[apparmor] apparmor.vim - profile format changes since 2.3?
John Johansen
john.johansen at canonical.com
Tue Jan 11 03:17:56 UTC 2011
On 01/10/2011 05:02 PM, Christian Boltz wrote:
> Hello,
>
> On Monday, 10 January 2011, John Johansen wrote:
>> On 01/09/2011 08:58 AM, Christian Boltz wrote:
>>> On Thursday, 06 January 2011, John Johansen wrote:
>>>> On 12/19/2010 07:04 AM, Christian Boltz wrote:
>>>>> On Friday, 17 December 2010, John Johansen wrote:
>>>>>> On 12/03/2010 07:37 AM, Christian Boltz wrote:
>
>>> flags=( foo )
>>> flags= (foo)
>>> flags = ( foo , bar )
>>
>> these all work
>
> OK, then I have to allow "flags = ( ... )". Done.
>
>>> Well, in theory even in 2.3 one could have used
>>> flags=(complain,audit) so I'd say: allow both space and comma, but
>>> document only space ;-)
>>
>> yeah I think this is the solution, I will go with a paren-enclosed
>> list; the comma will be allowed as the separator, and whitespace will
>> just get eaten. So
>> flags=( foo bar)
>> flags=( foo, bar )
>> etc will just work
>
> Please add this to some "syntax changelog" when you implement it ;-)
> Until then, I'll enforce the comma in apparmor.vim.
>
>>> BTW: I have a "debug" flag in sdFlagKey, but not in sdFlags. Is
>>> "debug" a valid flag?
>>
>> hrmmm, it used to be but it isn't currently valid, though I can think
>> of a few places it would be nice to have extra debug output, so I
>> can see it coming back in some form.
>
> OK, then I leave it in its broken form - it will currently not validate,
> but when it comes back it will get the color like complain.
>
>>> Talking about file rules - I somewhat remember to have read that
>>> there is a fixed order for the owner, audit and deny keywords of
>>> file (and other?) rules. Am I right about this? If yes, which
>>> order?
>>
>> Yes there is
>>
>> [audit] [deny] [owner]
>
> Implemented in apparmor.vim now, however I'd really like to have the
> order handled less strict ;-)
>
>
> Which of the audit, deny, owner keywords are allowed for the non-file
> rules?
> My guess would be that audit and deny is allowed for all of them
> (correct?). The question is: which of the following allow "owner"? And
> most
> does any of the following _not_ allow audit and deny?
>
> - capability
audit deny
> - set capability
dead, and gone. There were serious security issues with this that were too
easy to expose and would have needed fixing. The recommended replacement
solution is using pam_capable in conjunction with pam_apparmor
> - network
audit deny
owner isn't currently supported but will be
> - change profile
currently none of them but audit and deny support will be added
> - rlimit
none of them currently, I am looking at expanding with audit and deny
> - link
it's really just a flexible way of specifying the link file rule so
audit deny and owner
owner link /tmp/** -> /home/**,
can be used to provide open wall style restrictions, ie. only allowing
creating links to files you own.
> - (did I miss anything?)
>
hrmmm, I think you covered everything that is current.
> I'm only attaching an updated apparmor.vim today. You'll get the full
> set again after I have added audit/deny/owner for non-file rules.
>
thanks christian
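The rules discussed in this thread (flags in a parenthesised list separated by commas or whitespace, the fixed [audit] [deny] [owner] prefix order on file rules, and which prefixes each non-file rule type accepts) can be expressed as a small lint that a profile editor or highlighter could apply. The following is an added example, not code from apparmor.vim or the AppArmor project; the ALLOWED_PREFIXES table and the sample profile are constructed from the answers given above (the January 2011 state of the parser), and the rule-type detection is a simplification of the real grammar.

```python
import re

# Prefix keyword order for file rules, as stated in the thread: [audit] [deny] [owner]
PREFIX_ORDER = ("audit", "deny", "owner")

# Which prefixes each rule type accepts, built from the answers in the thread
# (constructed table; later parsers accept more than this).
ALLOWED_PREFIXES = {
    "file": {"audit", "deny", "owner"},
    "link": {"audit", "deny", "owner"},
    "capability": {"audit", "deny"},
    "network": {"audit", "deny"},
    "change_profile": set(),
    "rlimit": set(),
}

# flags=( ... ), with optional whitespace around '=' and inside the parens
FLAGS_RE = re.compile(r"flags\s*=\s*\(\s*([^)]*)\)")


def parse_flags(header_line):
    """Return the profile flags from a header such as
    '/usr/bin/foo flags = ( complain , audit ) {'.
    Commas and whitespace both act as separators, so 'foo bar' and 'foo, bar' are equal."""
    m = FLAGS_RE.search(header_line)
    if not m:
        return []
    return [f for f in re.split(r"[\s,]+", m.group(1).strip()) if f]


def split_rule(rule_line):
    """Split a rule into (prefix keywords, rule kind, remaining tokens)."""
    tokens = rule_line.strip().rstrip(",").split()
    prefixes = []
    while tokens and tokens[0] in PREFIX_ORDER:
        prefixes.append(tokens.pop(0))
    if not tokens:
        kind = None
    elif tokens[0] in ("capability", "network", "change_profile", "link"):
        kind = tokens[0]
    elif tokens[0] == "set" and len(tokens) > 1 and tokens[1] == "rlimit":
        kind = "rlimit"
    elif tokens[0] == "set" and len(tokens) > 1 and tokens[1] == "capability":
        kind = "set_capability"          # removed from the language, see the thread
    else:
        kind = "file"                    # anything else is treated as a path rule
    return prefixes, kind, tokens


def check_rule(rule_line):
    """Return a list of problems for one rule; an empty list means it passes."""
    prefixes, kind, _rest = split_rule(rule_line)
    if kind is None:
        return ["empty rule"]
    problems = []
    if kind == "set_capability":
        problems.append("'set capability' rules were removed; use pam_capable with pam_apparmor")
    positions = [PREFIX_ORDER.index(p) for p in prefixes]
    if len(set(prefixes)) != len(prefixes):
        problems.append("repeated prefix keyword")
    elif positions != sorted(positions):
        problems.append("prefixes out of order, expected [audit] [deny] [owner]")
    for p in prefixes:
        if p not in ALLOWED_PREFIXES.get(kind, set()):
            problems.append(f"'{p}' is not supported on {kind} rules")
    return problems


# Constructed sample profile: one header line, then a mix of valid and invalid rules.
SAMPLE_PROFILE = """\
/usr/bin/example flags = ( complain , audit ) {
  audit deny owner /etc/shadow r,
  owner audit /tmp/** rw,
  owner capability net_admin,
  owner link /tmp/** -> /home/**,
  audit change_profile -> /usr/bin/other,
  deny network inet,
  set capability net_admin,
}
"""


def lint_profile(text):
    """Return (flags, {line_number: [problems]}) for a single-profile text."""
    lines = text.splitlines()
    flags = parse_flags(lines[0]) if lines else []
    report = {}
    for n, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if not s or s == "}" or s.startswith("#"):
            continue
        problems = check_rule(s)
        if problems:
            report[n] = problems
    return flags, report


if __name__ == "__main__":
    flags, report = lint_profile(SAMPLE_PROFILE)
    print("flags:", flags)
    for n, problems in sorted(report.items()):
        print(f"line {n}: " + "; ".join(problems))
```

Only the prefix keywords and flag separators are checked; the lint does not validate paths, permission letters or the rest of the rule body, which is what the real parser (apparmor_parser) is for.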