|| ||John@suse.de, Johansen@suse.de|
|| ||[AppArmor 00/47] AppArmor security module overview|
|| ||Thu, 20 Dec 2007 06:09:10 -0800|
|| ||email@example.com, firstname.lastname@example.org|
This submission of the AppArmor security module is based against 2.6.24-rc4-mm.
Any comments and feedback to improve implementation are appreciated.
Changes since previous submission
- added apparmor security goal document.
- removed DAC style permissions in favor of a simpler file owner
- include the fgetattr and fsetattr patches by Miklos Szeredi
<email@example.com>, and update them to use ATTR_FILE to enable LSMs to
distinguish file descriptor operations
- fix error where a NULL sock passed to socket_getsocket_getpeersec_dgram()
was not correctly handled.
- fix error in link permission subset test
- use of d_namespace_path and buffer allocation to obtain a pathname for
- conditional passing of the vfsmnt. This can be addressed by rebasing
on the lookup intent patches but that has not been done for this
- ipc and signal mediation are a wip and not included.
- fine grained network mediation
- system confinement from boot is a wip and not included.
- documentation needs to be updated to include newest features
The patch series consists of five areas:
(1) Pass struct vfsmount through to LSM hooks.
(2) Fixes and improvements to __d_path():
(a) make it unambiguous and exclude unreachable paths from
(b) make its result consistent in the face of remounts,
(c) introduce d_namespace_path(), a variant of d_path that goes up
to the namespace root instead of the chroot.
(d) the behavior of d_path() and getcwd() remain unchanged, and
there is no hidding of unreachable paths in /proc/mounts. The
patches addressing these have been seperated from the AppArmor
submission and will be introduced at a later date.
Part (a) has been in the -mm tree for a while; this series includes
an updated copy of the -mm patch. Parts (b) and (c) shouldn't be too
(3) Be able to distinguish file descriptor access from access by name
in LSM hooks.
Applications expect different behavior from file descriptor
accesses and accesses by name in some cases. We need to pass this
information down the LSM hooks to allow AppArmor to tell which is
(4) Convert the selinux sysctl pathname computation code into a standalone
(5) The AppArmor LSM itself.
A tarball of the kernel patches, base user-space utilities, example
profiles, and technical documentation (including a walk-through) are
Only the most recent features are covered in brief here for a more
complete explaination please refere to the technical documentation.
File ownership permissions
The DAC style permissions mask allowing the specification of permission
for each of user, group, and other have been removed, after further feed
back and discussion, in favor of a simpler permission set that allows
specifying permissions for file ownership as determined by fsuid.
Traditional AppArmor rules map to specifying permissions for files
all files, to reduce the permissions grant the owner keyword can
be added to a rule.
/foo rw, # allow access to file /foo
owner /foo rw, # allow access to file /foo only if its uid == fsuid
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html