List:       apparmor-dev
Subject:    Re: [apparmor] [PATCH] 02/04 abstraction updates for abstract, anonymous and netlink
From:       John Johansen <john.johansen () canonical ! com>
Date:       2014-08-29 22:20:04
Message-ID: 5400FC94.106 () canonical ! com
On 08/27/2014 03:55 PM, Seth Arnold wrote:
> On Wed, Aug 27, 2014 at 04:47:01PM -0500, Jamie Strandboge wrote:
>> On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
>>
>>> Starting a subthread for some additions to John's patches. This series assumes
>>> John's 12 patches are applied and includes updates to the apparmor.d man page
>>> and some policy updates. I expect I might have to adjust this a bit, but wanted
>>> to send it up for comment. Let's have an ACK mean to apply it once it is safe to
>>> do so.
>>>
>>
>> Attached is a patch for:
>>  - the base abstraction for common abstract and anonymous rules (comments
>>    included per rule)
>>  - dbus-session-strict to add a rule for connecting to the dbus session abstract
>>    socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
>>    explicit label if people preferred that
> 
> I don't like the label=unconfined on the dbus socket -- that would make it
> harder to confine dbus.
> 
>>  - X to add a rule for connecting to the X abstract socket. Same as for
>>    dbus-session-strict
>>  - nameservice to add a rule for connecting to a netlink raw. This change could
>>    possibly be excluded, but applications using networking (at least on Ubuntu)
>>    all seem to need it. Excluding it would mean systems using nscd would need to
>>    add this and ones not using it would have a noisy denial
> 
> Hmm. Netlink grants a lot. Can we make this any finer?
> 
Not yet but soon, the af_unix patch series lays the ground work. We now can properly
select between old and new etc. All we have to do is add an extended mediation
rule for netlink. It will follow a pattern similar to af_unix but with address
and such changes matching what netlink does.

In addition to netlink there will be ipv4, and ipv6 extensions and we can add others
as we see fit.


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
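As an added illustration of the rule shapes Jamie's list describes (not the patch posted in this thread), here is how those abstraction additions look in AppArmor's af_unix rule syntax; the socket addresses, the use of `@{profile_name}`, and the choice to drop the explicit peer label are assumptions:

```apparmor
# Added illustration, not the posted patch. Socket addresses and label
# choices below are assumptions.

# base abstraction: abstract and anonymous unix sockets between tasks that
# carry this profile's own label (anonymous sockets, e.g. from socketpair(),
# have no address to match on)
unix peer=(label=@{profile_name}),

# dbus-session-strict: connect to the session bus abstract socket.
# Pinning the peer to unconfined (commented out) is what Seth objected to:
# once dbus-daemon is given its own profile, this rule stops matching.
# unix (connect, receive, send) type=stream peer=(label=unconfined addr="@/tmp/dbus-*"),
# Matching on the address alone keeps working if dbus is later confined.
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),

# X: connect to the X server's abstract socket
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),

# nameservice: netlink raw for the resolver; coarse until the finer netlink
# mediation John describes exists
network netlink raw,
```

With a profile in complain mode, the audit log shows which peer address each denied connect targets, which is the quickest way to confirm the address patterns above match a given system.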