[Apparmor-general] wildcards as prefix

Steve Beattie sbeattie at suse.de
Sat Feb 17 01:00:32 MST 2007


On Fri, Feb 16, 2007 at 04:11:29AM -0700, S Kalyanasundaram wrote:
> Thanks Crispin,
>    BTW, the method of having /**/ was working only if I replaced
>    the ** with some text; otherwise it is not working. If my conf
>    files exist at /var/lib/etc/app/conffile then it goes fine. If
>    I replace the ** with zero characters (/etc/app/conffile)
>    it takes it as //etc/app/conffile and says operation not permitted
>    for //etc/app/conffile

I suspect you're correct on how this is getting evaluated.

> So I changed the rule to /**etc/app/myconf and then it goes fine. Am I doing this correctly?

That's okay, though potentially a more open policy than you might
desire. If you know all the possible prefixes your app will be prefixed
with, you could do one of two things:

  (1) Use the alternation syntax to match the possible locations, like so:

	/{,var/lib/,var/mnt/}etc/app/conffile

      That pattern will match exactly the three locations you mentioned
      previously.

  (2) Use set variables. Create /etc/apparmor.d/tunables/appname with
      the following contents:

	@{PREFIX}=/ /var/lib/ /var/mnt/

      Then in your app's profile, add '#include <tunables/appname>' before
      anything else (except comments). Then write your rule(s) as:

	@{PREFIX}etc/app/conffile

      This will also match exactly the three locations you mentioned
      prior. The advantage to using variables this way is that you can
      run apparmor_parser -dd on your profile to see exactly how the
      rules get expanded. The disadvantage of this approach is that the
      genprof/logprof tools barely tolerate the existence of variables.

-- 
Steve Beattie
SUSE Labs, Novell Inc. 
<sbeattie at suse.de>
http://NxNW.org/~steve/
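Added example, not from the original post or from the AppArmor project: a small Python model of the two expansions Steve describes (brace alternation and @{VAR} set variables) and of the /**/ pitfall the question reports. It is not apparmor_parser; the glob semantics are modelled as the thread states them (* stops at '/', ** crosses it, and a zero-length ** leaves the doubled slash in place), the tunables text is the one from the message, and the extra path /tmp/fakeetc/app/conffile is constructed here to show why /**etc/app/conffile is more open than the three-location rules.

```python
"""Model of AppArmor path-rule expansion and glob matching (illustration only).

Not apparmor_parser: this reproduces only the behaviour the thread describes,
so it can show what `apparmor_parser -dd` would make visible for these rules.
"""
import re

VAR_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}")
ASSIGN_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}\s*=\s*(.*)$")


def parse_tunables(text):
    """Parse lines like '@{PREFIX}=/ /var/lib/ /var/mnt/' into {name: [values]}."""
    tunables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"not a variable assignment: {line!r}")
        tunables[m.group(1)] = m.group(2).split()
    return tunables


def expand_variables(rule, tunables):
    """Replace each @{VAR} by every value it has (cartesian product over variables).

    Simplification (assumption of this model): a variable that occurs twice in
    one rule receives the same value in both places.
    """
    results = [rule]
    for name in sorted(set(VAR_RE.findall(rule))):
        if name not in tunables:
            raise KeyError(f"undefined variable @{{{name}}} in rule {rule!r}")
        token = "@{" + name + "}"
        results = [r.replace(token, v) for r in results for v in tunables[name]]
    return results


def expand_braces(pattern):
    """Expand {a,b,c} alternation, innermost group first, into concrete patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):  # an empty alternative is a valid prefix
        out.extend(expand_braces(head + alt + tail))
    return out


def expand_rule(rule, tunables=None):
    """Variables first (their braces are not alternation), then brace groups."""
    out = []
    for partial in expand_variables(rule, tunables or {}):
        out.extend(expand_braces(partial))
    return out


def glob_to_regex(pattern):
    """Translate AppArmor-style globs: ** crosses '/', * and ? do not."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")      # any characters, including '/', possibly none
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")   # any characters within one path component
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "".join(parts)


def matches(pattern, path):
    """True if the (already expanded) pattern matches the whole path."""
    return re.fullmatch(glob_to_regex(pattern), path) is not None


if __name__ == "__main__":
    tunables = parse_tunables("@{PREFIX}=/ /var/lib/ /var/mnt/")
    for rule in ("/{,var/lib/,var/mnt/}etc/app/conffile", "@{PREFIX}etc/app/conffile"):
        print(rule, "->", expand_rule(rule, tunables))
    for pat in ("/**/etc/app/conffile", "/**etc/app/conffile"):
        for path in ("/etc/app/conffile", "//etc/app/conffile",
                     "/var/lib/etc/app/conffile", "/tmp/fakeetc/app/conffile"):
            print(f"{pat:24} {path:28} {matches(pat, path)}")
```

Running it shows the two three-location rules expanding to exactly /etc/app/conffile, /var/lib/etc/app/conffile and /var/mnt/etc/app/conffile, that /**/etc/app/conffile only reaches the top-level file via the doubled-slash spelling the question observed, and that the /**etc/app/conffile workaround also accepts a constructed path such as /tmp/fakeetc/app/conffile, which is the looseness the reply warns about.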