On 12/27/19 4:15 AM, J. R. Okajima wrote:
> Hello,
> 
> Would you kindly explain how to use the ALIAS RULE?
> 
Currently it works poorly. What it does is rule rewriting, so that
the leading elements of a rule "should" be replaced.

To quote from the man page
  AppArmor also provides alias rules for remapping paths for site-
  specific layouts. They are an alternative form of path rewriting to
  using variables, and are done after variable resolution. Alias rules
  must occur within the preamble of the profile. System-wide aliases are
  found in /etc/apparmor.d/tunables/alias, which is included by
  /etc/apparmor.d/tunables/global. /etc/apparmor.d/tunables/global is
  typically included at the beginning of an AppArmor profile.
 
This unfortunately doesn't give an example, so

  alias /bin/ -> /usr/bin/,

would rewrite a rule

  /bin/bash pix,

to

  /usr/bin/bash pix,

As noted in the man page, this is done after variable expansion and
before the backend of the compile. It should make any profile compiled
with the alias rule behave as if rules written to match /bin/
had been written using /usr/bin/.

Unfortunately, the rule rewriting is currently based on absolute path
matching, so the beginning of a path rule needs to be an exact string
match.

  /bin/bash pix,

is an exact match and will be updated, but

  /bin** r,

is not and will not be.

It is possible to fix this, so that the compiler can do the rewrite
against the generated state machine. This has even been prototyped
but is currently buggy and needs a lot more work before we can land
it.



> Here is a shell script I am testing.
> - prepare "/tmp/file"
> - generate and enable a profile for cat(1), which allows opening
>   "/file".
> - expecting a failure, run "cat /tmp/file"
> - add an alias rule "alias / -> /tmp/,"
> - expecting a success, run "cat /tmp/file" again, but it fails.
> 
> Environment
> $ uname -a
> Linux jrotkm 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
> 
> ii  apparmor                      2.13.2-10
> ii  apparmor-utils                2.13.2-10
> ii  libapparmor1:amd64            2.13.2-10
> ii  python3-apparmor              2.13.2-10
> ii  python3-libapparmor           2.13.2-10
> 
> What is wrong with my script?
> 
> J. R. Okajima
> 
> ----------------------------------------
> #!/bin/sh
> 
> tmp=/tmp/$$
> set -eu
> 
> cmd=$(readlink -f /bin/cat)
> cmdprof=$tmp.AA/$(echo $cmd | cut -c2- | tr / .)
> aliasprof=$tmp.AA/tunables/alias
> testfile=/tmp/file
> echo test > $testfile
> 
> rm -fr $tmp.AA
> mkdir $tmp.AA
> lndir -silent /etc/apparmor.d $tmp.AA
> cp -p $aliasprof $aliasprof.tmp
> mv $aliasprof.tmp $aliasprof
> 
> {
>       echo '#include <tunables/global>'
>       echo $cmd '{'
>       echo $cmd mr,
>       {
>               ldd $cmd |
>               fgrep -v linux-vdso
>               echo /etc/ld.so.cache
>               #echo $testfile
>               echo /$(basename $testfile)
>       } |
>       cut -f2 -d'>' |
>       cut -f1 -d'(' |
>       xargs -r -n1 readlink -f |
>       sed -e 's/$/ mr,/'
>       echo '}'
> } |
> tee $cmdprof #> /dev/null
> 
> do_test()
> {
>       echo \# "$@"
>       set +e
>       set -x
>       strace -e trace=open,openat $cmd $testfile
>       set +x
>       set -e
>       true
> }
> 
> do_test "should succeed"
> 
> sudo aa-status > $tmp.status
> sudo aa-enforce $cmd -d $tmp.AA
> sudo aa-status |
> diff -qu $tmp.status - && false
> 
> do_test "should fail"
> 
> echo alias / '->' $(dirname $testfile)/, |
> tee -a $aliasprof
> sudo aa-disable $cmd -d $tmp.AA
> sudo apparmor_parser --reload $tmp.AA
> sudo aa-status |
> diff -qu $tmp.status - && false
> 
> do_test "ALIAS should make it work"
> 
> # Restoration
> sudo aa-disable $cmd -d $tmp.AA
> sudo /etc/init.d/apparmor restart
> sudo aa-status |
> diff -qu $tmp.status -
> 
> rm -fr $tmp $tmp.*
> 


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
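
The rewriting described in the reply above (exact leading-string replacement
of path rules, after variable expansion and before the backend) as a small
model in Python. This is an added illustration, not apparmor_parser's code
and not anything from the mail thread: the sample profile text, the @{BIN}
variable and all function names are constructed for the example. It reproduces
the two cases from the reply (`/bin/bash pix,` is rewritten, `/bin** r,` is
not) and, fed the alias from the quoted script (`alias / -> /tmp/,`), shows
what this exact-prefix model predicts: every rule beginning with `/` is
rewritten, including the rule for the cat binary itself, which is worth
keeping in mind when choosing an alias source that broad.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample profile (not from the original mail). @{BIN} is a made-up
# variable; the alias lines follow the man-page syntax quoted in the reply.
SAMPLE_PROFILE = """\
@{BIN}=/bin
alias /bin/ -> /usr/bin/,
alias /lib/ -> /usr/lib/,

/usr/bin/bash {
  @{BIN}/bash pix,
  /bin** r,
  /lib/x86_64-linux-gnu/libc.so.6 mr,
  /etc/passwd r,
}
"""

VAR_RE = re.compile(r'^\s*(@\{\w+\})\s*=\s*(\S+)\s*$')
ALIAS_RE = re.compile(r'^\s*alias\s+(\S+)\s*->\s*(\S+?),\s*$')
# A body path rule: optional indent, a path (which may begin with a
# variable reference), whitespace, permission letters and the trailing comma.
PATH_RULE_RE = re.compile(r'^(\s*)((?:@\{\w+\}|/)\S*)(\s+[A-Za-z]+,)\s*$')


def expand_variables(path: str, variables: Dict[str, str]) -> str:
    """Substitute @{VAR} references; the reply says this happens first."""
    for name, value in variables.items():
        path = path.replace(name, value)
    return path


def rewrite_path(path: str, aliases: List[Tuple[str, str]]) -> str:
    """Apply the first alias whose source is an exact leading string of PATH.

    '/bin/bash' starts with '/bin/' and becomes '/usr/bin/bash'.  '/bin**'
    does not start with '/bin/' (the glob is not a directory separator), so
    it is returned unchanged: the limitation the reply describes.
    """
    for src, dst in aliases:
        if path.startswith(src):
            return dst + path[len(src):]
    return path


def apply_aliases(profile_text: str) -> str:
    """Return the profile with every body path rule rewritten via aliases.

    Only path rules are touched in this model; the profile header, braces
    and preamble lines are copied through as-is.
    """
    variables: Dict[str, str] = {}
    aliases: List[Tuple[str, str]] = []
    out: List[str] = []
    for line in profile_text.splitlines():
        if (m := VAR_RE.match(line)):
            variables[m.group(1)] = m.group(2)
            out.append(line)
            continue
        if (m := ALIAS_RE.match(line)):
            aliases.append((m.group(1), m.group(2)))
            out.append(line)
            continue
        if (m := PATH_RULE_RE.match(line)):
            indent, path, perms = m.groups()
            path = expand_variables(path, variables)   # variables first ...
            path = rewrite_path(path, aliases)         # ... then alias rewrite
            out.append(f"{indent}{path}{perms}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def rewritten_rules(profile_text: str) -> List[str]:
    """The body path rules after rewriting, stripped, for inspection."""
    return [l.strip() for l in apply_aliases(profile_text).splitlines()
            if PATH_RULE_RE.match(l)]


if __name__ == "__main__":
    print(apply_aliases(SAMPLE_PROFILE))
```

Running the block prints the sample profile with `@{BIN}/bash pix,` turned
into `/usr/bin/bash pix,` and the libc rule moved under /usr/lib/, while
`/bin** r,` and `/etc/passwd r,` are left exactly as written.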