[apparmor] [Patch 0/1] RFC: apparmor profile directory
Christian Boltz
apparmor at cboltz.de
Fri Jul 6 22:18:03 UTC 2012
Hello,
On Thursday, 5 July 2012, John Johansen wrote:
> The best it could do is apply the same mapping to the tools apply.
Sounds like a good idea, but it doesn't cover everything ;-) (see below)
> However I think Christian is
> right that passing through whitespace, etc could be problematic.
There are other characters that can also cause some "funny effects"[tm]
;-)
> What I like about Christian's proposal is it guarantees the ids are
> unique and different by prepending the sid but also gives the user a
> usable name to guide them.
>
> However I don't think using just alphanumeric values will be enough as
> it makes unnamed profiles like /** { } real ugly.
Just curious - how would that profile name look as filename for
/etc/apparmor.d/ ? Hmm, let's try...

    # aa-genprof '/**'
    /** does not exist, please double-check the path.

OK, I'm feeling adventurous ;-)

    # touch '/**'
    # aa-genprof '/**'

The result was the file /etc/apparmor.d/** with

    /** flags=() { ... }

In other words: genprof doesn't seem to replace any special character.
Maybe it should :-/
It should probably also do some escaping in the profile name. My example
was a bit ;-) extreme, but imagine someone is crazy enough to have a
binary called '/bin/b*' and wants to create a profile for it (which is
basically a good idea with such a filename ;-)
The result will be a profile for '/bin/b*' which includes things like
/bin/bash... Do I need to say more? ;-)
(needless to say that I practised unloading the /** profile via the
/sys/kernel/security/apparmor/.remove interface afterwards because it
was the only working option ;-)
> What I was thinking of doing is a broader isgraph() or maybe something
> a little more restricted, but wider than isalnum().
I prefer the "better safe than sorry" way ;-) - therefore I don't think
isgraph() (anything except whitespace) is a good idea. I know it might
look ugly if we replace too many characters, but looking ugly is much
better than breaking tools that read /sys/ ;-)
That all said - how do you think the /sys/ entry/directory for the
/** profile should be named?
Regards,
Christian Boltz
--
Bash may be just dry bread and water,
but Tcl is Nutella with Maggi ;)
[Christian Perle in d.c.o.u.l.m]
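
Added example, not part of the original message and not AppArmor's own code: the name mapping discussed in this thread, written out in C so the isalnum() and isgraph() allow-lists can be compared on the profile names mentioned above. The function names, the "<sid>." prefix format and the '_' replacement character are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers; the "<sid>.<mapped name>" layout is an assumption. */
typedef int (*keep_fn)(int);

static int keep_alnum(int c) { return isalnum(c); }  /* strict allow-list */
static int keep_graph(int c) { return isgraph(c); }  /* anything but whitespace */

/* Map a profile name to a directory-entry name. Characters rejected by
 * keep() become '_'; the sid prefix keeps colliding names distinct.
 * Returns the length written, or -1 if out is too small. */
int profile_dirname(unsigned sid, const char *profile, keep_fn keep,
                    char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%u.", sid);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t i = (size_t)n;
    for (const char *p = profile; *p; p++) {
        if (i + 1 >= outlen)
            return -1;
        out[i++] = keep((unsigned char)*p) ? *p : '_';
    }
    out[i] = '\0';
    return (int)i;
}

/* 1 if name is a single path component free of glob and whitespace chars. */
int is_safe_component(const char *name)
{
    return name[0] != '\0' && strpbrk(name, "/*?[ \t\n") == NULL;
}

int main(void)
{
    /* Constructed sample names, taken from the examples in the message. */
    const char *profiles[] = { "/**", "/bin/b*", "/bin/b?" };
    char a[64], g[64];
    for (unsigned i = 0; i < 3; i++) {
        profile_dirname(i + 1, profiles[i], keep_alnum, a, sizeof a);
        profile_dirname(i + 1, profiles[i], keep_graph, g, sizeof g);
        printf("%-8s alnum=%-10s safe=%d  graph=%-10s safe=%d\n", profiles[i],
               a, is_safe_component(a), g, is_safe_component(g));
    }
    return 0;
}
```

With the strict mapping, '/bin/b*' and '/bin/b?' differ only in the sid prefix, which is why the prefix is needed; with isgraph() the '/' and '*' pass through unchanged, so the result is not usable as a single directory name.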