[apparmor] environment variables
John Johansen
john.johansen at canonical.com
Sat Nov 12 13:28:47 UTC 2011
Alright so here is a second pass at a proposed syntax.
Profiles will be allowed to have env rules, that are a white listing of
what is allowed by a prospective profile. Environment variables that do
not match will be scrubbed, at the start of an execve. The rules will
not be applied for profile transitions and non-exec boundries (ie.
change_hat and change_profile).
env PATH=/home/*/bin/:/usr/bin/, # allow
There however will be two deny style possibilities, one to filter,
filter env PATH=/home/jj/,
and one to cause an exec to fail
deny env PATH=/home/bad/,
environment rules can be specified in a block
env {
PATH=/home/*/bin/:/usr/bin/,
filter PATH=/home/jj,
deny PATH=/home/bad/,
}
include rules can be user within a block
env { #include <abstractions/base-env-filter>
HOME=/home/jj,
}
In addition to a profile being able to specify the acceptable environment
variables, an exec rule can place further restrictions on the environment
by specifying an env block after the exec rule.
/bin/foo Ux env { PATH=/home/*:/usr/bin, HOME=/home/jj, },
/bin/bar px -> /bin/bash env {
PATH=/foo:/bar,
HOME=/home/jj,
},
To facilitate complex conditions an & operator will be allowed, where the
list of rules and be thought of as |
env PATH=/home/*/bin/:/usr/bin/ & HOME=/home/jj,
Expressions can be quoted
env "PATH=/home/path with a space/",
env "PATH=/home/path with a &" & "HOME=/home/jj",
The environment variable name is a string that can contain pattern matching
env "P*=/home/path",
In the future pcre style matching syntax will be allowed (on file rules
as well).
env ^PATH=/home/.*/bin:/usr/bin/$,
Please note:
I have used a trailing comma to separate rules as is customary for general
rule syntax. I am not opposed to getting rid of the trailing , but kept it
for consistency.
More information about the AppArmor
mailing list