannot use or update
> cache, disable, or force-complain via stdin
> ----- Debugging built structures -----
> Name:         p
> Profile Mode: Enforce
> unix (),
>
> -----------------------------------------------------------------------------------------------------------------------------
> Is it possible to back-port from v4.13 to the v4.4? There are a lot of
> changes.
> Well, it's not like I want you to do all the work for me, alright? Is it
> possible to cooperate on this one?
>
> I think that the main unix socket functionality was brought by this patch:
> https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch
>
> What else should be added to the kernel?
>
>
> 2017-12-08 22:37 GMT+01:00 John Johansen <john.johansen at canonical.com>:
>
>> On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
>> > Hello,
>> >
>> > First of all, I googled and experimented. Didn't work out so well.
>> >
>> > I want to ensure that communication through unix socket is monitored by
>> apparmor.
>> > What should I do to make this happen?
>> >
>>
>> As Seth mentioned, you will need a kernel and userspace that support
>> unix socket mediation.
>>
>> AppArmor 2.11 (latest release) supports unix socket rules.
>>
>> The Ubuntu kernels have supported unix socket mediation in some form
>> since 14.10.
>>
>> The patch does not currently exist in the upstream kernel but there is an
>> out of tree patchset available, in the kernel-patches/ directory of the
>> userspace project.
>>
>> You can find it in the release tarball, or gitlab.com/apparmor/apparmor
>>
>> you will want the v4.13 or v4.14 dir
>>
>>
>