[Apparmor-dev] apparmor.vim

John Johansen jjohansen at suse.de
Mon Sep 3 18:08:46 MDT 2007


On Mon, Sep 03, 2007 at 02:46:48PM +0200, Christian Boltz wrote:
> Hello,
> 
> Am Freitag, 31. August 2007 schrieb Crispin Cowan:
> > Christian Boltz wrote:
> > > A small question remains that Seth couldn't answer:
> > > Which keywords for "network" are dangerous (things like raw
> > > packages)? Currently I flag "raw" in red. Are there more I should
> > > mark this way?
> >
> > Some shoot-from-the-hip proposals:
> >
> >     * any low-numbered port is yellow
> >     * port 22 is red
> 
> How would the profile syntax for those look like? I know only keywords 
> yet...
> 
It isn't supported yet, so I wouldn't worry about it just yet.  Below
is the proposed syntax, of which we support only a very small subset.
The proposed syntax is open to debate and discussion, but is
modeled somewhat after iptables, partly because that is what admins
are used to, and partly because it needs to be mapped internally
into iptables since we will be leveraging secmark on the backend.



rule        = "network" [ [ <domain> ] [ <type> ] [ <protocol> ]
                          [ <proto_expr> ] ] ","
domain      = "inet" | "ax25" | "ipx" | "appletalk" | "netrom" |
              "bridge" | "atmpvc" | "x25" | "inet6" | "rose" |
              "netbeui" | "security" | "key" | "packet" | "ash" |
              "econet" | "atmsvc" | "sna" | "irda" | "pppox" |
              "wanpipe" | "bluetooth"
    *note: "unix", "local" and "netlink" are not allowed
type        = "stream" | "dgram" | "seqpacket" | "rdm" | "raw" | "packet" |
              "dccp"
protocol    = "tcp" | "udp" | "icmp" | "ftp" | ...
proto_expr  = <ip_expr> | ...
ip_expr     = [ <ip_action> ] [ <ip_host_expr> ] [ <ip_expr_tail> ]
ip_action   = <tcp_action> | <udp_action>
tcp_action  = "connect" | "accept" | "connected"
udp_action  = ( "send" | "recv" ) [ "&" <udp_action> ]
ip_host_expr= <direction> <ip_expr>
direction   = "to" | "from" | "endpoint"
ip_expr     = <ipv4_expr> | <ipv6_expr>
ip_expr_tail= ( <iface> | <limit> | "conntrack" )*
ipv4_expr   = <ipv4_addr> [ ":" <port_expr> ]
ipv4_addr   = <ipv4_quad> | ( <ipv4_quad> "/" <ipv4_quad> ) |
              ( <ipv4_quad> "/" DIGIT{1,2} )
ipv4_quad   = DIGIT{1,3} ( "." DIGIT{1,3} ){3,3}
ipv6_expr   = "[" <ipv6_addr> "]" [ ":" <port_expr> ]
ipv6_addr   = <ipv6_part> [ "/" DIGIT{1,2} ]
ipv6_part   = <hexseq> | <hexseq> "::" [ <hexseq> ] | "::" [ <hexseq> ]
hexseq      = <hex4> ( ":" <hex4> )*
hex4        = HEXDIG{1,4}
port_expr   = DIGIT{1,5} [ "-" DIGIT{1,5} ]
iface       = "via" REGEXP
limit       = "limit" DIGIT+ [ "b" | "B" | "k" | "K" | "m" | "M" ]


Currently we only support

rule        = "network" [ [ <domain> ] [ <type> ] [ <protocol> ] ] ","

where protocol is limited to "tcp", "udp", "icmp" and can only be specified
if one of <domain> or <type> is not.
NOTE: when protocols are specified without type or domain the matching
      code makes certain assumptions and does mapping.  See the tcp and udp
      examples below.
e.g.

network inet stream,	# allow inet stream == tcp
network inet raw,
network inet tcp,	# allow inet stream == tcp, NOT inet raw tcp
network inet udp,	# allow inet dgram == udp, NOT inet raw udp
network inet,		# allow all inet type and protocols
network tcp,		# allow all families that support tcp, so
			# currently this matches both inet and inet6,
                        # i.e.
                        # network inet stream,
                        # network inet6 stream,
                        # BUT NOT
                        # network inet raw tcp,
                        # network inet6 raw tcp,
network,		# allow any and all networking



some examples of what we will support

network tcp accept from 192.168.0.1/8:22,
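The currently supported subset above (`network [domain] [type] [protocol],` plus the tcp/udp mapping the mail describes) as an added example that is not part of this mail or of the AppArmor parser: a small Python checker that rejects rules outside that subset and expands a rule into the (domain, type) pairs it matches. The `*` wildcard and the open icmp mapping are my assumptions, not AppArmor syntax.

```python
import re

# Vocabulary taken from the grammar in the mail above.
DOMAINS = {"inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
           "inet6", "rose", "netbeui", "security", "key", "packet", "ash", "econet",
           "atmsvc", "sna", "irda", "pppox", "wanpipe", "bluetooth"}
TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw", "packet", "dccp"}
PROTOCOLS = {"tcp", "udp", "icmp"}          # the only protocols supported today
# Mapping the mail describes for a protocol given without type/domain:
# tcp -> stream, udp -> dgram, and both currently match inet and inet6.
PROTO_TYPE = {"tcp": "stream", "udp": "dgram"}
PROTO_DOMAINS = {"tcp": ("inet", "inet6"), "udp": ("inet", "inet6")}
WILDCARD = "*"   # "any" in the expansion below (my notation, not AppArmor's)

RULE_RE = re.compile(r"\s*network((?:\s+\w+)*)\s*,\s*(?:#.*)?$")


def parse_rule(text):
    """Split 'network [domain] [type] [protocol],' into its three optional parts."""
    m = RULE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a network rule: {text!r}")
    words = m.group(1).split()
    domain = type_ = proto = None
    i = 0
    # Parts are positional; "packet" is both a domain and a type and is read
    # as the domain when it comes first, following the grammar's ordering.
    if i < len(words) and words[i] in DOMAINS:
        domain, i = words[i], i + 1
    if i < len(words) and words[i] in TYPES:
        type_, i = words[i], i + 1
    if i < len(words) and words[i] in PROTOCOLS:
        proto, i = words[i], i + 1
    if i != len(words):
        raise ValueError(f"unexpected token {words[i]!r} in {text!r}")
    if proto and domain and type_:
        # e.g. "network inet raw tcp," is outside the supported subset
        raise ValueError("protocol is only allowed when domain or type is omitted")
    return domain, type_, proto


def expand(text):
    """Return the (domain, type) pairs a currently supported rule matches."""
    domain, type_, proto = parse_rule(text)
    if domain:
        domains = [domain]
    elif proto in PROTO_DOMAINS:
        domains = list(PROTO_DOMAINS[proto])
    else:
        domains = [WILDCARD]   # icmp mapping is not given in the mail: left open
    typ = type_ or PROTO_TYPE.get(proto, WILDCARD)
    return [(d, typ) for d in domains]
```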