Re: [apparmor] [RFC] Apparmor: Add support for attaching profiles via xattr presence and value
On Fri, Dec 8, 2017 at 2:06 PM, Matthew Garrett wrote:
> On Tue, Nov 28, 2017 at 5:45 PM, Seth Arnold wrote:
>> Hello Matthew, thanks for this; I'll let John comment on the larger design
>> of the patch, I'll just nitpick one little piece:
>>
>> On Tue, Nov 28, 2017 at 04:08:15PM -0800, Matthew Garrett wrote:
>>> + kzfree(profile->xattrs);
>>> + kzfree(profile->xattr_lens);
>>> + kzfree(profile->xattr_values);
>>> kzfree(profile->dirname);
>>> aa_put_dfa(profile->xmatch);
>>> aa_put_dfa(profile->policy.dfa);
>>
>> profile->xattr_values is a vector of strings, but only the pointers are
>> cleaned up here, leaking all the xattr values themselves when the profile
>> is freed.
>
> The strings in this case are pointers to the values in the loaded
> policy blob, I think? Eg, profile->attach is extracted with
> unpack_str() but not explicitly freed.

To clarify, if I should be freeing stuff here then I think there's another bug in that I'm not copying it first :)

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
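Review bot: the three new kzfree() calls free only the arrays, and the hunk gives no indication whether the strings that profile->xattr_values points at are owned by the profile or merely point into the loaded policy blob, so the leak Seth flags cannot be ruled out from the hunk itself. Suggest stating the ownership in a comment beside the frees; if the values ever become profile-owned copies, the free path must also walk xattr_values and free each entry before kzfree(profile->xattr_values).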
Re: [apparmor] [RFC] Apparmor: Add support for attaching profiles via xattr presence and value
On Tue, Nov 28, 2017 at 5:45 PM, Seth Arnold wrote:
> Hello Matthew, thanks for this; I'll let John comment on the larger design
> of the patch, I'll just nitpick one little piece:
>
> On Tue, Nov 28, 2017 at 04:08:15PM -0800, Matthew Garrett wrote:
>> + kzfree(profile->xattrs);
>> + kzfree(profile->xattr_lens);
>> + kzfree(profile->xattr_values);
>> kzfree(profile->dirname);
>> aa_put_dfa(profile->xmatch);
>> aa_put_dfa(profile->policy.dfa);
>
> profile->xattr_values is a vector of strings, but only the pointers are
> cleaned up here, leaking all the xattr values themselves when the profile
> is freed.

The strings in this case are pointers to the values in the loaded policy blob, I think? Eg, profile->attach is extracted with unpack_str() but not explicitly freed.
Re: [apparmor] IPC and sockets
On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
> Hello,
>
> First of all, I googled and experimented. Didn't work out so well.
>
> I want to ensure that communication through unix socket is monitored by
> apparmor.
> What should I do to make this happen?
>

As Seth mentioned, you will need a kernel and userspace that support unix socket mediation.

AppArmor 2.11 (latest release) supports unix socket rules.

The Ubuntu kernels have supported unix socket mediation in some form since 14.10. The patch does not currently exist in the upstream kernel, but there is an out-of-tree patchset available in the kernel-patches/ directory of the userspace project. You can find it in the release tarball, or at gitlab.com/apparmor/apparmor; you will want the v4.13 or v4.14 dir.
Re: [apparmor] IPC and sockets
On Fri, Dec 08, 2017 at 06:20:01PM +0200, Viacheslav Salnikov wrote:
> I want to ensure that communication through unix socket is monitored by
> apparmor.
> What should I do to make this happen?

Hello Viacheslav,

This is actually slightly complicated to answer:

- Different kernels will have different kinds of mediation available.
  Hopefully this problem will be getting better in the future, but in the
  meantime, it's best to check the advertised features of the system in
  question:

  $ cat /sys/kernel/security/apparmor/features/network/af_unix
  yes

- Different parsers will have different kinds of mediation available. The
  easy test is to try:

  $ echo "profile p { unix, }" | apparmor_parser -Qd
  Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
  - Debugging built structures -
  Name: p
  Profile Mode: Enforce
  unix (),

- Policy pinning via apparmor_parser's --features-file (-M) setting may
  influence what is actually compiled.

I hope this helps, please don't hesitate to ask for further help.

Thanks
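The two replies above describe the same pair of checks: does the running kernel advertise AF_UNIX mediation in securityfs, and does the installed apparmor_parser accept a `unix,` rule. The script below, an added example that is neither from the thread nor from the AppArmor project, turns those checks into reusable shell functions. The optional features-directory argument is a hypothetical parameter added so the kernel check can be exercised against a constructed directory; it defaults to the real `/sys/kernel/security/apparmor/features` path.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the AppArmor project).
# Checks whether this system can mediate AF_UNIX sockets with AppArmor:
#   1. the kernel advertises network/af_unix under its features tree, and
#   2. apparmor_parser compiles a profile containing a "unix," rule.
# The first argument of the kernel check is a hypothetical parameter that
# lets the check run against a constructed features directory.

# Exit status: 0 = kernel advertises af_unix mediation as "yes",
#              1 = the feature file exists but does not say "yes",
#              2 = no feature file at all (old kernel, or out-of-tree
#                  patchset not applied).
aa_unix_kernel_support() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    feature_file="$features_dir/network/af_unix"
    [ -r "$feature_file" ] || return 2
    value=$(cat "$feature_file")
    if [ "$value" = "yes" ]; then
        return 0
    fi
    return 1
}

# Exit status: 0 = parser accepts "unix,", 1 = parser rejects it,
#              2 = apparmor_parser is not installed.
# -Q compiles without loading into the kernel, matching the thread's test;
# -M <features-file> could be added to pin policy to a saved feature set.
aa_unix_parser_support() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    if printf 'profile p { unix, }\n' | apparmor_parser -Q >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print a verdict for both checks; the exit status mirrors the kernel check
# so the function can gate later steps in a provisioning script.
aa_unix_mediation_report() {
    kernel=0; aa_unix_kernel_support "$1" || kernel=$?
    parser=0; aa_unix_parser_support || parser=$?
    case $kernel in
        0) echo "kernel: af_unix mediation advertised" ;;
        1) echo "kernel: af_unix feature file present but not 'yes'" ;;
        *) echo "kernel: no af_unix feature file (out-of-tree patchset missing?)" ;;
    esac
    case $parser in
        0) echo "parser: 'unix,' rule accepted" ;;
        1) echo "parser: 'unix,' rule rejected (apparmor_parser too old?)" ;;
        *) echo "parser: apparmor_parser not installed" ;;
    esac
    return $kernel
}

# Usage:
#   aa_unix_mediation_report             # inspect the running system
#   aa_unix_mediation_report /tmp/feat   # inspect a constructed features tree
```

Both checks are split out because they fail independently: a patched kernel with an old parser, or a new parser on an unpatched kernel, each leaves unix rules unenforced, and the report makes clear which half is missing.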
[apparmor] IPC and sockets
Hello,

First of all, I googled and experimented. Didn't work out so well.

I want to ensure that communication through unix socket is monitored by apparmor.
What should I do to make this happen?

Hope you will help me with that.

Thanks.