Hi Slava,
On Thu, Feb 15, 2018 at 05:21:43PM +0200, Viacheslav Salnikov wrote:
> does AppArmor complain about communication through the unix domain
> sockets into dmesg?
AppArmor's kernel mediation uses the audit facility, which on most systems
does go through dmesg, but with lossy rate-limiting output. Probably
"yes" is the answer you're looking for here :) but I wanted to give a
fuller picture.
> All I've got - AppArmor can restrict access to named unix socket as a
> file - because it is a file - without using "deny unix". Actually, deny
> unix does not work for me with named sockets.
Correct; the sockets in the filesystem have coarse rules compared to
the sockets in the abstract and unnamed namespaces:
    Unix socket rules
        AppArmor supports fine grained mediation of unix domain
        abstract and anonymous sockets. Unix domain sockets with file
        system paths are mediated via file access rules.
        [...]
Thanks
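The split described in the reply above, written out as a profile fragment. This is an added example, not part of the original message or of any shipped AppArmor profile; the profile name, binary path and socket names are hypothetical.

```apparmor
# Constructed example: profile name, binary path and socket names are hypothetical.
#include <tunables/global>

profile example-client /usr/local/bin/example-client {
  #include <abstractions/base>

  # Pathname sockets live in the filesystem, so file rules mediate them.
  # A "unix" rule has no effect on these; access is granted or refused
  # exactly as for any other path.
  /run/example/allowed.sock rw,
  # Explicit deny rules are not logged by default; the "audit" prefix
  # makes the denial show up in the audit log (and usually dmesg).
  audit deny /run/example/blocked.sock rw,

  # Abstract sockets (address written with a leading "@") have no path,
  # so they are mediated by unix rules, which can match on socket type
  # and on the peer's address.
  unix (connect, send, receive) type=stream peer=(addr="@example-allowed"),
  audit deny unix (connect, send, receive) type=stream peer=(addr="@example-blocked"),
}
```

Because kernel audit output is rate-limited, a missing line in dmesg does not prove that no denial occurred; the audit log is the more complete record where auditd is running.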
