On Wed, Jul 18, 2018 at 02:14:08PM -0000, roc...@openmailbox.org wrote: > I have some questions for apparmor alias rules. Is it correct that an > alias rule won't directly have an influence on which files can be > accessed on a certain rewritten path, i.e. the actual profile for the > program is what matters more?
If I've understood the question correctly, you have to consider both a profile and whatever alias rules the profile may load when determining what resources the profiles allows processes to access. > Could you make a program less confined > just by alias rules? Sure you add another path, but on this path you are > still allowed to only access files as described in the original profile > of the program. Is this correct? There's two ways of looking at this: - "yes", even when "alias" rules are used, the profile is still confining any processes running within the profile, and all their access control decisions are made by consulting the profile. - "no", the "alias" rules *are* a loosening of privileges, since one path given in the profile can grant access to more files. I think you've got the correct understanding. > What is the reason a rewrite path for > "/" -> "/rw/" does not apply to all the rules, i.e. you have to > specifically rewrite other paths too, like "/var/" -> "/rw/var/" ? Are you sure about this? I couldn't find anything in the code that would forbid / -> /rw from working, and a simple test (using / -> /AAAA instead, so that it would stand out clearly in the dumps) seems to show it working as I expect: sarnold@hunt:~$ echo "alias / -> /AAAA, profile p { / r,}" | apparmor_parser -Q --dump=dfa-states Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin {1} <== (allow/deny/audit/quiet) {2} (0x 10004/0/0/0) {6} (0x 10004/0/0/0) {1} -> {2}: 0x2f / {2} (0x 10004/0/0/0) -> {3}: 0x41 A {3} -> {4}: 0x41 A {4} -> {5}: 0x41 A {5} -> {6}: 0x41 A {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {1} -> {2}: 0x2 {1} -> {2}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {3}: 0x34 4 {3} -> {4}: 0x0 {4} -> {2}: 0x31 1 Note that the compiled policy looks the same as what I would expect it to expand to: sarnold@hunt:~$ echo "profile p { /AAAA r, / r,}" | apparmor_parser -Q --dump=dfa-states Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin {1} <== (allow/deny/audit/quiet) {2} (0x 10004/0/0/0) {6} (0x 10004/0/0/0) {1} -> {2}: 0x2f / {2} (0x 10004/0/0/0) -> {3}: 0x41 A {3} -> {4}: 0x41 A {4} -> {5}: 0x41 A {5} -> {6}: 0x41 A {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {1} -> {2}: 0x2 {1} -> {2}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {3}: 0x34 4 {3} -> {4}: 0x0 {4} -> {2}: 0x31 1 If you have found a counter example, please share. :) Thanks
signature.asc
Description: PGP signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor