[apparmor] How does ALIAS work?
J. R. Okajima
hooanon05g at gmail.com
Fri Dec 27 12:15:44 UTC 2019
Hello,

Would you kindly tell me how to use the ALIAS rule?

Here is a shell script I am testing.
- prepare "/tmp/file"
- generate and enable a profile for cat(1), which allows opening "/file".
- expecting a failure, run "cat /tmp/file"
- add an alias rule "alias / -> /tmp/,"
- expecting a success, run "cat /tmp/file" again, but it fails.
Environment
$ uname -a
Linux jrotkm 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
ii apparmor 2.13.2-10
ii apparmor-utils 2.13.2-10
ii libapparmor1:amd64 2.13.2-10
ii python3-apparmor 2.13.2-10
ii python3-libapparmor 2.13.2-10
What is wrong with my script?
J. R. Okajima
----------------------------------------
#!/bin/sh
# Build a profile for cat(1) in a scratch copy of /etc/apparmor.d, then
# check whether an alias rule makes the "/file mr," rule cover /tmp/file.
tmp=/tmp/$$
set -eu

cmd=$(readlink -f /bin/cat)
# Profile file name in the /etc/apparmor.d convention: "/bin/cat" -> "bin.cat"
cmdprof=$tmp.AA/$(echo $cmd | cut -c2- | tr / .)
aliasprof=$tmp.AA/tunables/alias
testfile=/tmp/file

echo test > $testfile

# Scratch profile directory: a symlink tree mirroring /etc/apparmor.d,
# with tunables/alias replaced by a real copy so it can be appended to
# without touching the system file.
rm -fr $tmp.AA
mkdir $tmp.AA
lndir -silent /etc/apparmor.d $tmp.AA
cp -p $aliasprof $aliasprof.tmp
mv $aliasprof.tmp $aliasprof

# Generate the profile: cat itself, its shared libraries, ld.so.cache,
# and "/file" (deliberately not $testfile).
{
	echo '#include <tunables/global>'
	echo $cmd '{'
	echo $cmd mr,
	{
		ldd $cmd |
		fgrep -v linux-vdso
		echo /etc/ld.so.cache
		#echo $testfile
		echo /$(basename $testfile)
	} |
	cut -f2 -d'>' |
	cut -f1 -d'(' |
	xargs -r -n1 readlink -f |
	sed -e 's/$/ mr,/'
	echo '}'
} |
tee $cmdprof #> /dev/null

# Run cat under strace so the open/openat result is visible either way.
do_test()
{
	echo \# "$@"
	set +e
	set -x
	strace -e trace=open,openat $cmd $testfile
	set +x
	set -e
	true
}

do_test "should succeed"

# Enforce the generated profile; aa-status must change, otherwise stop.
sudo aa-status > $tmp.status
sudo aa-enforce $cmd -d $tmp.AA
sudo aa-status |
diff -qu $tmp.status - && false
do_test "should fail"

# Append the alias rule and reload the scratch directory.
echo alias / '->' $(dirname $testfile)/, |
tee -a $aliasprof
sudo aa-disable $cmd -d $tmp.AA
sudo apparmor_parser --reload $tmp.AA
sudo aa-status |
diff -qu $tmp.status - && false
do_test "ALIAS should make it work"

# Restoration
sudo aa-disable $cmd -d $tmp.AA
sudo /etc/init.d/apparmor restart
sudo aa-status |
diff -qu $tmp.status -
rm -fr $tmp $tmp.*
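As an added illustration (not part of the original post, and not AppArmor's own parser), the following Python models the documented meaning of an alias rule in apparmor.d(5): a rule naming a path under the alias source prefix also applies to the same path under the target prefix. The sample alias file and profile are constructed from the values in the thread above; the expansion semantics are an assumption drawn from the manual page, and the model says nothing about which tunables/alias file the real apparmor_parser read when it compiled the profile. It also shows a side effect worth noticing before loading such a rule: aliasing "/" itself duplicates every path rule in the profile under /tmp/, not only "/file".

```python
import re
from typing import List, Tuple

# Constructed sample inputs modelled on the thread (not apparmor_parser output).
# The alias line is the one the script appends to tunables/alias.
ALIAS_TUNABLE = """\
# tunables/alias (constructed sample)
alias / -> /tmp/,
"""

# A cut-down version of the cat(1) profile the script generates; the
# library path is a constructed sample, the "/file mr," rule is the point.
PROFILE = """\
#include <tunables/global>
/bin/cat {
  /bin/cat mr,
  /lib/x86_64-linux-gnu/libc.so.6 mr,
  /etc/ld.so.cache mr,
  /file mr,
}
"""

# "alias <source> -> <target>,"
ALIAS_RE = re.compile(r"^\s*alias\s+(\S+)\s*->\s*(\S+?)\s*,\s*$")
# A plain path rule: absolute path, whitespace, permission letters, comma.
RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-z]+)\s*,\s*$")


def parse_aliases(text: str) -> List[Tuple[str, str]]:
    """Return (source_prefix, target_prefix) pairs from alias rules."""
    aliases = []
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            aliases.append((m.group(1), m.group(2)))
    return aliases


def parse_path_rules(text: str) -> List[Tuple[str, str]]:
    """Return (path, permissions) pairs for the simple file rules in a profile."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def expand_aliases(rules: List[Tuple[str, str]],
                   aliases: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Assumed semantics (apparmor.d(5)): keep every rule and, for each alias
    whose source prefix matches the rule path, add a copy under the target."""
    expanded = list(rules)
    for path, perms in rules:
        for src, dst in aliases:
            if path.startswith(src):
                expanded.append((dst + path[len(src):], perms))
    return expanded


def is_allowed(rules: List[Tuple[str, str]], path: str, perm: str) -> bool:
    """True if some rule names exactly this path with the requested permission."""
    return any(p == path and perm in perms for p, perms in rules)


if __name__ == "__main__":
    aliases = parse_aliases(ALIAS_TUNABLE)
    rules = parse_path_rules(PROFILE)
    expanded = expand_aliases(rules, aliases)
    print("without alias, read /tmp/file:", is_allowed(rules, "/tmp/file", "r"))
    print("with alias,    read /tmp/file:", is_allowed(expanded, "/tmp/file", "r"))
    print("rules added by the alias:")
    for entry in expanded[len(rules):]:
        print("  %s %s," % entry)
```

Running it lists four extra rules, one per original rule, which is what an alias of the filesystem root implies for every profile that includes the tunable.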