Re: [apparmor] IPC and sockets
On 02/15/2018 07:21 AM, Viacheslav Salnikov wrote:
> OK, let me be more specific:
>
> does AppArmor complain about communication through the unix domain sockets
> into dmesg?
>
yes

> All I've got - AppArmor can restrict access to named unix socket as a file -
> because it is a file - without using "deny unix". Actually, deny unix does
> not work for me with named sockets.
>
currently the unix fs sockets can only be mediated as files without typing info. This will be extended, but there hasn't been a decision as to whether it is done through a file conditional something like type=af_unix /foo rw, or whether it's through the socket rules

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] IPC and sockets
Hi Slava,

On Thu, Feb 15, 2018 at 05:21:43PM +0200, Viacheslav Salnikov wrote:
> does AppArmor complain about communication through the unix domain
> sockets into dmesg?

AppArmor's kernel mediation uses the audit facility, which on most systems does go through dmesg, but with lossy rate-limiting output. Probably "yes" is the answer you're looking for here :) but I wanted to give a fuller picture.

> All I've got - AppArmor can restrict access to named unix socket as a
> file - because it is a file - without using "deny unix". Actually, deny
> unix does not work for me with named sockets.

Correct; the sockets in the filesystem have coarse rules compared to the sockets in the abstract and unnamed namespaces:

    Unix socket rules

    AppArmor supports fine grained mediation of unix domain abstract and
    anonymous sockets. Unix domain sockets with file system paths are
    mediated via file access rules.

    [...]

Thanks
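The distinction the man page excerpt above draws (a socket with a filesystem path is an inode and is mediated by file rules; an abstract-namespace socket has no inode and is only reachable by unix socket rules) is easy to see from user space. The script below is an added example, not code from the thread or from the AppArmor project: it binds one AF_UNIX stream socket at a filesystem path and one in the abstract namespace (leading NUL byte, Linux only), exchanges a message over each, and reports whether a socket inode exists for the address. The socket paths, socket names, function names and the profile rules quoted in the comments are illustrative assumptions; no profile is loaded, so nothing here is enforced, and the rule shapes should be checked against apparmor.d(5) for the AppArmor version in use.

```python
"""Named (filesystem) vs abstract AF_UNIX sockets, and why AppArmor treats them differently."""
import os
import socket
import stat
import tempfile
import threading

TIMEOUT = 5  # seconds; keeps a broken run from hanging forever on accept()/connect()


def _serve_one(listener, reply):
    """Accept a single client on the listening socket and send it a fixed reply."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(reply)


def exchange(addr, reply):
    """Bind a stream socket at addr, connect a client to it, and return the bytes the client read."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.settimeout(TIMEOUT)
    srv.bind(addr)
    srv.listen(1)
    server = threading.Thread(target=_serve_one, args=(srv, reply))
    server.start()
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.settimeout(TIMEOUT)
    try:
        cli.connect(addr)
        return cli.recv(64)
    finally:
        cli.close()
        server.join(TIMEOUT)
        srv.close()


def filesystem_socket_demo():
    """Socket with a filesystem path (constructed under a temp dir for this demo).

    The bind() creates a socket inode, so stat() reports S_ISSOCK and AppArmor
    mediates access to it with an ordinary file rule, e.g. (illustrative):
        /run/demo.sock rw,
    """
    tmpdir = tempfile.mkdtemp(prefix="aa-ipc-")
    path = os.path.join(tmpdir, "demo.sock")
    try:
        reply = exchange(path, b"named")
        is_inode = stat.S_ISSOCK(os.stat(path).st_mode)
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
    return {"addr": path, "is_socket_inode": is_inode, "reply": reply}


def abstract_socket_demo():
    """Abstract-namespace socket: the address is a byte string starting with NUL.

    Nothing appears in the filesystem, so file rules cannot see it; only unix
    socket rules apply, e.g. (illustrative, assumed rule shapes):
        unix (bind, listen) addr=@aa-ipc-demo,
        unix (connect, receive, send) type=stream peer=(addr=@aa-ipc-demo),
    """
    name = b"\0aa-ipc-demo-%d" % os.getpid()  # pid suffix avoids clashing with another run
    try:
        reply = exchange(name, b"abstract")
    except OSError:  # kernels without an abstract namespace (non-Linux) cannot bind this
        return {"addr": name, "is_socket_inode": False, "reply": None}
    return {"addr": name, "is_socket_inode": False, "reply": reply}


if __name__ == "__main__":
    for result in (filesystem_socket_demo(), abstract_socket_demo()):
        print(result)
```

Running it under a confined profile is where it becomes useful: a denied connect to the path socket shows up in the audit/dmesg output as a file operation against that path, while a denied connect to the abstract socket shows up as a unix socket operation, which is why "deny unix" alone never affects the named socket.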
Re: [apparmor] IPC and sockets
OK, let me be more specific:

does AppArmor complain about communication through the unix domain sockets into dmesg?

All I've got - AppArmor can restrict access to named unix socket as a file - because it is a file - without using "deny unix". Actually, deny unix does not work for me with named sockets.