[Apparmor-general] accumulation of x permission qualifiers
John Johansen
jjohansen at suse.de
Fri Feb 9 15:19:34 MST 2007
The accumulation of x permission qualifiers needs to be clarified and
properly documented. Currently permission bits (mrwl) are accumulated
across all overlapping rules; however, the X permission qualifiers
(pPuUi) are treated specially. For any given match there can only be a
single qualifier. To facilitate the overlapping of rules containing X
qualifiers there is the notion of an exact match rule, which is a rule
that contains no pattern matching (*, **, ?, [], {}). The X qualifiers
in an exact match rule take precedence over qualifiers in a pattern rule.
ex 1. overlapping pattern and exact match rule
/foo** mrix,
/foobar px,
where /foobar will be granted permissions mrpx (the mr permissions are
accumulated and the px qualifier takes precedence over ix).
ex 2. overlapping pattern rules (invalid profile)
/foo** mrix,
/fooba? px,
The overlapping of these 2 rules results in an invalid profile.
ex 3. overlapping exact match rules (invalid profile - shown only
to be explicit about how permission accumulation is done)
/foo/bar mrix,
/foo/bar mrpx,
however consider
ex 4.
/foo** mrix,
/foo{bar,blah} px,
in this case both rules are considered pattern rules resulting in an
invalid profile, but if the rules were rewritten without the alternation
it would result in a valid profile.
ex 5.
/foo** mrix,
/foobar px,
/fooblah px,
this situation can be also created with character classes
ex 6.
/foo** mrix,
/foobar[1-9] px,
I think it is pretty obvious that we don't want to treat alternations
as pattern rules. Character classes are less clear to me; I am not
sure if we want to treat them like alternations, or like * and **, or as
something in between.
To further complicate matters do we want to allow overlapping pattern
rules where the distinction is clear (and what is clear)?
ex 7.
/foo/** ix,
/foo/bar* px,
Here are some possible solutions to the current situation
1. move alternation to be part of the exact match definition (this is
what the dfa match engine currently does).
2. move alternation and character classes into the exact match definition
3. have more than 2 priority ordered classes
ex.
exact match
character classes []
?
*
**
4. use longest left exact match (ie before the pattern part of the rule)
for ex 7. /foo/bar is the longest left match so px would be used
for the parts that overlap.
5. use some combination of 3 and 4.
6. Disallow any overlap of conflicting X qualifiers.
Another related issue is the pix permission that has been discussed. The
pix permission would probably use a different notation (qualifier) but
the pix notation is appropriate for the discussion at hand. The idea
behind the pix permission is to allow partial profile rollout where
a profile is used if present and, if not, instead of failing the exec
it inherits the current profile.
If the pix permission is added, does it alter how permission accumulation
is done? Do overlapping px and ix permissions combine to form a pix or
does accumulation continue to pick the specific match?
I don't particularly care which solution is chosen for apparmor. More
that we fix the current inconsistency and document what is expected.
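The following is an added example, not part of the post and not AppArmor's parser. It is a small Python model of the accumulation semantics the post describes (mrwl bits accumulate across every matching rule, an exact-match rule's exec qualifier wins over a pattern rule's, and two rules of the same class with different qualifiers make the profile invalid), run against the post's examples. The alternation_is_exact flag models proposal 1 (alternation treated as part of the exact match definition) by expanding /foo{bar,blah} into separate rules before classifying them. Assumptions: the glob-to-regex translation is a simplification (no escapes, no nested braces), and conflicts are reported per probed path rather than at profile compile time as a real parser would.

```python
"""Model of AppArmor-style permission accumulation for overlapping rules.

Added example, not AppArmor's parser. Implements the semantics the post
describes: mrwl bits accumulate across every matching rule, an exact-match
rule's exec qualifier (px/Px/ux/Ux/ix) wins over a pattern rule's, and two
rules of the same class with different qualifiers make the profile invalid.
ASSUMPTIONS: glob handling is simplified (no escapes, no nested braces), and
conflicts are detected per probed path rather than at profile compile time.
"""
import re
from dataclasses import dataclass

BASE_BITS = "mrwl"                       # bits that accumulate across rules
EXEC_MODES = ("px", "Px", "ux", "Ux", "ix")


class ProfileConflict(Exception):
    """Two rules of the same class grant different exec qualifiers."""


@dataclass(frozen=True)
class Rule:
    pattern: str
    perms: str


def is_exact(pattern: str) -> bool:
    """An exact-match rule contains none of the * ** ? [] {} metacharacters."""
    return not any(ch in pattern for ch in "*?[{")


def expand_alternation(pattern: str) -> list:
    """Rewrite /foo{bar,blah} into [/foobar, /fooblah] (proposal 1 in the post)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_alternation(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def glob_to_regex(pattern: str) -> str:
    """Translate AppArmor globbing: * stops at '/', ** crosses '/', ? is one char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        elif pattern[i] == "[":                      # character class copied as-is
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1]); i = j + 1
        elif pattern[i] == "{":                      # alternation -> (?:a|b)
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")"); i = j + 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "^" + "".join(out) + "$"


def parse_perms(perms: str):
    """Split 'mrpx' into accumulating bits {'m','r'} and exec qualifier 'px'."""
    bits = {c for c in perms if c in BASE_BITS}
    mode = next((m for m in EXEC_MODES if m in perms), None)
    return bits, mode


def resolve(rules, path: str, alternation_is_exact: bool = False) -> str:
    """Permissions granted to `path` by the overlapping `rules`.

    Raises ProfileConflict where the post says the profile is invalid.
    """
    if alternation_is_exact:                         # proposal 1: expand {a,b} first
        rules = [Rule(p, r.perms) for r in rules for p in expand_alternation(r.pattern)]
    bits, exact_modes, pattern_modes = set(), set(), set()
    for r in rules:
        if not re.match(glob_to_regex(r.pattern), path):
            continue
        rule_bits, mode = parse_perms(r.perms)
        bits |= rule_bits                            # mrwl always accumulate
        if mode:
            (exact_modes if is_exact(r.pattern) else pattern_modes).add(mode)
    if len(exact_modes) > 1 or len(pattern_modes) > 1:
        raise ProfileConflict(f"{path}: conflicting exec qualifiers "
                              f"{sorted(exact_modes | pattern_modes)}")
    # exact-match qualifier takes precedence over a pattern rule's qualifier
    mode = next(iter(exact_modes), None) or next(iter(pattern_modes), None)
    return "".join(sorted(bits, key=BASE_BITS.index)) + (mode or "")


def is_valid(rules, path: str, alternation_is_exact: bool = False) -> bool:
    """True unless resolving `path` against `rules` hits a ProfileConflict."""
    try:
        resolve(rules, path, alternation_is_exact)
        return True
    except ProfileConflict:
        return False


if __name__ == "__main__":
    ex1 = [Rule("/foo**", "mrix"), Rule("/foobar", "px")]
    print("ex 1 /foobar ->", resolve(ex1, "/foobar"))          # mrpx
    print("ex 1 /foobaz ->", resolve(ex1, "/foobaz"))          # mrix
    ex4 = [Rule("/foo**", "mrix"), Rule("/foo{bar,blah}", "px")]
    print("ex 4 current ->", "valid" if is_valid(ex4, "/foobar") else "invalid profile")
    print("ex 4 proposal 1 ->", resolve(ex4, "/foobar", alternation_is_exact=True))
```

Running the module walks the post's examples 1 and 4: the same rule set is an invalid profile under the current classification and resolves to mrpx once alternation counts as exact. The other examples (2, 3, 6, 7) behave the same way through is_valid, and ex 7 shows the per-path nature of the model: /foo/qux resolves cleanly to ix while /foo/barbaz hits the pattern-vs-pattern conflict.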