[Apparmor-dev] [RFC] AppArmor 2.1 Feature Overview
John Johansen
jjohansen at suse.de
Fri Aug 10 14:05:27 MDT 2007
On Fri, Aug 10, 2007 at 11:24:16AM -0600, Dominic Reynolds wrote:
> Per the irc discussion on #apparmor I wanted to post for review the planned changes
> around the 2.1 release for AppArmor. This release will ship as part of
> openSUSE 10.3 and Ubuntu "gutsy". Feedback/corrections welcome :)
>
> This version will also be released as tarballs and maintained in a branch on
> forge svn.
>
>
> Profile Language Features/Changes:
> ------------------------------
>
> o Modification to change_hat syntax
>
> The syntax for the hat syntax in a profile has been modified. The hat is still
> specified within the profile but is specified as
>
> /PROFILE//HAT_NAME
>
> rather than ^HATNAME
>
Sorry, this is not quite right. If a hat is to be specified within a profile
it must begin with the '^', which the parser will convert into a profile
with the name
/profile//HATNAME
A hat can be specified external to a profile by using /profile//hatname
as the profile name directly.
Internally to the module all hats are flattened into a single default
namespace, and treated just like all other profiles. The hat profiles
will not attach to an executable by name matching because of the //
in their name.
This has resulted in a slight change to the reporting interface of
/sys/kernel/security/apparmor/profiles, /proc/<pid>/attr/current
and log messages, in that hat profiles are reported with // in the
name instead of separating by '^'. The log messages only report
a single profile instance instead of profile and active.
So for a hat profile /foo//bar:

                                              OLD                           NEW
cat /proc/<pid>/attr/current                  /foo^bar                      /foo//bar
cat /sys/kernel/security/apparmor/profiles    /foo^bar                      /foo//bar
LOG message (OLD style)                       profile="/foo" current="bar"
LOG message (NEW style)                       profile="/foo//bar"
> As a consequence - the '^' character can now be properly used in pathnames and
> character classes
>
> /foo[^b] # used to be broken /foo[ and hat b] even if it was
> # in a file rule instead of specifying a profile now it is handled
> # correctly
>
The '^' can be used as a regular character within the profile or filename
as a literal as well. It is only special when used as the first character
of a character class indicating negation and the first character of
a name indicating a hat embedded in a profile.
Another minor change is that a ',' is no longer a valid character in a
filename if it is the last character before whitespace.
/foo,bar # valid
/foobar, # invalid
If you need a ',' at the end of a pathname, put it in quotes.
>
> Userspace Changes
> -----------------
>
The log format has changed to name value pairs, and the type of operation
is encoded in the audit type.
#define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */
#define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */
#define AUDIT_APPARMOR_DENIED 1503
#define AUDIT_APPARMOR_HINT 1504 /* Process Tracking information */
#define AUDIT_APPARMOR_STATUS 1505 /* Changes in config */
#define AUDIT_APPARMOR_ERROR 1506 /* Internal AppArmor Errors */
which will result in logs
type=APPARMOR_AUDIT ...
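The naming and log changes above (hat profiles reported as /profile//hat instead of profile plus a separate active hat, and records as name=value pairs with the operation encoded in the audit type) are the kind of thing a log consumer has to handle during the 2.0 to 2.1 transition. The following is an added example, not AppArmor project code: it parses name=value records, resolves numeric AUDIT_APPARMOR_* type numbers from the list above to their symbolic names, rewrites old-style profile="/foo" current="bar" records into the new single-name form, and splits a /profile//hat name back into its parts. The sample log lines are constructed; the field names operation, name and pid, and the UNKNOWN[nnnn] spelling of unresolved audit types, are assumptions about the record layout rather than something stated in the message.

```python
"""
Normalise AppArmor audit records to the 2.1 naming convention (/profile//hat).

Added example, not AppArmor project code.  Sample lines are constructed;
the 'operation', 'name' and 'pid' fields and the 'UNKNOWN[1503]' form of an
unresolved audit type are assumptions, not taken from the mailing-list post.
"""
import re
from dataclasses import dataclass

# name=value pairs: the value is either "double quoted" or a bare token
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# numeric audit type, either bare ("1503") or as audit userspace prints
# an unknown number ("UNKNOWN[1503]")
_NUMERIC_TYPE_RE = re.compile(r"^(?:UNKNOWN\[)?(\d+)\]?$")

# AUDIT_APPARMOR_* numbers as listed in the RFC
AUDIT_TYPES = {
    1501: "APPARMOR_AUDIT",
    1502: "APPARMOR_ALLOWED",
    1503: "APPARMOR_DENIED",
    1504: "APPARMOR_HINT",
    1505: "APPARMOR_STATUS",
    1506: "APPARMOR_ERROR",
}

# Constructed sample records: the same denial in old and new style
SAMPLE_OLD = ('type=APPARMOR_DENIED operation="open" profile="/foo" '
              'current="bar" name="/etc/shadow" pid=1234')
SAMPLE_NEW = ('type=APPARMOR_DENIED operation="open" profile="/foo//bar" '
              'name="/etc/shadow" pid=1234')


@dataclass
class Record:
    type: str
    fields: dict


def parse_pairs(line):
    """Split a record into a dict of name -> value, stripping quotes."""
    out = {}
    for key, val in _PAIR_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def resolve_type(rtype):
    """Map a numeric audit type to its APPARMOR_* name; pass names through."""
    m = _NUMERIC_TYPE_RE.match(rtype)
    return AUDIT_TYPES.get(int(m.group(1)), rtype) if m else rtype


def hat_profile_name(profile, hat):
    """What the parser does with '^bar' inside /foo: the name /foo//bar."""
    return f"{profile}//{hat.lstrip('^')}"


def is_hat(profile):
    """Hat profiles carry '//' and so never attach by executable name."""
    return "//" in profile


def split_hat(profile):
    """'/foo//bar' -> ('/foo', 'bar'); a plain profile -> (name, None)."""
    base, sep, hat = profile.partition("//")
    return (base, hat) if sep else (profile, None)


def normalise(fields):
    """Rewrite old-style profile= + current= into a single /profile//hat."""
    f = dict(fields)
    current = f.pop("current", None)
    if current and "profile" in f and not is_hat(f["profile"]):
        f["profile"] = hat_profile_name(f["profile"], current)
    return f


def parse_record(line):
    """Parse one audit line into its (symbolic) type and normalised fields."""
    fields = parse_pairs(line)
    rtype = resolve_type(fields.pop("type", ""))
    return Record(rtype, normalise(fields))


if __name__ == "__main__":
    for line in (SAMPLE_OLD, SAMPLE_NEW, 'type=UNKNOWN[1505] profile="/foo"'):
        rec = parse_record(line)
        base, hat = split_hat(rec.fields["profile"])
        print(rec.type, base, hat, rec.fields)
```

Once both styles are reduced to the same Record, a matcher keyed on profile name needs only the new /foo//bar spelling, and split_hat gives back the profile and hat for anything that still wants them separately.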