On Tue, 2012-02-07 at 08:50 -0600, Jamie Strandboge wrote: > This patchset is to accomplish the code portion of the > security-p-app-isolation blueprint. aa-easyprof is a standalone CLI > application which can also be imported into developer SDKs. From the man > page: ... > * 0002-aa-easyprof-policy.patch: the initial templates and policy > groups. This will undoubtedly need refinement as we get feedback from > users. Initial policy is based on Ubuntu's Application Review Board > (ARB) requirements[2].
This patch add the policy for aa-easyprof (ie, the templates and policy groups). The policy is not complete, but should be a decent starting point until we get more feedback from users. It consists of: - utils/easyprof/policygroups/* - utils/easyprof/templates/* -- Jamie Strandboge | http://www.canonical.com
diff -Naurp -x .bzr -x common apparmor-trunk/utils/easyprof/policygroups/networking apparmor-trunk-easyprof/utils/easyprof/policygroups/networking
--- apparmor-trunk/utils/easyprof/policygroups/networking 1969-12-31 18:00:00.000000000 -0600
+++ apparmor-trunk-easyprof/utils/easyprof/policygroups/networking 2012-02-06 16:39:38.000000000 -0600
@@ -0,0 +1,2 @@
+# Policygroup to allow networking
+#include <abstractions/nameservice>
diff -Naurp -x .bzr -x common apparmor-trunk/utils/easyprof/policygroups/opt-application apparmor-trunk-easyprof/utils/easyprof/policygroups/opt-application
--- apparmor-trunk/utils/easyprof/policygroups/opt-application 1969-12-31 18:00:00.000000000 -0600
+++ apparmor-trunk-easyprof/utils/easyprof/policygroups/opt-application 2012-02-06 16:39:38.000000000 -0600
@@ -0,0 +1,3 @@
+# Policy group for applications installed in /opt
+/opt/@{APPNAME}/ r,
+/opt/@{APPNAME}/** mrlk,
diff -Naurp -x .bzr -x common apparmor-trunk/utils/easyprof/policygroups/user-application apparmor-trunk-easyprof/utils/easyprof/policygroups/user-application
--- apparmor-trunk/utils/easyprof/policygroups/user-application 1969-12-31 18:00:00.000000000 -0600
+++ apparmor-trunk-easyprof/utils/easyprof/policygroups/user-application 2012-02-06 16:39:38.000000000 -0600
@@ -0,0 +1,7 @@
+# Policy group allowing various writes to standard directories in @{HOMEDIRS}
+owner @{HOMEDIRS}/.cache/@{APPNAME}/ rw,
+owner @{HOMEDIRS}/.cache/@{APPNAME}/** rwkl,
+owner @{HOMEDIRS}/.config/@{APPNAME}/ rw,
+owner @{HOMEDIRS}/.config/@{APPNAME}/** rwkl,
+owner @{HOMEDIRS}/.local/share/@{APPNAME}/ rw,
+owner @{HOMEDIRS}/.local/share/@{APPNAME}/** rwkl,
diff -Naurp -x .bzr -x common apparmor-trunk/utils/easyprof/templates/default apparmor-trunk-easyprof/utils/easyprof/templates/default
--- apparmor-trunk/utils/easyprof/templates/default 1969-12-31 18:00:00.000000000 -0600
+++ apparmor-trunk-easyprof/utils/easyprof/templates/default 2012-02-06 16:39:45.000000000 -0600
@@ -0,0 +1,26 @@
+#
+# Example usage:
+# $ aa-easyprof --policy-groups=user-application /usr/bin/foo
+#
+###ENDUSAGE###
+# vim:syntax=apparmor
+# AppArmor policy for ###NAME###
+# ###AUTHOR###
+# ###COPYRIGHT###
+# ###COMMENT###
+
+#include <tunables/global>
+
+###VAR###
+
+###BINARY### {
+ #include <abstractions/base>
+
+ ###ABSTRACTIONS###
+
+ ###POLICYGROUPS###
+
+ ###READS###
+
+ ###WRITES###
+}
diff -Naurp -x .bzr -x common apparmor-trunk/utils/easyprof/templates/user-application apparmor-trunk-easyprof/utils/easyprof/templates/user-application
--- apparmor-trunk/utils/easyprof/templates/user-application 1969-12-31 18:00:00.000000000 -0600
+++ apparmor-trunk-easyprof/utils/easyprof/templates/user-application 2012-02-06 16:39:45.000000000 -0600
@@ -0,0 +1,29 @@
+#
+# Example usage for a program named 'foo' which is installed in /opt/foo
+# $ aa-easyprof --template=user-application \
+# --template-var="@{APPNAME}=foo" \
+# --policy-groups=opt-application,user-application \
+# /opt/foo/bin/foo
+#
+###ENDUSAGE###
+# vim:syntax=apparmor
+# AppArmor policy for ###NAME###
+# ###AUTHOR###
+# ###COPYRIGHT###
+# ###COMMENT###
+
+#include <tunables/global>
+
+###VAR###
+
+###BINARY### {
+ #include <abstractions/base>
+
+ ###ABSTRACTIONS###
+
+ ###POLICYGROUPS###
+
+ ###READS###
+
+ ###WRITES###
+}
signature.asc
Description: This is a digitally signed message part
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
