[Apparmor-dev] Profile syntax changes?
John Johansen
jjohansen at suse.de
Thu Aug 9 20:24:41 MDT 2007
On Wed, Aug 08, 2007 at 06:06:33PM -0700, John Johansen wrote:
> On Thu, Aug 09, 2007 at 02:24:54AM +0200, Christian Boltz wrote:
> a very crude subset of our networking rules was added. It allows
> screening of networking based on type and family. Also the tools
> beyond the parser currently only support a subset of the subset :(
>
> syntax
> 'network' [[<domain>] [<type>] [<protocol>]] ','
>
> <domain> comes from the AF_NAMES with exclusions for local, unix,
> netlink
> <type> stream, dgram, seqpacket, rdm, raw, packet
> <protocol> tcp, udp, icmp
>
> The protocol specification is very limited currently in that it only
> allows those 3 and only if <type> is not specified.
>
> eg.
> network, # allow all networking
> network inet, # allow use of all inet networking
> network inet stream, # allow tcp
> network inet tcp, # ditto
> network tcp, # allow inet and inet6 tcp,
>
just a little extra info
<domain> = "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc",
"x25", "inet6", "rose", "netbeui", "security", "key", "packet",
"ash", "econet", "atmsvc", "sna", "irda", "pppox", "wanpipe",
"bluetooth",
the domains "llc", "iucv", "tipc" are currently mediated but cannot
be specified. To allow them, wide open networking
must be used, i.e. the rule
network,
this will be fixed
<type> = "stream", "dgram", "seqpacket", "rdm", "raw", "packet"
the type "dccp" is currently not allowed but this will get fixed
<protocol> = "tcp", "udp", "icmp"
the protocol currently isn't properly supported, can only be specified
if <domain> or <protocol> or both are not specified. They currently
just map to <domain> <type> pairs. When the network controls
are finished then there will be a lot more protocols directly
supported.
Also note that
network inet tcp, maps to network inet stream, not network inet raw tcp,
network inet udp, maps to network inet dgram, not network inet raw dgram,
network inet icmp, maps to network inet raw, and will when full networking
is finished map to network inet raw icmp,
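As an added example (not code from the post or from the AppArmor project), a small Python checker that expands the rule forms described above into (domain, type) pairs and tests whether a profile's rules cover a given socket. It assumes a protocol is only accepted when <type> is omitted, and generalises the post's "network tcp, # allow inet and inet6 tcp" so that a bare udp or icmp also expands to inet and inet6.

```python
import re

# Domains, types and protocol shorthands as listed in the post above.
DOMAINS = {"inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc",
           "x25", "inet6", "rose", "netbeui", "security", "key", "packet",
           "ash", "econet", "atmsvc", "sna", "irda", "pppox", "wanpipe",
           "bluetooth"}
TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw", "packet"}
# Each protocol shorthand currently maps to a plain <type> (tcp -> stream, ...).
PROTOCOLS = {"tcp": "stream", "udp": "dgram", "icmp": "raw"}
# Assumption: a protocol given without a domain expands to inet and inet6,
# generalising the post's "network tcp, # allow inet and inet6 tcp" to udp/icmp.
PROTO_DOMAINS = ("inet", "inet6")

def parse_network_rule(rule):
    """Expand one 'network [<domain>] [<type>] [<protocol>],' line into the
    set of (domain, type) pairs it grants; None means 'any'."""
    m = re.fullmatch(r"\s*network((?:\s+[a-z0-9]+)*)\s*,\s*(?:#.*)?", rule)
    if not m:
        raise ValueError(f"not a network rule: {rule!r}")
    words = m.group(1).split()
    domain = type_ = proto = None
    # Positional grammar: "packet" is both a domain and a type, so order decides.
    if words and words[0] in DOMAINS:
        domain = words.pop(0)
    if words and words[0] in TYPES:
        type_ = words.pop(0)
    if words and words[0] in PROTOCOLS:
        proto = words.pop(0)
    if words:
        raise ValueError(f"unexpected token {words[0]!r} in {rule!r}")
    if proto is not None and type_ is not None:
        # Current limitation from the post: protocol only when <type> is absent.
        raise ValueError(f"protocol {proto!r} cannot follow a type in {rule!r}")
    if proto is not None:
        type_ = PROTOCOLS[proto]
    domains = (domain,) if (domain or proto is None) else PROTO_DOMAINS
    return {(d, type_) for d in domains}

def rule_allows(rules, domain, type_):
    """True if any rule in the profile covers a socket of (domain, type)."""
    grants = set().union(*(parse_network_rule(r) for r in rules))
    return any(gd in (None, domain) and gt in (None, type_) for gd, gt in grants)

if __name__ == "__main__":
    # Constructed profile fragment built from the post's own examples.
    profile = ["network inet tcp,  # ditto", "network udp,", "network inet6 raw,"]
    print(rule_allows(profile, "inet", "stream"))   # True
    print(rule_allows(profile, "inet", "raw"))      # False
```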