On 8/7/20 1:12 PM, Christian Boltz wrote:
> Hello,
> 
> Am Freitag, 7. August 2020, 19:07:41 CEST schrieb Jonas Große Sundrup:
>> I have one question left, when we're at it: If I do have conflicting
>> directives, such as
>>
>>     /my/directory r,
>>     /my/directory rw,
>>
>> which one takes precedence? the first, the last, the stricter or the
>> broader?
> 
> They get added up - so in your example, you'll get rw.
> 
> As another example,
> 
>   /foo rwl,
>   /foo wk,
> 
> will effectively give you   /foo rwlk,
> 
>> In case of nested I'd suspect that AppArmor will just nest the
>> policies accordingly, no matter in which order they occur, right?
> 
> The rule order doesn't matter.
> 
> 
Let me expand on this a bit. AppArmor syntax is declarative so rule order 
doesn't matter as Christian has said.

However, it's a little more complicated than them just being added up.

1. They only add up where the rules overlap

  /** rk,
  /foo w,

will give /foo rwk permissions, but the rest of the files that only match /** 
will only have rk permissions.


2. deny has priority. You can think of it as adding up all the allow rules in one 
set and all the deny rules in another, and subtracting the deny set from the allow set.


3. Exec rule qualifiers use a most specific match priority.

  ix /**,
  px /foo/bar,

the px rule is more specific, so px will be used for /foo/bar, while ix would 
be used for everything else.


3.1. Exec rule dominance is not fully implemented yet. So it only works with 
exact match rules like in the above example.

  ix /usr/**,
  px /usr/bin/*,

will currently report a conflict because /usr/bin/ being more specific is 
not correctly resolved.


4. The most specific match applies to profile attachments, with a fallback to 
longest left specific match for policy not sharing an attachment DFA.

profile usr /usr/** { }
profile bin /usr/bin/* { }

Basically, this means the above will work as expected. But the conflict is 
found in the kernel at runtime instead of during compile. The kernel can handle 
overlapping rules to a point (it's not perfect) and will fail the exec if its 
heuristics can resolve the dominance. Also, newer kernels are better at this 
than older kernels.


5. There will be language extensions at some point allowing a form of rule 
priority, but that is not available yet.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
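Added example, not part of this thread and not AppArmor's own parser code: a small Python model of the accumulation semantics described above (permissions of overlapping file rules are unioned, deny is subtracted afterwards, and an exec qualifier only dominates when its rule is an exact match, with two overlapping globs reported as a conflict). The glob handling is a deliberate simplification (only `*` and `**`, no alternation or `?`), assumed here for illustration.

```python
import re


def _glob_to_regex(pattern):
    # Translate an AppArmor-style path glob: '**' spans '/', '*' does not.
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def file_permissions(rules, path):
    """rules: (glob, perms, is_deny) tuples. Returns the effective permission set.

    Rule order is irrelevant: every matching allow rule contributes, every
    matching deny rule is collected separately, and deny wins at the end.
    """
    allow, deny = set(), set()
    for glob, perms, is_deny in rules:
        if _glob_to_regex(glob).match(path):
            (deny if is_deny else allow).update(perms)
    return allow - deny


def exec_qualifier(rules, path):
    """rules: (qualifier, glob) tuples, e.g. ('px', '/foo/bar').

    An exact (glob-free) match dominates any glob match; if only globs match
    and they disagree, raise, mirroring the parser's current conflict report.
    """
    matches = [(q, g) for q, g in rules if _glob_to_regex(g).match(path)]
    if not matches:
        return None
    exact = {q for q, g in matches if "*" not in g}
    candidates = exact or {q for q, _ in matches}
    if len(candidates) > 1:
        raise ValueError(f"conflicting exec qualifiers for {path}: {sorted(candidates)}")
    return candidates.pop()
```

Running the message's own examples through the model: `file_permissions([("/**", "rk", False), ("/foo", "w", False)], "/foo")` yields `{'r', 'w', 'k'}` while `/bar` keeps only `{'r', 'k'}`, and the `/usr/**` versus `/usr/bin/*` exec pair raises the conflict described in point 3.1.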
