Re: [apparmor] IPC and sockets
Many thanks, friends! You gave me information I was looking for.

2018-02-15 21:37 GMT+02:00 John Johansen <john.johan...@canonical.com>:
> On 02/15/2018 07:21 AM, Viacheslav Salnikov wrote:
> > OK, let me be more specific:
> >
> > does AppArmor complain about communication through the unix domain
> > sockets into dmesg?
>
> yes
>
> > All I've got - AppArmor can restrict access to named unix socket as a
> > file - because it is a file - without using "deny unix". Actually, deny
> > unix does not work for me with named sockets.
> >
>
> currently the unix fs sockets can only be mediated as files without typing
> info. This will be extended, but there hasn't been a decision as to whether
> it is done through a file conditional
>
> something like
>
> type=af_unix /foo rw,
>
> or whether its through the socket rules
>

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] IPC and sockets
OK, let me be more specific:

does AppArmor complain about communication through the unix domain sockets into dmesg?

All I've got - AppArmor can restrict access to named unix socket as a file - because it is a file - without using "deny unix". Actually, deny unix does not work for me with named sockets.
Re: [apparmor] IPC and sockets
Thanks. May I ask you another portion of questions about apparmor sockets?

1. Is there some kind of docs which describe *named stream socket* armoring? Because I tried to armor named socket. AppArmor complains only about connection. But I cannot deny send/receive data through such socket. There is a lot of info about anonymous sockets on the Internet, though.

2. So I tried anonymous datagram sockets. It is possible to deny send/receive and no data flow goes through the socket. And I have a question: is it possible to set up apparmor profile to complain every time when an app writes/reads from the socket?

2018-02-09 14:34 GMT+02:00 John Johansen <john.johan...@canonical.com>:
> On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
> > Hi John,
> >
> > But even if upstream backport from 4.10 to 4.4 does not contain
> > out-of-tree patches, Xenial 4.4 has sockets support (*and probably
> > namespaces support too*).
> >
> > Or am I wrong?
> >
>
> correct for socket support, the network and af_unix mediation patches
> are not present in the backport.
>
> as I noted
>
> the upstream backport series does not include the out of tree
> patches but those can be obtained from the apparmor project tree
> in the kernel patches directory
>
> https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
> as for policy namespace support it has existed in various forms since
> apparmor was included in 2.6.36, its just a matter of what interfaces
> are supported. the 4.11, 4.12, and 4.13 kernels each added support for
> newer interfaces and reworked apparmorfs to better support policy
> namespaces.
>
> Full support of apparmor policy around linux namespaces (mount, user,
> pid, ...) is still a wip
>
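Two questions in this thread come down to reading AppArmor's audit output: the top of the thread confirms that unix socket mediation is reported into dmesg, and question 2 above asks how to get a record for every read/write on a socket. The following Python parser is an added example, not code from the thread or from the AppArmor project. It pulls the key=value fields out of AppArmor audit lines and separates records produced by unix socket rules (family="unix") from records produced by file rules (a name= path), which is where a filesystem-bound named socket lands according to this thread. The sample dmesg lines are constructed for the example; the profile name p, the peer addresses, the paths and pids are assumptions, and the exact field set on a real kernel varies by version.

```python
"""Parse AppArmor unix-socket audit records out of dmesg text.

Added example for this thread, not code from the AppArmor project. Field
names (apparmor=, operation=, profile=, family=, sock_type=, requested_mask=,
denied_mask=, addr=, peer_addr=, name=) follow the generic key=value layout
of AppArmor audit messages; the SAMPLE_DMESG lines are constructed, not
captured from a real kernel, and the exact field set varies by kernel.
"""
from __future__ import annotations

import re
from typing import Optional

# One key=value token: either key="quoted value" (may contain spaces) or key=bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (assumed profile "p", assumed addresses/paths). They
# mimic: an anonymous (abstract) stream socket denied by a unix rule, a datagram
# send logged by an audit-qualified unix rule, and a named socket path denied by
# an ordinary file rule. The last line is unrelated dmesg noise.
SAMPLE_DMESG = """\
[ 1234.567890] audit: type=1400 audit(1518700000.123:45): apparmor="DENIED" operation="connect" profile="p" pid=2312 comm="client" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/anon-sock"
[ 1234.600000] audit: type=1400 audit(1518700000.456:46): apparmor="AUDIT" operation="sendmsg" profile="p" pid=2312 comm="client" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@/tmp/anon-dgram"
[ 1234.700000] audit: type=1400 audit(1518700001.000:47): apparmor="DENIED" operation="open" profile="p" name="/run/named.sock" pid=2312 comm="client" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[ 1234.800000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""


def parse_audit_record(line: str) -> Optional[dict]:
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    rec: dict = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        rec[key] = quoted if quoted is not None else bare
    return rec


def parse_dmesg(text: str) -> list[dict]:
    """Extract every AppArmor audit record from a block of dmesg output."""
    records = []
    for line in text.splitlines():
        rec = parse_audit_record(line)
        if rec is not None:
            records.append(rec)
    return records


def mediation_kind(rec: dict) -> str:
    """Classify which rule family produced the record.

    family="unix" records come from unix socket mediation (anonymous/abstract
    sockets); records carrying a name= path come from file mediation, which
    is how a filesystem-bound (named) socket is governed per this thread.
    """
    if rec.get("family") == "unix":
        return "unix-rule"
    if "name" in rec:
        return "file"
    return "other"


def summarize(records: list[dict]) -> dict:
    """Count records per (profile, mediation kind, target) and decision.

    The decision is the apparmor= value: DENIED (blocked), AUDIT (allowed by
    an audit-qualified rule and logged), ALLOWED (profile in complain mode).
    """
    summary: dict = {}
    for rec in records:
        kind = mediation_kind(rec)
        if kind == "other":
            continue
        target = rec.get("peer_addr") or rec.get("name") or rec.get("addr", "?")
        key = (rec.get("profile", "?"), kind, target)
        bucket = summary.setdefault(key, {})
        decision = rec.get("apparmor", "?")
        bucket[decision] = bucket.get(decision, 0) + 1
    return summary


if __name__ == "__main__":
    for (profile, kind, target), decisions in summarize(parse_dmesg(SAMPLE_DMESG)).items():
        print(f"{profile:8} {kind:10} {target:20} {decisions}")
```

Run it with python3 to print one summary row per profile/target; in practice you would feed it the output of dmesg or journalctl -k instead of the constructed sample. Records with apparmor="AUDIT" are the ones an audit-qualified rule emits for an access it allowed, which is the closest thing to "complain every time" on an anonymous socket; a profile in complain mode reports apparmor="ALLOWED" instead, and a named socket only ever shows up through the file path in name=.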
Re: [apparmor] IPC and sockets
Hi John,

But even if upstream backport from 4.10 to 4.4 does not contain out-of-tree patches, Xenial 4.4 has sockets support (*and probably namespaces support too*).

Or am I wrong?

2018-02-07 15:59 GMT+02:00 John Johansen <john.johan...@canonical.com>:
> On 02/07/2018 04:32 AM, Viacheslav Salnikov wrote:
> > Hi guys,
> >
> > I checked out Ubuntu 16.04 and got this output:
> > $ cat /sys/kernel/security/apparmor/features/network/af_unix
> > yes
> >
> > But Ubuntu 16.04 based on 4.4 kernel
> > $ uname -a
> > Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> >
> > I cloned xenial kernel for investigation and af_unix is in the kernel.
> > Does it mean that somebody did the backport or what? Maybe you know
> > about that.
> >
>
> yes ubuntu backported the 17.04 apparmor patches to the 4.4 kernel for
> 16.04. You can find the same basic backports against the upstream kernel at
>
> http://kernel.ubuntu.com/git/jj/linux-apparmor-backports/
>
> specifically the branch series
>
> v4.10-aa3.6-backport-to-v4.X
>
> where X covers 4.0 .. 4.9
>
> there is also a v4.13 backport series, but it only backports 4.13 apparmor to
> 4.12, 4.11, and 4.10
>
> the upstream backport series does not include the out of tree patches but
> those can be obtained from the apparmor project tree in the kernel patches
> directory
>
> https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
> or from the ubuntu kernel git tree
>
> this comes with the standard disclaimer that out of tree patches and
> interfaces may change some as part of the upstreaming process
>
Re: [apparmor] IPC and sockets
Hi guys,

I checked out Ubuntu 16.04 and got this output:
$ cat /sys/kernel/security/apparmor/features/network/af_unix
yes

But Ubuntu 16.04 based on 4.4 kernel
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I cloned xenial kernel for investigation and af_unix is in the kernel.
Does it mean that somebody did the backport or what? Maybe you know about that.

Best regards,
Slava.

2017-12-14 11:55 GMT+02:00 Viacheslav Salnikov <slavasalnik...@gmail.com>:
> Hello Seth and John,
>
> Thanks for your answers.
>
> - It seems that used version of apparmor parser has support for unix sockets
> (I use 2.11):
>
> on this
> $ echo "profile p { unix, }" | apparmor_parser -Qd
>
> I got the following output
>
> Warning from stdin (line 1): apparmor_parser: cannot use or update
> cache, disable, or force-complain via stdin
> - Debugging built structures -
> Name: p
> Profile Mode: Enforce
> unix (),
>
> - Is it possible to back-port from v4.13 to the v4.4? There are a lot of
> changes.
> Well, it's not like I want you to do all the work for me, alright? Is it
> possible to cooperate on this one?
>
> I think that the main unix socket functionality was brought by this patch:
> https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch
>
> What else should be added to the kernel?
>
>
> 2017-12-08 22:37 GMT+01:00 John Johansen <john.johan...@canonical.com>:
>
>> On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
>> > Hello,
>> >
>> > First of all, I googled and experimented. Didn't work out so well.
>> >
>> > I want to ensure that communication through unix socket is monitored by
>> > apparmor.
>> > What should I do to make this happen?
>> >
>>
>> As Seth mentioned you will need a kernel, and userspace that supports
>> unix socket mediation.
>>
>> AppArmor 2.11 (latest release) supports unix socket rules.
>>
>> The Ubuntu kernels have supported unix socket mediation in some form
>> since 14.10
>>
>> The patch does not currently exist in the upstream kernel but there is an
>> out of tree patchset available, in the kernel-patches/ directory of the
>> userspace project.
>>
>> You can find it in the release tarball, or gitlab.com/apparmor/apparmor
>>
>> you will want the v4.13 or v4.14 dir
>>
Re: [apparmor] IPC and sockets
Hello Seth and John,

Thanks for your answers.

- It seems that used version of apparmor parser has support for unix sockets (I use 2.11):

on this
$ echo "profile p { unix, }" | apparmor_parser -Qd

I got the following output

Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
- Debugging built structures -
Name: p
Profile Mode: Enforce
unix (),

- Is it possible to back-port from v4.13 to the v4.4? There are a lot of changes.
Well, it's not like I want you to do all the work for me, alright? Is it possible to cooperate on this one?

I think that the main unix socket functionality was brought by this patch:
https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch

What else should be added to the kernel?

2017-12-08 22:37 GMT+01:00 John Johansen <john.johan...@canonical.com>:
> On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
> > Hello,
> >
> > First of all, I googled and experimented. Didn't work out so well.
> >
> > I want to ensure that communication through unix socket is monitored by
> > apparmor.
> > What should I do to make this happen?
> >
>
> As Seth mentioned you will need a kernel, and userspace that supports unix
> socket mediation.
>
> AppArmor 2.11 (latest release) supports unix socket rules.
>
> The Ubuntu kernels have supported unix socket mediation in some form since
> 14.10
>
> The patch does not currently exist in the upstream kernel but there is an
> out of tree patchset available, in the kernel-patches/ directory of the
> userspace project.
>
> You can find it in the release tarball, or gitlab.com/apparmor/apparmor
>
> you will want the v4.13 or v4.14 dir
>
[apparmor] IPC and sockets
Hello,

First of all, I googled and experimented. Didn't work out so well.

I want to ensure that communication through unix socket is monitored by apparmor.
What should I do to make this happen?

Hope you will help me with that. Thanks.
Re: [apparmor] AppArmor dependency on python
Hi Tyler and John,

"The majority of the profile manipulation tools are now written in python."
Could you please provide more detailed information about these tools? Like a list, at least.

$ (cd libraries/libapparmor && ./autogen.sh && ./configure \
   && make && make check) && \
  (cd binutils && make && make check) && \
  (cd parser && make)

Thank you, I will try.

2017-11-17 21:06 GMT+02:00 Tyler Hicks <tyhi...@canonical.com>:
> On 11/17/2017 12:57 PM, John Johansen wrote:
> > On 11/17/2017 01:33 AM, Viacheslav Salnikov wrote:
> >> Hi guys,
> >>
> >> I have a question about apparmor and its dependency from python.
> >> I'm using it with Yocto, apparmor version is 2.11.0.
> >>
> >> Except *aa-easyprof*, does apparmor or its libraries and utilities use
> >> python for something? I am talking not only about execution but also about
> >> compilation, installing etc.
> >>
> > the very base of apparmor, parser, libraries, some basic tools
> > aa-enabled, aa-exec do not use python, this allows for minimal installs
> > with very few dependencies.
>
> You should be able to build the library, parser, and binutils without
> Python. Your build commands would look something like:
>
> $ (cd libraries/libapparmor && ./autogen.sh && ./configure \
>    && make && make check) && \
>   (cd binutils && make && make check) && \
>   (cd parser && make)
>
> You won't be able to run `make check` in parser/ as some of the tests
> depend on Python (and some Perl).
>
> Tyler
>
[apparmor] AppArmor dependency on python
Hi guys,

I have a question about apparmor and its dependency from python.
I'm using it with Yocto, apparmor version is 2.11.0.

Except *aa-easyprof*, does apparmor or its libraries and utilities use python for something? I am talking not only about execution but also about compilation, installing etc.

Thanks!