<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body> <div>Hi,</div> <br> <div>I think I now understand the meaning of 'mediation points aren't in process context'. I've been trying to use Netfilter hooks to confine a process' network capabilities, but realized that the point at which the hook is invoked is not in process context, and thus, the network packet cannot be traced back to the process from which it originated. </div> <br> <div>Since you mentioned mechanisms to cope with this, could you briefly list them?</div> <br> <div>Thank you.</div> <br> <div class="gmail_quote_attribution">On Jun 13 2019, at 5:48 pm, Abhishek Vijeev <abhishekvijeev@iisc.ac.in> wrote:</div> <blockquote> <div><br> <br> <div class="gmail_quote_attribution">On Jun 13 2019, at 3:07 am, Seth Arnold <seth.arnold@canonical.com> wrote:</div> <blockquote> <div> <div>On Wed, Jun 12, 2019 at 12:32:53PM +0000, Abhishek Vijeev wrote:</div> <blockquote> <div>Hi,</div> <br> <div>I have a few questions about AppArmor's code and would be grateful if</div> <div>you could kindly answer them.</div> </blockquote> <br> <div>[I've stripped your urls of some get-mail-spring style links]</div> <br> <blockquote> <div>1) The documentation at this link</div> <div>https://gitlab.com/apparmor/apparmor/wikis/AppArmor_Core_Policy_Reference#address-expr</div> <div>mentions the possibility of specifying a network rule as "network tcp</div> <div>src 192.168.1.1:80 dst 170.1.1.0:80". However this doesn't work, and</div> <div>after a little digging, I found out that the productions rules for this</div> <div>policy were available only in the grammar specification of AppArmor 2.1</div> <div>(line number 670 of</div> <div>https://gitlab.com/apparmor/apparmor/blob/apparmor-2.1/parser/parser_yacc.y</div> <div>). I find this extremely useful, and am considering trying to add this</div> <div>to AppArmor as part of a larger project. Could you kindly clarify the</div> <div>reason for its removal? Were there any hurdles that made it difficult to</div> <div>accomplish this?</div> </blockquote> <br> <div>Fine-grained networking controls have been on the most often desired</div> <div>features for perhaps fifteen years.</div> <br> <div>Some small portions of fine-grained networking may be simple enough to</div> <div>implement as a project. Controlling bind, listen, and connect might be</div> <div>straight forward enough. However, a more fully-featured implementation</div> <div>that mediates sockets passed in, or sockets shared among multiple domains,</div> <div>etc., would require significantly more work to implement.</div> <br> <div>Quite a lot of the mediation points available in the Linux kernel aren't</div> <div>in process context. There's mechanisms available to cope with this, but</div> <div>they're not nearly as easy to use as doing the mediation when running in</div> <div>process context.</div> </div> </blockquote> <br> <div>According to my current understanding, the mediation points used by AppArmor and other security modules are the hooks made available by the LSM hook interface. Could you kindly clarify the meaning of 'mediation points aren't in process context'?</div> <br> <div>Also, could you briefly list the other mechanisms to cope with this problem?</div> <br> <blockquote> <div><br> <div>I'm rusty on this at this point, but if you search lwn for secmark, secid,</div> <div>you'll probably find some useful articles. (Figuring out which ones are</div> <div>useful is left as an exercise for the reader. :)</div> </div> </blockquote> <br> <div>Sure, thank you. I'll look up secmark and secid.</div> <br> <blockquote> <div><br> <blockquote> <div>2) At what stage during the kernel boot process does AppArmor load the</div> <div>profiles? And from where does it obtain them? (am I correct in</div> <div>understanding that the profiles are stored in</div> <div>/sys/kernel/security/apparmor/policy ?)</div> </blockquote> <br> <div>The kernel boot process does not load any apparmor policy. Policy is</div> <div>loaded by userspace.</div> <br> <div>If you want to have a confined init, you'll need to modify your initramfs</div> <div>to load policy before switching to the system init.</div> <br> <div>Most distributions use the sysv-initscripts, or a fork from them from</div> <div>years ago, and some systemd unit files to call the initscripts. These</div> <div>usually load policy from /etc/apparmor.d/ but packaging systems like click</div> <div>and snap loaded policy from elsewhere, and libvirt and snapd (among</div> <div>others) will dynamically generate and load policy as needed.</div> <br> </div> </blockquote> <br> <div>I see. Is it not possible to confine init by just changing the set_init_ctx( ) function (<a href="https://link.getmailspring.com/link/AD408D62-3B92-4D3B-AD7B-961E64EADFD3@getmailspring.com/0?redirect=https%3A%2F%2Fgithub.com%2Ftorvalds%2Flinux%2Fblob%2Fmaster%2Fsecurity%2Fapparmor%2Flsm.c%23L1522&recipient=YXBwYXJtb3JAbGlzdHMudWJ1bnR1LmNvbQ%3D%3D" title="https://github.com/torvalds/linux/blob/master/security/apparmor/lsm.c#L1522">https://github.com/torvalds/linux/blob/master/security/apparmor/lsm.c#L1522</a> ) to set a different profile by default?</div> <br> <blockquote> <div> <blockquote> <div>3) Why does function 'aa_alloc_profile( )' allocate extra memory ? It</div> <div>seems to be allocating memory for 3 objects of type 'struct aa_profile'.</div> <div>(line number 262 of</div> <div>https://github.com/torvalds/linux/blob/master/security/apparmor/policy.c</div> <div>)</div> </blockquote> <br> <div>This is allocating space for a single struct aa_profile and two pointers:</div> <br> <div>https://github.com/torvalds/linux/blob/master/security/apparmor/include/policy.h#L162</div> <br> <div>struct aa_profile {</div> <div>struct aa_policy base;</div> <div>struct aa_profile __rcu *parent;</div> <div>/* ... */</div> <div>aa_label label;</div> <div>};</div> <br> <div>https://github.com/torvalds/linux/blob/master/security/apparmor/include/label.h#L134</div> <br> <div>struct aa_label {</div> <div>struct kref count;</div> <div>struct rb_node node;</div> <div>/* ... */</div> <div>struct aa_profile *vec[];</div> <div>};</div> <br> <div>The pointers are for the final vec: https://en.wikipedia.org/wiki/Flexible_array_member</div> <br> </div> </blockquote> <br> <div>Thank you. I did not know about flexible arrays.</div> <br> <blockquote> <div> <div>Thanks</div> </div> </blockquote> </div> </blockquote> <img class="mailspring-open" alt="Sent from Mailspring" width="0" height="0" style="border:0; width:0; height:0;" src="https://link.getmailspring.com/open/AD408D62-3B92-4D3B-AD7B-961E64EADFD3@getmailspring.com?recipient=YXBwYXJtb3JAbGlzdHMudWJ1bnR1LmNvbQ%3D%3D"> </body> </html>