[apparmor] Exporting to AppArmor syntax

Cliffe cliffe at ii.net
Fri Jan 21 07:32:16 UTC 2011


Hi guys,

As I have mentioned in the past, I am (slowly) adding "export to
AppArmor profile" features to the FBAC-LSM policy manager
(http://schreuders.org/FBAC-LSM). The main features more or less work at
the moment: the FBAC-LSM GUI can export to and manage FBAC-LSM-created
AppArmor profiles. However, I have a few questions about syntax and the
audit logs.

I am using OpenSUSE 11.3, and I am using the standard OpenSUSE kernel
(and whatever version of AppArmor comes standard, therefore likely an
older version). At the moment, I am not using any of the AppArmor libs
since I don't want the dependencies.

FBAC policy stores a list of executable paths that specify which
processes are restricted by an application policy.
For example:

    /usr/bin/opera
    /usr/bin/X11/opera
    /usr/lib/opera/**


What would the AppArmor profile name look like?
This seems to work:

    /{usr/bin/opera,usr/bin/X11/opera,usr/lib/opera/**}

Is this globbing correct, or should it be regex? What are the special
characters for this match?

I am thinking of making the FBAC-LSM learning mode also work with AppArmor.
With my current version of AppArmor I get messages in this format in
/var/log/audit/audit.log
> type=APPARMOR_DENIED msg=audit(1295431719.156:15924): operation="open"
> pid=18946 parent=2607
> profile="/{usr/bin/vlc,usr/bin/X11/vlc,usr/lib/vlc/**}"
> requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000
> name="/home/cliffe/.config/Trolltech.conf"
> type=APPARMOR_DENIED msg=audit(1295431719.168:15927): operation="open"
> pid=18946 parent=2607
> profile="/{usr/bin/vlc,usr/bin/X11/vlc,usr/lib/vlc/**}"
> requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0
> name="/etc/udev/udev.conf"

What is the difference between mask="r::" and mask="::r"? Is there any
documentation that describes this?

Also, out of curiosity, how are the policy intersection features coming
along? By default FBAC intersects most policies (for example, so that
helper programs can't exceed the privileges of the programs they are
working for), so an intersection permission rule would help with the export.

Thanks,

Cliffe.
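To make the two parts of this message concrete (building the brace-alternation profile name from a list of executable paths, and feeding APPARMOR_DENIED records from audit.log into a learning mode), here is an added example; it is not code from FBAC-LSM, from the AppArmor project, or from the poster. It takes the two audit records quoted above (rejoined onto one line each) as its sample input and turns them into candidate file rules for the profile they name. Two things in it are assumptions rather than documented facts: the key=value parsing is a plain tokenizer written here, not libapparmor, and the "r::" / "::r" masks are split on the "::" separator with the left part treated as applying when fsuid equals ouid and the right part otherwise, which is only an inference from the fsuid/ouid values in the quoted lines and is exactly the question the message asks. The generated rules are a starting point to review, not something to install unread.

```python
import re
from collections import defaultdict

# Sample input: the two APPARMOR_DENIED records quoted in the message,
# each joined back onto a single line as it appears in audit.log.
SAMPLE_LOG = [
    'type=APPARMOR_DENIED msg=audit(1295431719.156:15924): operation="open" '
    'pid=18946 parent=2607 profile="/{usr/bin/vlc,usr/bin/X11/vlc,usr/lib/vlc/**}" '
    'requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 '
    'name="/home/cliffe/.config/Trolltech.conf"',
    'type=APPARMOR_DENIED msg=audit(1295431719.168:15927): operation="open" '
    'pid=18946 parent=2607 profile="/{usr/bin/vlc,usr/bin/X11/vlc,usr/lib/vlc/**}" '
    'requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 '
    'name="/etc/udev/udev.conf"',
]

# key=value pairs; the value is either a double-quoted string or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def profile_name(paths):
    """Build the brace-alternation profile name used in the message:
    ["/usr/bin/opera", "/usr/lib/opera/**"] -> "/{usr/bin/opera,usr/lib/opera/**}"."""
    return "/{" + ",".join(p.lstrip("/") for p in paths) + "}"


def parse_audit_line(line):
    """Tokenize one audit record into a dict (hand-written, not libapparmor).
    Bare values lose a trailing ':' so msg=audit(...): becomes audit(...)."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw.rstrip(":")
    return fields


def split_mask(mask):
    """Split a mask such as "r::" or "::r" on the "::" separator.
    ASSUMPTION (not documented here): the left part is the owner mask
    (fsuid == ouid) and the right part the non-owner mask, inferred from
    the fsuid/ouid values in the sample records."""
    owner, _sep, other = mask.partition("::")
    return owner, other


def suggest_rules(lines):
    """Group denied file accesses by profile and merge the permission letters
    seen for each path, giving one candidate rule per path."""
    per_profile = defaultdict(lambda: defaultdict(set))
    for line in lines:
        f = parse_audit_line(line)
        if f.get("type") != "APPARMOR_DENIED" or "name" not in f or "profile" not in f:
            continue
        owner, other = split_mask(f.get("denied_mask", ""))
        per_profile[f["profile"]][f["name"]].update(owner + other)
    return {
        profile: sorted((path, "".join(sorted(letters))) for path, letters in paths.items())
        for profile, paths in per_profile.items()
    }


def format_profile(profile, rules):
    """Render candidate rules in AppArmor file-rule syntax: "<path> <perms>,"."""
    body = "".join("  %s %s,\n" % (path, perms) for path, perms in rules)
    return "%s {\n%s}\n" % (profile, body)


if __name__ == "__main__":
    print(profile_name(["/usr/bin/opera", "/usr/bin/X11/opera", "/usr/lib/opera/**"]))
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(format_profile(profile, rules))
```

Running it prints the opera profile name from the message and a vlc block with one "r" rule for each of the two denied paths. A real learning mode would also have to handle records for operations other than "open" and masks with more than one letter; the tokenizer above carries those through unchanged, so they are easy to special-case later.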