[apparmor] IPC and sockets

Viacheslav Salnikov slavasalnikovv at gmail.com
Tue Feb 13 15:52:01 UTC 2018


Thanks.

May I ask you another set of questions about AppArmor sockets?


   1. Is there some kind of documentation which describes named stream socket
   armoring? Because I tried to armor a named socket. AppArmor complains only
   about the connection, but I cannot deny sending/receiving data through such
   a socket. There is a lot of info about anonymous sockets on the Internet,
   though.
   2. So I tried anonymous datagram sockets. It is possible to deny
   send/receive, and no data flows through the socket. And I have a question:
   is it possible to set up an AppArmor profile to complain every time an app
   writes to/reads from the socket?




2018-02-09 14:34 GMT+02:00 John Johansen <john.johansen at canonical.com>:

> On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
> > Hi John,
> >
> > But even if the upstream backport from 4.10 to 4.4 does not contain
> > out-of-tree patches, Xenial 4.4 has sockets support (and probably
> > namespace support too).
> >
> > Or am I wrong?
> >
>
> Correct for socket support: the network and af_unix mediation patches
> are not present in the backport.
>
> As I noted:
> >     the upstream backport series does not include the out of tree
> >     patches but those can be obtained from the apparmor project tree
> >     in the kernel patches directory
> >
> >     https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
>
> As for policy namespace support, it has existed in various forms since
> apparmor was included in 2.6.36; it's just a matter of what interfaces
> are supported. The 4.11, 4.12, and 4.13 kernels each added support for
> newer interfaces and reworked apparmorfs to better support policy
> namespaces.
>
> Full support of apparmor policy around linux namespaces (mount, user,
> pid, ...) is still a work in progress.
>
>
>
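An added example, not from this thread and not an answer from the AppArmor project, showing the Unix domain socket rule syntax documented in apparmor.d(5) applied to the two questions above. The confined binary /usr/local/bin/sockapp, the abstract socket name @sockapp-ctl and the path-based socket /run/sockapp/ctl.sock are assumptions chosen for illustration:

```apparmor
# Added example profile; the binary path, socket path and abstract
# socket name below are assumptions, not identifiers from the thread.
#include <tunables/global>

/usr/local/bin/sockapp {
  #include <abstractions/base>

  # Anonymous and abstract-namespace sockets are covered by 'unix' rules.
  # The 'audit' qualifier logs every access the rule matches, even though
  # the access is allowed, which is the "complain on every read/write"
  # behaviour asked about in question 2.
  audit unix (send, receive) type=dgram,

  # Named stream socket in the abstract namespace (question 1, abstract
  # variant): connection setup and data transfer are separate accesses,
  # so 'connect' alone is not enough to let data flow.
  audit unix (create, bind, listen, accept, connect, send, receive)
        type=stream addr=@sockapp-ctl,

  # A 'deny' rule refuses the access and is logged by default; this one
  # blocks datagram traffic on a second, assumed abstract socket name.
  deny unix (send, receive) type=dgram addr=@other-app,

  # A socket bound to a file system path is mediated by file rules on that
  # path rather than by 'unix' rules; 'audit' again logs what AppArmor sees.
  audit /run/sockapp/ctl.sock rw,
}
```

Accesses matched by an `audit` rule appear in the kernel log as `apparmor="AUDIT"` rather than `apparmor="DENIED"`, so an allowed send or receive still leaves a record. All of this presupposes a kernel that carries the af_unix mediation patches; on a kernel without them, such as the Xenial 4.4 backport described in the quoted reply, the rules have no effect because the socket operations are never presented to AppArmor for mediation.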