[apparmor] IPC and sockets
Seth Arnold
seth.arnold at canonical.com
Thu Feb 15 19:32:02 UTC 2018
Hi Slava,
On Thu, Feb 15, 2018 at 05:21:43PM +0200, Viacheslav Salnikov wrote:
> does AppArmor complain about communication through the unix domain
> sockets into dmesg?
AppArmor's kernel mediation uses the audit facility, which on most systems
does go through dmesg, but with lossy rate-limiting output. Probably
"yes" is the answer you're looking for here :) but I wanted to give a
fuller picture.
> All I've got - AppArmor can restrict access to named unix socket as a
> file - because it is a file - without using "deny unix". Actually, deny
> unix does not work for me with named sockets.
Correct; the sockets in the filesystem have coarse rules compared to
the sockets in the abstract and unnamed namespaces:
Unix socket rules
AppArmor supports fine grained mediation of unix domain
abstract and anonymous sockets. Unix domain sockets with file
system paths are mediated via file access rules.
[...]
Thanks
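To make the distinction above concrete, here is an added example profile (constructed for this note, not taken from the post or from the AppArmor project) for a hypothetical client at /usr/local/bin/ipc-client that talks to one filesystem-path socket and one abstract-namespace socket; the socket paths and names are assumptions.

```apparmor
# Constructed example: /etc/apparmor.d/usr.local.bin.ipc-client (hypothetical)
#include <tunables/global>

/usr/local/bin/ipc-client {
  #include <abstractions/base>

  # Named socket in the filesystem: mediated via file access rules, so this
  # file rule is what permits connect()/send()/recv() on it. A 'deny unix'
  # rule has no effect on this socket, which is what the thread observed.
  /run/myservice/control.sock rw,

  # Abstract-namespace socket (leading '@'): fine-grained unix rules apply,
  # with the remote side named in the peer expression.
  unix (connect, send, receive) type=stream peer=(addr="@myservice-ctl"),

  # Explicit deny on an abstract socket: this is the case where 'deny unix'
  # does take effect, and the denial is reported through the audit facility.
  deny unix (connect) type=stream peer=(addr="@other-daemon"),
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.local.bin.ipc-client`; a blocked connect to @other-daemon then shows up as an apparmor="DENIED" line in the audit log (and, rate-limiting permitting, in dmesg).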