Re: [apparmor] [RFC] Apparmor: Add support for attaching profiles via xattr presence and value

2017-12-08 Thread Matthew Garrett
On Fri, Dec 8, 2017 at 2:06 PM, Matthew Garrett  wrote:
> On Tue, Nov 28, 2017 at 5:45 PM, Seth Arnold wrote:
>> Hello Matthew, thanks for this; I'll let John comment on the larger design
>> of the patch, I'll just nitpick one little piece:
>>
>> On Tue, Nov 28, 2017 at 04:08:15PM -0800, Matthew Garrett wrote:
>>> + kzfree(profile->xattrs);
>>> + kzfree(profile->xattr_lens);
>>> + kzfree(profile->xattr_values);
>>>   kzfree(profile->dirname);
>>>   aa_put_dfa(profile->xmatch);
>>>   aa_put_dfa(profile->policy.dfa);
>>
>> profile->xattr_values is a vector of strings, but only the pointers are
>> cleaned up here, leaking all the xattr values themselves when the profile
>> is freed.
>
> The strings in this case are pointers to the values in the loaded
> policy blob, I think? Eg, profile->attach is extracted with
> unpack_str() but not explicitly freed.

To clarify, if I should be freeing stuff here then I think there's
another bug in that I'm not copying it first :)

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] [RFC] Apparmor: Add support for attaching profiles via xattr presence and value

2017-12-08 Thread Matthew Garrett
On Tue, Nov 28, 2017 at 5:45 PM, Seth Arnold  wrote:
> Hello Matthew, thanks for this; I'll let John comment on the larger design
> of the patch, I'll just nitpick one little piece:
>
> On Tue, Nov 28, 2017 at 04:08:15PM -0800, Matthew Garrett wrote:
>> + kzfree(profile->xattrs);
>> + kzfree(profile->xattr_lens);
>> + kzfree(profile->xattr_values);
>>   kzfree(profile->dirname);
>>   aa_put_dfa(profile->xmatch);
>>   aa_put_dfa(profile->policy.dfa);
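Review bot: the three new kzfree() calls release the xattrs, xattr_lens and xattr_values arrays, but nothing in this hunk releases the strings that the xattr_values entries point at, and the hunk does not make the ownership of those strings visible either way. If the unpack path copied the values, a loop over the entries (for example `kzfree(profile->xattr_values[i]);` for each index up to whatever field holds the count) belongs before `kzfree(profile->xattr_values);`; if they are pointers into the loaded policy blob, as the reply says profile->attach is, a one-line comment next to the kzfree saying so would stop the next reader from asking the same question and would record that the blob must outlive the profile.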
>
> profile->xattr_values is a vector of strings, but only the pointers are
> cleaned up here, leaking all the xattr values themselves when the profile
> is freed.

The strings in this case are pointers to the values in the loaded
policy blob, I think? Eg, profile->attach is extracted with
unpack_str() but not explicitly freed.



Re: [apparmor] IPC and sockets

2017-12-08 Thread John Johansen
On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
> Hello,
> 
> First of all, I googled and experimented. Didn't work out so well.
> 
> I want to ensure that communication through unix socket is monitored by 
> apparmor.
> What should I do to make this happen?
> 

As Seth mentioned, you will need a kernel and userspace that support unix socket
mediation.

AppArmor 2.11 (latest release) supports unix socket rules.

The Ubuntu kernels have supported unix socket mediation in some form since 14.10.

The patch does not currently exist in the upstream kernel, but there is an
out-of-tree patchset available in the kernel-patches/ directory of the
userspace project.

You can find it in the release tarball, or at gitlab.com/apparmor/apparmor.

You will want the v4.13 or v4.14 dir.




Re: [apparmor] IPC and sockets

2017-12-08 Thread Seth Arnold
On Fri, Dec 08, 2017 at 06:20:01PM +0200, Viacheslav Salnikov wrote:
> I want to ensure that communication through unix socket is monitored by
> apparmor.
> What should I do to make this happen?

Hello Viacheslav,

This is actually slightly complicated to answer:

- Different kernels will have different kinds of mediation available.
  Hopefully this problem will be getting better in the future, but in the
  meantime, it's best to check the advertised features of the system in
  question:

  $ cat /sys/kernel/security/apparmor/features/network/af_unix
  yes

- Different parsers will have different kinds of mediation available. The
  easy test is to try:

  $ echo "profile p { unix, }" | apparmor_parser -Qd
  Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
  - Debugging built structures -
  Name: p
  Profile Mode: Enforce
  unix (),

- Policy pinning via apparmor_parser's --features-file (-M) setting may
  influence what is actually compiled.

I hope this helps, please don't hesitate to ask for further help.

Thanks


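The three checks Seth lists above (kernel feature file, parser acceptance of a unix rule, and policy pinning with -M), collected into one script as an added example; this is not code from the thread or from the AppArmor project. It assumes the kernel reports support as the single word "yes" in features/network/af_unix as shown above, that an accepted rule appears as "unix" in the apparmor_parser -d dump as in the output above, and that --features-file/-M can be pointed at a features directory (libapparmor accepts either a file or a directory there). The script name check_af_unix.sh and the function names are mine.

```shell
#!/bin/sh
# check_af_unix.sh: can this host mediate AF_UNIX sockets with AppArmor?
# Added example for the thread above, not AppArmor project code.
# Assumptions: the kernel advertises support as the word "yes" in
# features/network/af_unix, and apparmor_parser -d prints an accepted
# unix rule as "unix (),".

# Check 1: the running kernel.  $1 overrides the securityfs root so the
# function can be pointed at a copy of another system's features tree.
kernel_af_unix() {
    aa_root="${1:-/sys/kernel/security/apparmor}"
    feature="$aa_root/features/network/af_unix"
    [ -r "$feature" ] || return 1           # file absent: no mediation
    [ "$(cat "$feature")" = "yes" ]         # anything but "yes": treat as no
}

# Check 2 (and 3): the parser.  Returns 0 if apparmor_parser compiles a
# profile containing "unix," and the rule survives into the -d dump, 1 if
# the rule is rejected or silently dropped, 2 if apparmor_parser is missing.
# $1 optionally pins the features set with -M (a features file or directory;
# directory support is assumed from libapparmor's aa_features_new): this is
# the case where the parser accepts a rule that the target kernel cannot use.
parser_unix_rule() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    # -Q: do not load into the kernel, -d: dump the built structures.
    if [ -n "${1:-}" ]; then
        dump=$(echo 'profile p { unix, }' | apparmor_parser -Qd -M "$1" 2>&1) || return 1
    else
        dump=$(echo 'profile p { unix, }' | apparmor_parser -Qd 2>&1) || return 1
    fi
    # Exit status alone is not enough: a dropped rule still compiles cleanly.
    printf '%s\n' "$dump" | grep -q '^[[:space:]]*unix'
}

# Report both checks.  Optional $1 = AppArmor securityfs root; when given,
# the parser check is pinned to that tree's features directory.
main() {
    ok=0
    if kernel_af_unix "${1:-}"; then
        echo "kernel:  af_unix mediation advertised"
    else
        echo "kernel:  no af_unix feature (or securityfs not mounted)"; ok=1
    fi
    rc=0
    if [ -n "${1:-}" ]; then
        parser_unix_rule "$1/features" || rc=$?
    else
        parser_unix_rule || rc=$?
    fi
    case $rc in
        0) echo "parser:  unix rules compile" ;;
        1) echo "parser:  unix rules rejected or dropped"; ok=1 ;;
        *) echo "parser:  apparmor_parser not installed"; ok=1 ;;
    esac
    return $ok
}

# The functions' return codes are what a script should branch on.
status=0
main "$@" || status=$?
```

Run it with no argument to repeat Seth's two commands on the local machine, or give it the root of a copied securityfs tree (`sh check_af_unix.sh /path/to/apparmor`) to see whether a policy pinned to that kernel's features still carries the unix rule.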


[apparmor] IPC and sockets

2017-12-08 Thread Viacheslav Salnikov
Hello,

First of all, I googled and experimented. Didn't work out so well.

I want to ensure that communication through unix socket is monitored by
apparmor.
What should I do to make this happen?

Hope you will help me with that.

Thanks.