Hello Seth and John,

Thanks for your answers.
-----------------------------------------------------------------------------------------------------------------------------
It seems that the version of the apparmor parser in use has support for unix
sockets (I use 2.11):

On this:

    $ echo "profile p { unix, }" | apparmor_parser -Qd

I got the following output:

    Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
    ----- Debugging built structures -----
    Name:         p
    Profile Mode: Enforce
    unix (),

-----------------------------------------------------------------------------------------------------------------------------
Is it possible to back-port from v4.13 to v4.4? There are a lot of
changes.
Well, it's not like I want you to do all the work for me, alright? Is it
possible to cooperate on this one?

I think that the main unix socket functionality was brought by this patch:
https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch

What else should be added to the kernel?


2017-12-08 22:37 GMT+01:00 John Johansen <john.johan...@canonical.com>:

> On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
> > Hello,
> >
> > First of all, I googled and experimented. Didn't work out so well.
> >
> > I want to ensure that communication through unix socket is monitored by
> > apparmor.
> > What should I do to make this happen?
> >
>
> As Seth mentioned you will need a kernel, and userspace that supports unix
> socket mediation.
>
> AppArmor 2.11 (latest release) supports unix socket rules.
>
> The Ubuntu kernels have supported unix socket mediation in some form since
> 14.10
>
> The patch does not currently exist in the upstream kernel but there is an
> out of tree patchset available, in the kernel-patches/ directory of the
> userspace project.
>
> You can find it in the release tarball, or gitlab.com/apparmor/apparmor
>
> you will want the v4.13 or v4.14 dir
>
>
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor