Re: [apparmor] How does ALIAS work?
On 1/5/20 8:47 AM, J. R. Okajima wrote:
> John Johansen:
>> currently it works poorly. What it does is rule rewriting so that
>> the leading elements of a rule "should" be replaced.
> :::
>> It is possible to fix this, so that the compiler can do the rewrite
>> against the generated state machine. This has even been prototyped
>> but is currently buggy and needs a lot more work before we can land
>> it.
>
> Thank you for the reply.
> But I still don't get it. Do you mean that
>>> - add an alias rule "alias / -> /tmp/,"
> in my test script (attached to previous mail) doesn't work at all? And
> it won't be fixed easily?
> Could you try reproducing the problem by my test script if you have not
> tried?
>

Sorry for the delayed response. Yes I will try but it may take me a while to get to it.

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] How does ALIAS work?
John Johansen:
> currently it works poorly. What it does is rule rewriting so that
> the leading elements of a rule "should" be replaced.
:::
> It is possible to fix this, so that the compiler can do the rewrite
> against the generated state machine. This has even been prototyped
> but is currently buggy and needs a lot more work before we can land
> it.

Thank you for the reply.
But I still don't get it. Do you mean that

> > - add an alias rule "alias / -> /tmp/,"

in my test script (attached to previous mail) doesn't work at all? And
it won't be fixed easily?
Could you try reproducing the problem by my test script if you have not
tried?

J. R. Okajima
Re: [apparmor] How does ALIAS work?
On 12/27/19 4:15 AM, J. R. Okajima wrote:
> Hello,
>
> Would you kindly explain how to use ALIAS RULE?
>

Currently it works poorly. What it does is rule rewriting so that the
leading elements of a rule "should" be replaced.

To quote from the man page

    AppArmor also provides alias rules for remapping paths for
    site-specific layouts. They are an alternative form of path rewriting
    to using variables, and are done after variable resolution. Alias
    rules must occur within the preamble of the profile.

    System-wide aliases are found in /etc/apparmor.d/tunables/alias,
    which is included by /etc/apparmor.d/tunables/global.
    /etc/apparmor.d/tunables/global is typically included at the
    beginning of an AppArmor profile.

This unfortunately doesn't give an example, so

    alias /bin/ -> /usr/bin/,

would rewrite a rule

    /bin/bash pix,

to

    /usr/bin/bash pix,

As noted in the man page this is done after variable expansion and
before the backend of the compile. It should make any profile compiled
with the alias rule behave as if rules written to match /bin/ were
written using /usr/bin/.

Unfortunately, currently the rule rewriting is based on absolute path
matching. So the beginning of a path rule needs to be an exact string
match.

    /bin/bash pix,

is an exact match and will be updated, but

    /bin** r,

is not and will not be.

It is possible to fix this, so that the compiler can do the rewrite
against the generated state machine. This has even been prototyped
but is currently buggy and needs a lot more work before we can land
it.

> Here is a shell script I am testing.
> - prepare "/tmp/file"
> - generate and enable a profile for cat(1), which allows opening
>   "/file".
> - expecting a failure, run "cat /tmp/file"
> - add an alias rule "alias / -> /tmp/,"
> - expecting a success, run "cat /tmp/file" again, but it fails.
>
> Environment
> $ uname -a
> Linux jrotkm 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11)
> x86_64 GNU/Linux
>
> ii  apparmor             2.13.2-10
> ii  apparmor-utils       2.13.2-10
> ii  libapparmor1:amd64   2.13.2-10
> ii  python3-apparmor     2.13.2-10
> ii  python3-libapparmor  2.13.2-10
>
> What is wrong with my script?
>
> J. R. Okajima
>
>
> #!/bin/sh
>
> tmp=/tmp/$$
> set -eu
>
> cmd=$(readlink -f /bin/cat)
> cmdprof=$tmp.AA/$(echo $cmd | cut -c2- | tr / .)
> aliasprof=$tmp.AA/tunables/alias
> testfile=/tmp/file
> echo test > $testfile
>
> rm -fr $tmp.AA
> mkdir $tmp.AA
> lndir -silent /etc/apparmor.d $tmp.AA
> cp -p $aliasprof $aliasprof.tmp
> mv $aliasprof.tmp $aliasprof
>
> {
> 	echo '#include '
> 	echo $cmd '{'
> 	echo $cmd mr,
> 	{
> 		ldd $cmd |
> 		fgrep -v linux-vdso
> 		echo /etc/ld.so.cache
> 		#echo $testfile
> 		echo /$(basename $testfile)
> 	} |
> 	cut -f2 -d'>' |
> 	cut -f1 -d'(' |
> 	xargs -r -n1 readlink -f |
> 	sed -e 's/$/ mr,/'
> 	echo '}'
> } |
> tee $cmdprof #> /dev/null
>
> do_test()
> {
> 	echo \# "$@"
> 	set +e
> 	set -x
> 	strace -e trace=open,openat $cmd $testfile
> 	set +x
> 	set -e
> 	true
> }
>
> do_test "should succeed"
>
> sudo aa-status > $tmp.status
> sudo aa-enforce $cmd -d $tmp.AA
> sudo aa-status |
> diff -qu $tmp.status - && false
>
> do_test "should fail"
>
> echo alias / '->' $(dirname $testfile)/, |
> tee -a $aliasprof
> sudo aa-disable $cmd -d $tmp.AA
> sudo apparmor_parser --reload $tmp.AA
> sudo aa-status |
> diff -qu $tmp.status - && false
>
> do_test "ALIAS should make it work"
>
> # Restoration
> sudo aa-disable $cmd -d $tmp.AA
> sudo /etc/init.d/apparmor restart
> sudo aa-status |
> diff -qu $tmp.status -
>
> rm -fr $tmp $tmp.*
>
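An added illustration of the rewrite described in the reply above, not code from the AppArmor parser: a small Python model that parses a profile preamble, resolves @{VAR} references first (as the man page says), and then rewrites a rule's leading path only on an exact string match, so "/bin/bash pix," is rewritten while "/bin** r," is not. It also applies the test script's "alias / -> /tmp/," to the rules that script generates. The @{BIN} variable, the PREAMBLE sample and the helper names are assumptions made for this example.

```python
import re

# Constructed sample preamble in AppArmor syntax: one variable definition and
# the alias rule from the reply. @{BIN} is an assumed name for this example.
PREAMBLE = """
@{BIN}=/bin
alias /bin/ -> /usr/bin/,
"""

_VAR_DEF_RE = re.compile(r"^@\{(\w+)\}\s*=\s*(\S+)$")
_ALIAS_RE = re.compile(r"^alias\s+(\S+)\s*->\s*(\S+?),$")
_VAR_REF_RE = re.compile(r"@\{(\w+)\}")


def parse_preamble(text):
    """Collect @{VAR}=value definitions and 'alias src -> dst,' rules."""
    variables, aliases = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := _VAR_DEF_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := _ALIAS_RE.match(line):
            aliases.append((m.group(1), m.group(2)))
        elif line:
            raise ValueError(f"unrecognised preamble line: {line!r}")
    return variables, aliases


def expand_variables(rule, variables):
    """Step 1: variable resolution, which happens before aliasing."""
    return _VAR_REF_RE.sub(lambda m: variables[m.group(1)], rule)


def apply_aliases(rule, aliases):
    """Step 2: rewrite the leading path element by exact string match only.

    A path that literally starts with the alias source is rewritten; a path
    beginning with a glob ("/bin**") does not start with "/bin/" and is kept.
    """
    path, sep, perms = rule.partition(" ")
    for src, dst in aliases:
        if path.startswith(src):
            path = dst + path[len(src):]
            break
    return path + sep + perms


def rewrite_rules(rules, preamble=PREAMBLE):
    """Run both steps, in order, over every file rule of a profile body."""
    variables, aliases = parse_preamble(preamble)
    return [apply_aliases(expand_variables(r, variables), aliases) for r in rules]
```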
[apparmor] How does ALIAS work?
Hello,

Would you kindly explain how to use ALIAS RULE?
Here is a shell script I am testing.
- prepare "/tmp/file"
- generate and enable a profile for cat(1), which allows opening
  "/file".
- expecting a failure, run "cat /tmp/file"
- add an alias rule "alias / -> /tmp/,"
- expecting a success, run "cat /tmp/file" again, but it fails.

Environment
$ uname -a
Linux jrotkm 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11)
x86_64 GNU/Linux

ii  apparmor             2.13.2-10
ii  apparmor-utils       2.13.2-10
ii  libapparmor1:amd64   2.13.2-10
ii  python3-apparmor     2.13.2-10
ii  python3-libapparmor  2.13.2-10

What is wrong with my script?

J. R. Okajima


#!/bin/sh

tmp=/tmp/$$
set -eu

cmd=$(readlink -f /bin/cat)
cmdprof=$tmp.AA/$(echo $cmd | cut -c2- | tr / .)
aliasprof=$tmp.AA/tunables/alias
testfile=/tmp/file
echo test > $testfile

# Work on a private copy of /etc/apparmor.d: lndir creates symlinks, so
# replace the alias tunable with a real file before appending to it.
rm -fr $tmp.AA
mkdir $tmp.AA
lndir -silent /etc/apparmor.d $tmp.AA
cp -p $aliasprof $aliasprof.tmp
mv $aliasprof.tmp $aliasprof

# Generate a profile for cat(1): the binary, its shared libraries,
# the loader cache and the test file by its basename under /.
{
	echo '#include '
	echo $cmd '{'
	echo $cmd mr,
	{
		ldd $cmd |
		fgrep -v linux-vdso
		echo /etc/ld.so.cache
		#echo $testfile
		echo /$(basename $testfile)
	} |
	cut -f2 -d'>' |
	cut -f1 -d'(' |
	xargs -r -n1 readlink -f |
	sed -e 's/$/ mr,/'
	echo '}'
} |
tee $cmdprof #> /dev/null

do_test()
{
	echo \# "$@"
	set +e
	set -x
	strace -e trace=open,openat $cmd $testfile
	set +x
	set -e
	true
}

do_test "should succeed"

sudo aa-status > $tmp.status
sudo aa-enforce $cmd -d $tmp.AA
sudo aa-status |
diff -qu $tmp.status - && false

do_test "should fail"

# Append the alias rule and reload the profile set.
echo alias / '->' $(dirname $testfile)/, |
tee -a $aliasprof
sudo aa-disable $cmd -d $tmp.AA
sudo apparmor_parser --reload $tmp.AA
sudo aa-status |
diff -qu $tmp.status - && false

do_test "ALIAS should make it work"

# Restoration
sudo aa-disable $cmd -d $tmp.AA
sudo /etc/init.d/apparmor restart
sudo aa-status |
diff -qu $tmp.status -

rm -fr $tmp $tmp.*