[apparmor] Apparmor policy hide?

John Johansen john.johansen at canonical.com
Fri Mar 26 10:33:46 UTC 2021


On 3/26/21 3:17 AM, Jacek wrote:
> Thanks
> 
> A little test:
> 
> # G1 Gentuś ###   Fri Mar 26 11:10:44  localhost : /home/duch
> 
> # root ~> tail  /etc/apparmor.d/bin.ping
>   network netlink raw,
>   network unix stream,
> 
>   signal receive set=cont peer=unconfined,
>   signal receive set=term peer=unconfined,
> 
>    hide w /bin/ping,
>    ###  mrix,
>    kill w /bin/ping6,
> }
> 
> # G1 Gentuś ###   Fri Mar 26 11:10:57  localhost : /home/duch
> 
> # root ~> apparmor_parser -r /etc/apparmor.d/bin.ping
> AppArmor parser error for /etc/apparmor.d/bin.ping in profile /etc/apparmor.d/bin.ping at line 34: missing an end of line character? (entry: hide)
> 
> 
> Can I request a more precise example of the syntax for this entry?
> 

Sorry, I should have clarified. The extended perm work has not landed yet; it is landing soon, so it is not available yet.
> ;)
> 
> Cheers
> 
> 
> On 26.03.2021 at 09:57, John Johansen wrote:
>> It helps sometimes, but it is very much still an error code and depends on how the application handles returned errors. With that said, hiding via returning ENOENT instead of EACCES is part of the extended perm work that should be landing upstream over the next cycle or two. E.g.
>>
>>   hide w /foo/bar,
>>
>> This of course doesn't stop an application from being able to discover something isn't right, e.g. if you give directory read access the dir listing will show the entry that is being hidden; this, as you said, is more about trying not to break certain applications.
>>
>> The other option you have is the heavy hammer of killing the task instead. Currently that is limited to a profile flag but the extended perm work will make that possible to specify at the rule level.
>>
>>   kill w /etc/password,
> 

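As an added example (not code from this thread or from the AppArmor project), here is a small POSIX shell pre-flight script that scans a profile for rule-level `hide`/`kill` permission prefixes before handing it to `apparmor_parser -r`. On a parser without the extended perm work, the administrator then gets a readable list of the offending lines instead of the "missing an end of line character?" error shown above. The function names and the embedded sample profile (a reconstruction of the bin.ping tail quoted in the thread) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread or the AppArmor project.
# Pre-flight check: report rule lines that use the rule-level "hide"/"kill"
# permission prefixes, which the stock parser rejects until the extended perm
# work lands. Assumes a plain-text profile where lines starting with '#' are
# comments (after leading whitespace), as in the thread's "###  mrix," line.

# Print "<lineno>: <rule>" for every uncommented rule line that begins with an
# extended-permission prefix (hide or kill).
find_extended_perm_rules() {
    # $1 = path to the profile file
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # drop leading whitespace
            if (line ~ /^#/) next               # skip comment lines
            if (line ~ /^(hide|kill)[ \t]+/) print NR ": " line
        }
    ' "$1"
}

# Succeed (exit 0) when the profile uses at least one extended-perm prefix.
profile_uses_extended_perms() {
    [ -n "$(find_extended_perm_rules "$1")" ]
}

# Constructed sample profile mirroring the tail of bin.ping quoted above;
# the "profile ping /bin/ping {" header is assumed, not taken from the thread.
make_sample_profile() {
    cat > "$1" <<'EOF'
profile ping /bin/ping {
  network netlink raw,
  network unix stream,

  signal receive set=cont peer=unconfined,
  signal receive set=term peer=unconfined,

   hide w /bin/ping,
   ###  mrix,
   kill w /bin/ping6,
}
EOF
}

# Usage: preflight_load /etc/apparmor.d/bin.ping
# Refuses to call apparmor_parser -r while unsupported prefixes are present,
# printing the offending lines so they can be rewritten (or the rules dropped)
# before the reload.
preflight_load() {
    if profile_uses_extended_perms "$1"; then
        echo "refusing to load $1: rule-level hide/kill prefixes need the extended perm parser" >&2
        find_extended_perm_rules "$1" >&2
        return 1
    fi
    apparmor_parser -r "$1"
}
```

Run it as `preflight_load /etc/apparmor.d/bin.ping` in place of the bare `apparmor_parser -r`; a profile that uses only the currently accepted rule forms is passed straight through to the parser unchanged.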