I am a proponent of the idea of policy templates. Please feel free to look through the FBAC-LSM policy abstractions for template ideas. FBAC-LSM (an experimental LSM and policy tools) does some simple analysis of the application to confine, then recommends abstractions and adapts them to the application. Note that FBAC-LSM has an export to AppArmor profile feature that will work better once AppArmor has profile stacking.

http://schreuders.org/FBAC-LSM

Cheers,

Cliffe.

On 07/02/12 14:50, Jamie Strandboge wrote:
This patchset is to accomplish the code portion of the
security-p-app-isolation blueprint. aa-easyprof is a standalone CLI
application which can also be imported into developer SDKs. From the man
page:

"aa-easyprof provides an easy to use interface for AppArmor policy
generation. aa-easyprof supports the use of templates and policy groups
to quickly profile an application. Please note that while this tool can
help with policy generation, its utility is dependent on the quality of
the templates, policy groups and abstractions used. Also, this tool may
create policy which is less restricted than creating policy by hand or
with aa-genprof and aa-logprof."

In essence, aa-easyprof takes a different view on policy generation and
is useful when you already know how the application should behave and
want to create an initial policy based on this. As such, one can create
a template and any supporting policy groups (policy groups are similar
to abstractions or the old-style program-chunks in that they are simply
groupings of policy rules) then use aa-easyprof to generate a policy.
The CLI tool dumps the resulting policy to stdout and requires no
privileges.

This patchset is broken into 4 parts:
* 0001-aa-easyprof.patch: the application, library, documentation and
   installation script
* 0002-aa-easyprof-policy.patch: the initial templates and policy
   groups. This will undoubtedly need refinement as we get feedback from
   users. Initial policy is based on Ubuntu's Application Review Board
   (ARB) requirements[2].
* 0003-aa-easyprof-unittests.patch: tests for the library
* 0004-aa-easyprof-makefile.patch: Makefile integration

Templates are stored in /usr/share/apparmor/easyprof/templates and
policy groups in /usr/share/apparmor/easyprof/policygroups. This can be
adjusted via /etc/apparmor/easyprof.conf.

The aa-easyprof.pod has complete documentation on usage with some
additional information in utils/easyprof/README (mostly duplicated
here).

Example usage to achieve something approaching the ARB requirements[2]
is:
$ aa-easyprof --template=user-application \
               --template-var="@{APPNAME}=foo" \
               --policy-groups=opt-application,user-application \
               /opt/foo/bin/foo

Testing can be performed in a number of ways:
$ cd utils ; make check # runs unit tests and pyflakes

Unit tests manually:
$ ./test/test-aa-easyprof.py

In source manual testing:
$ ./aa-easyprof --templates-dir=./easyprof/templates \
                 --policy-groups-dir=./easyprof/policygroups \
                 ... \
                 /opt/foo/bin/foo

Post-install manual testing:
$ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install
$ cd /tmp/test
$ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \
     --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \
     --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \
     /opt/bin/foo

(you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid
specifying --templates-dir and --policy-groups-dir).


[1] https://blueprints.launchpad.net/ubuntu/+spec/security-p-app-isolation
[2] http://developer.ubuntu.com/publish/my-apps-packages/
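
Added illustration (not part of the original message or of the aa-easyprof patchset): a simplified Python model of the template + policy groups + template variable flow described above, with the input checks a generator needs before emitting policy. The `###...###` placeholder syntax, the rule text, the `gen_policy` name and the assumption that `@{HOME}` comes from tunables/global are all constructed for this sketch.

```python
import re

# Constructed sample inputs; the ###...### placeholders and rule text are
# assumptions for this sketch, not copied from the aa-easyprof patches.
TEMPLATE = """\
#include <tunables/global>
###VAR###
###BINARY### {
  #include <abstractions/base>
###POLICYGROUPS###
}
"""
POLICY_GROUPS = {
    "opt-application": "  /opt/@{APPNAME}/** mrk,",
    "user-application": "  owner @{HOME}/.config/@{APPNAME}/** rwk,",
}
VAR_RE = re.compile(r"^(@\{[A-Za-z_][A-Za-z0-9_]*\})=([A-Za-z0-9_./-]+)$")
KNOWN_TUNABLES = {"@{HOME}"}  # assumed to be declared by tunables/global

def gen_policy(binary, groups, template_vars):
    # Reject relative paths, traversal, and AppArmor glob/quote characters.
    if not re.fullmatch(r"/[A-Za-z0-9_./-]+", binary) or ".." in binary.split("/"):
        raise ValueError("bad binary path: %r" % binary)
    defined = {}
    for tv in template_vars:
        m = VAR_RE.match(tv)
        if not m:
            raise ValueError("bad template variable: %r" % tv)
        defined[m.group(1)] = m.group(2)
    rules = []
    for g in groups:
        if g not in POLICY_GROUPS:  # look groups up by name only, never by path
            raise ValueError("unknown policy group: %r" % g)
        rules.append("  # policy group: %s\n%s" % (g, POLICY_GROUPS[g]))
    var_lines = "\n".join('%s="%s"' % kv for kv in sorted(defined.items()))
    policy = (TEMPLATE.replace("###VAR###", var_lines)
              .replace("###BINARY###", binary)
              .replace("###POLICYGROUPS###", "\n".join(rules)))
    # Every variable referenced must be declared, or the profile will not load.
    used = set(re.findall(r"@\{[A-Za-z_][A-Za-z0-9_]*\}", policy))
    missing = used - set(defined) - KNOWN_TUNABLES
    if missing:
        raise ValueError("undefined variables: %s" % ", ".join(sorted(missing)))
    return policy

if __name__ == "__main__":
    print(gen_policy("/opt/foo/bin/foo",
                     ["opt-application", "user-application"], ["@{APPNAME}=foo"]))
```
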




-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
