Re: [apparmor] IPC and sockets

2018-02-16 Thread Viacheslav Salnikov
Many thanks, friends!

You gave me information I was looking for.

2018-02-15 21:37 GMT+02:00 John Johansen :

> On 02/15/2018 07:21 AM, Viacheslav Salnikov wrote:
> > OK, let me be more specific:
> >
> > does AppArmor complain about communication through the unix domain
> sockets into dmesg?
> >
> yes
>
> > All I've got - AppArmor can restrict access to named unix socket as a
> file - because it is a file - without using "deny unix". Actually, deny
> unix does not work for me with named sockets.
> >
> >
> currently the unix fs sockets can only be mediated as files without typing
> info. This will be extended, but there hasn't been a decision as to whether
> it is done through a file conditional
>
> something like
>
>   type=af_unix /foo rw,
>
> or whether it's through the socket rules
>
>
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] IPC and sockets

2018-02-15 Thread John Johansen
On 02/15/2018 07:21 AM, Viacheslav Salnikov wrote:
> OK, let me be more specific:
> 
> does AppArmor complain about communication through the unix domain sockets 
> into dmesg?
> 
yes

> All I've got - AppArmor can restrict access to named unix socket as a file - 
> because it is a file - without using "deny unix". Actually, deny unix does 
> not work for me with named sockets.
> 
> 
currently the unix fs sockets can only be mediated as files without typing 
info. This will be extended, but there hasn't been a decision as to whether it 
is done through a file conditional

something like

  type=af_unix /foo rw,

or whether it's through the socket rules




Re: [apparmor] IPC and sockets

2018-02-15 Thread Seth Arnold
Hi Slava,

On Thu, Feb 15, 2018 at 05:21:43PM +0200, Viacheslav Salnikov wrote:
> does AppArmor complain about communication through the unix domain
> sockets into dmesg?

AppArmor's kernel mediation uses the audit facility, which on most systems
does go through dmesg, but with lossy rate-limiting output. Probably
"yes" is the answer you're looking for here :) but I wanted to give a
fuller picture.

> All I've got - AppArmor can restrict access to named unix socket as a
> file - because it is a file - without using "deny unix". Actually, deny
> unix does not work for me with named sockets.

Correct; the sockets in the filesystem have coarse rules compared to
the sockets in the abstract and unnamed namespaces:

   Unix socket rules
   AppArmor supports fine grained mediation of unix domain
   abstract and anonymous sockets. Unix domain sockets with file
   system paths are mediated via file access rules.
   [...]

Thanks




Re: [apparmor] IPC and sockets

2018-02-15 Thread Viacheslav Salnikov
OK, let me be more specific:

does AppArmor complain about communication through the unix domain sockets
into dmesg?

All I've got - AppArmor can restrict access to named unix socket as a file
- because it is a file - without using "deny unix". Actually, deny unix
does not work for me with named sockets.


Re: [apparmor] IPC and sockets

2018-02-13 Thread Viacheslav Salnikov
Thanks.

May I ask you another portion of questions about apparmor sockets?


   1. Is there some kind of docs which describe named stream socket armoring?
   Because I tried to armor named socket. AppArmor complains only about
   connection. But I cannot deny send/receive data through such socket. There
   is a lot of info about anonymous sockets on the Internet, though.
   2. So I tried anonymous datagram sockets. It is possible to deny
   send/receive and no data flow goes through the socket. And I have a
   question: is it possible to set up apparmor profile to complain every time
   when an app writes/reads from the socket?




2018-02-09 14:34 GMT+02:00 John Johansen :

> On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
> > Hi John,
> >
> > But even if upstream backport from 4.10 to 4.4 does not contain
> out-of-tree patches, Xenial 4.4 has sockets support (*and probably
> namespaces support too*).
> >
> > Or am I wrong?
> >
>
> correct for socket support, the network and af_unix mediation patches
> are not present in the backport.
>
> as I noted
> > the upstream backport series does not include the out of tree
> patches but those can be
> > obtained from the apparmor project tree in the kernel patches
> directory
> >
> > https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
>
> as for policy namespace support it has existed in various forms since
> apparmor was included in 2.6.36, it's just a matter of what interfaces
> are supported; the 4.11, 4.12, and 4.13 kernels each added support for
> newer interfaces and reworked apparmorfs to better support policy
> namespaces.
>
> Full support of apparmor policy around linux namespaces (mount, user,
> pid, ...) is still a wip
>
>
>
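Seth's excerpt of apparmor.d (quoted further up the thread) says that sockets with a filesystem path are mediated by file rules while abstract and anonymous sockets get `unix` rules, and both questions in this message (denying send/receive on a named socket, logging every read/write) follow from that split. The script below is an added example, not from the thread or the AppArmor project. Only `unix`, `deny unix` and the `profile p { unix, }` probe appear in the thread; the profile name, program path, socket names, the rule conditionals, the `audit` qualifier and the sample log records are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a profile applying the named-vs-abstract
# socket split, plus a filter for the audit records it produces. Profile name,
# program path, socket names and the sample log lines are made up.

# aa_example_profile: print a profile for a hypothetical client program.
aa_example_profile() {
    cat <<'EOF'
# Hypothetical program and socket names; adjust before loading.
profile example_unix_client /usr/local/bin/example-client {
  # Socket bound to a filesystem path: the kernel mediates it as a file, so
  # a file rule controls it and "deny unix" has no effect on it. audit logs
  # the permitted open/connect; individual send/receive calls on a path
  # socket are not mediated at all (the "only complains about connection"
  # behaviour described in the thread).
  audit /run/example/named.sock rw,

  # Abstract socket (name starts with @): mediated by unix rules, so each
  # send/receive can be controlled and, with audit, logged individually.
  audit unix (connect, send, receive) type=stream peer=(addr="@example-abstract"),

  # Anonymous (socketpair) datagram traffic, no address involved.
  unix (send, receive) type=dgram,

  # The program is a client only: refuse and log any attempt to serve.
  audit deny unix (bind, listen, accept),
}
EOF
}

# Constructed sample records shaped like AppArmor audit output as it shows up
# in dmesg; timestamps, pids and names are made up. The third record is a
# file event (no family="unix"): that is how the path socket appears.
SAMPLE_DMESG='audit: type=1400 audit(1518700000.101:11): apparmor="DENIED" operation="sendmsg" profile="example_unix_client" pid=4242 comm="example-client" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@example-abstract" peer="unconfined"
audit: type=1400 audit(1518700000.102:12): apparmor="AUDIT" operation="connect" profile="example_unix_client" pid=4242 comm="example-client" family="unix" sock_type="stream" protocol=0 requested_mask="connect" addr=none peer_addr="@example-abstract" peer="unconfined"
audit: type=1400 audit(1518700000.103:13): apparmor="AUDIT" operation="open" profile="example_unix_client" name="/run/example/named.sock" pid=4242 comm="example-client" requested_mask="wr" fsuid=1000 ouid=0'

# aa_unix_events [PROFILE]
# Read kernel log lines on stdin (dmesg, journalctl -k), keep the AppArmor
# records about unix-family sockets, optionally only those for PROFILE, and
# print one "<DENIED|AUDIT|ALLOWED> <operation> <profile>" line per record.
aa_unix_events() {
    grep 'apparmor="' | grep 'family="unix"' |
    { if [ -n "$1" ]; then grep -F "profile=\"$1\""; else cat; fi; } |
    sed -n 's/.*apparmor="\([A-Z]*\)".*operation="\([a-z_]*\)".*profile="\([^"]*\)".*/\1 \2 \3/p'
}

aa_example_profile
echo "--- unix socket events in the sample log ---"
printf '%s\n' "$SAMPLE_DMESG" | aa_unix_events example_unix_client
```

To log every access rather than only rule matches, load the profile in complain mode (`flags=(complain)` on the profile head, or `aa-complain`): non-matching operations are then allowed and audited instead of denied. Because dmesg is rate-limited, as Seth notes, read the records from auditd or the journal when you need a complete trail.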


Re: [apparmor] IPC and sockets

2018-02-09 Thread John Johansen
On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
> Hi John,
> 
> But even if upstream backport from 4.10 to 4.4 does not contain out-of-tree 
> patches, Xenial 4.4 has sockets support (*and probably namespaces support 
> too*).
> 
> Or am I wrong?
> 

correct for socket support, the network and af_unix mediation patches
are not present in the backport.

as I noted
> the upstream backport series does not include the out of tree patches but 
> those can be
> obtained from the apparmor project tree in the kernel patches directory
> 
> https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches 
> 


as for policy namespace support it has existed in various forms since
apparmor was included in 2.6.36, it's just a matter of what interfaces
are supported; the 4.11, 4.12, and 4.13 kernels each added support for
newer interfaces and reworked apparmorfs to better support policy
namespaces.

Full support of apparmor policy around linux namespaces (mount, user,
pid, ...) is still a wip





Re: [apparmor] IPC and sockets

2018-02-09 Thread Viacheslav Salnikov
Hi John,

But even if upstream backport from 4.10 to 4.4 does not contain out-of-tree
patches, Xenial 4.4 has sockets support (*and probably namespaces support
too*).

Or am I wrong?


2018-02-07 15:59 GMT+02:00 John Johansen :

> On 02/07/2018 04:32 AM, Viacheslav Salnikov wrote:
> > Hi guys,
> >
> > I checked out Ubuntu 16.04 and got this output:
> > $ cat /sys/kernel/security/apparmor/features/network/af_unix
> > yes
> >
> > But Ubuntu 16.04 is based on the 4.4 kernel
> > $ uname -a
> > Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018
> x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> > I cloned xenial kernel for investigation and af_unix is in the kernel.
> > Does it mean that somebody did the backport or what? Maybe you know
> about that.
> >
>
> yes ubuntu backported the 17.04 apparmor patches to the 4.4 kernel for
> 16.04. You can find
> the same basic backports against the upstream kernel at
>
> http://kernel.ubuntu.com/git/jj/linux-apparmor-backports/
>
> specifically the branch series
>
>   v4.10-aa3.6-backport-to-v4.X
>
> where X covers 4.0 .. 4.9
>
> there is also a v4.13 backport series, but it only backports 4.13 apparmor
> to 4.12, 4.11, and 4.10
>
>
> the upstream backport series does not include the out of tree patches but
> those can be
> obtained from the apparmor project tree in the kernel patches directory
>
> https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
> or from the ubuntu kernel git tree
>
> this comes with the standard disclaimer that out of tree patches and
> interfaces may change
> some as part of the upstreaming process
>


Re: [apparmor] IPC and sockets

2018-02-08 Thread Viacheslav Salnikov
Hi guys,

I checked out Ubuntu 16.04 and got this output:
$ cat /sys/kernel/security/apparmor/features/network/af_unix
yes

But Ubuntu 16.04 is based on the 4.4 kernel
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux


I cloned xenial kernel for investigation and af_unix is in the kernel.
Does it mean that somebody did the backport or what? Maybe you know about
that.

Best regards, Slava.


2017-12-14 11:55 GMT+02:00 Viacheslav Salnikov :

> Hello Seth and John,
>
> Thanks for your answers.
> 
> -
> It seems that used version of apparmor parser has support for unix sockets
> (I use 2.11):
>
> on this
> $ echo "profile p { unix, }" | apparmor_parser -Qd
>
> I got the following output
>
> Warning from stdin (line 1): apparmor_parser: cannot use or update
> cache, disable, or force-complain via stdin
> - Debugging built structures -
> Name:         p
> Profile Mode: Enforce
> unix (),
>
> 
> -
> Is it possible to back-port from v4.13 to the v4.4? There are a lot of
> changes.
> Well, it's not like I want you to do all the work for me, alright? Is it
> possible to cooperate on this one?
>
> I think that the main unix socket functionality was brought by this patch:
> https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch
>
> What else should be added to the kernel?
>
>
> 2017-12-08 22:37 GMT+01:00 John Johansen :
>
>> On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
>> > Hello,
>> >
>> > First of all, I googled and experimented. Didn't work out so well.
>> >
>> > I want to ensure that communication through unix socket is monitored by
>> apparmor.
>> > What should I do to make this happen?
>> >
>>
>> As Seth mentioned you will need a kernel, and userspace that supports
>> unix socket
>> mediation.
>>
>> AppArmor 2.11 (latest release) supports unix socket rules.
>>
>> The Ubuntu kernels have supported unix socket mediation in some form
>> since 14.10
>>
>> The patch does not currently exist in the upstream kernel but there is an
>> out of tree patchset available, in the kernel-patches/ directory of the
>> userspace project.
>>
>> You can find it in the release tarball, or gitlab.com/apparmor/apparmor
>>
>> you will want the v4.13 or v4.14 dir
>>
>>
>


Re: [apparmor] IPC and sockets

2018-02-07 Thread John Johansen
On 02/07/2018 04:32 AM, Viacheslav Salnikov wrote:
> Hi guys,
> 
> I checked out Ubuntu 16.04 and got this output:
> $ cat /sys/kernel/security/apparmor/features/network/af_unix
> yes
> 
> But Ubuntu 16.04 is based on the 4.4 kernel
> $ uname -a
> Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 
> x86_64 x86_64 GNU/Linux
> 
> 
> I cloned xenial kernel for investigation and af_unix is in the kernel.
> Does it mean that somebody did the backport or what? Maybe you know about 
> that.
> 

yes ubuntu backported the 17.04 apparmor patches to the 4.4 kernel for 16.04. 
You can find
the same basic backports against the upstream kernel at

http://kernel.ubuntu.com/git/jj/linux-apparmor-backports/

specifically the branch series

  v4.10-aa3.6-backport-to-v4.X

where X covers 4.0 .. 4.9

there is also a v4.13 backport series, but it only backports 4.13 apparmor to
4.12, 4.11, and 4.10


the upstream backport series does not include the out of tree patches but those 
can be
obtained from the apparmor project tree in the kernel patches directory

https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches

or from the ubuntu kernel git tree

this comes with the standard disclaimer that out of tree patches and interfaces 
may change
some as part of the upstreaming process



Re: [apparmor] IPC and sockets

2017-12-15 Thread Viacheslav Salnikov
Hello Seth and John,

Thanks for your answers.
-
It seems that used version of apparmor parser has support for unix sockets
(I use 2.11):

on this
$ echo "profile p { unix, }" | apparmor_parser -Qd

I got the following output

Warning from stdin (line 1): apparmor_parser: cannot use or update cache,
disable, or force-complain via stdin
- Debugging built structures -
Name:         p
Profile Mode: Enforce
unix (),

-
Is it possible to back-port from v4.13 to the v4.4? There are a lot of
changes.
Well, it's not like I want you to do all the work for me, alright? Is it
possible to cooperate on this one?

I think that the main unix socket functionality was brought by this patch:
https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch

What else should be added to the kernel?


2017-12-08 22:37 GMT+01:00 John Johansen :

> On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
> > Hello,
> >
> > First of all, I googled and experimented. Didn't work out so well.
> >
> > I want to ensure that communication through unix socket is monitored by
> apparmor.
> > What should I do to make this happen?
> >
>
> As Seth mentioned you will need a kernel, and userspace that supports unix
> socket
> mediation.
>
> AppArmor 2.11 (latest release) supports unix socket rules.
>
> The Ubuntu kernels have supported unix socket mediation in some form since
> 14.10
>
> The patch does not currently exist in the upstream kernel but there is an
> out of tree patchset available, in the kernel-patches/ directory of the
> userspace project.
>
> You can find it in the release tarball, or gitlab.com/apparmor/apparmor
>
> you will want the v4.13 or v4.14 dir
>
>


Re: [apparmor] IPC and sockets

2017-12-15 Thread John Johansen
On 12/14/2017 01:55 AM, Viacheslav Salnikov wrote:
> Hello Seth and John,
> 
> Thanks for your answers.
> -
> It seems that used version of apparmor parser has support for unix sockets (I 
> use 2.11):
> 
> on this
> $ echo "profile p { unix, }" | apparmor_parser -Qd
> 
> I got the following output
> Warning from stdin (line 1): apparmor_parser: cannot use or update
> cache, disable, or force-complain via stdin
> - Debugging built structures -
> Name:         p
> Profile Mode: Enforce
> unix (),
> 
> -
> Is it possible to back-port from v4.13 to the v4.4? There are a lot of 
> changes.
> Well, it's not like I want you to do all the work for me, alright? Is it 
> possible to cooperate on this one?
> 
> I think that the main unix socket functionality was brought by this patch:
> https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch
> 
> What else should be added to the kernel?
> 
> 
the change set is huge, the unix socket patch depends on the network patch and 
the core label mediation rework.

That is not to say that a backport isn't possible. I have done several (all the 
way back to 3.0 for one set), and there are plans to do a new backport but I 
just haven't had time yet.

There is a backports tree, 
http://kernel.ubuntu.com/git/jj/linux-apparmor-backports/ but it does not take 
the newest patches back to 4.4 (4.13 back to 4.10 is the newest). Hopefully we 
will be able to get a new backport set together soon.



Re: [apparmor] IPC and sockets

2017-12-08 Thread John Johansen
On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
> Hello,
> 
> First of all, I googled and experimented. Didn't work out so well.
> 
> I want to ensure that communication through unix socket is monitored by 
> apparmor.
> What should I do to make this happen?
> 

As Seth mentioned you will need a kernel, and userspace that supports unix 
socket
mediation.

AppArmor 2.11 (latest release) supports unix socket rules.

The Ubuntu kernels have supported unix socket mediation in some form since 14.10

The patch does not currently exist in the upstream kernel but there is an
out of tree patchset available, in the kernel-patches/ directory of the
userspace project.

You can find it in the release tarball, or gitlab.com/apparmor/apparmor

you will want the v4.13 or v4.14 dir




Re: [apparmor] IPC and sockets

2017-12-08 Thread Seth Arnold
On Fri, Dec 08, 2017 at 06:20:01PM +0200, Viacheslav Salnikov wrote:
> I want to ensure that communication through unix socket is monitored by
> apparmor.
> What should I do to make this happen?

Hello Viacheslav,

This is actually slightly complicated to answer:

- Different kernels will have different kinds of mediation available.
  Hopefully this problem will be getting better in the future, but in the
  meantime, it's best to check the advertised features of the system in
  question:

  $ cat /sys/kernel/security/apparmor/features/network/af_unix
  yes

- Different parsers will have different kinds of mediation available. The
  easy test is to try:

  $ echo "profile p { unix, }" | apparmor_parser -Qd
  Warning from stdin (line 1): apparmor_parser: cannot use or update
  cache, disable, or force-complain via stdin
  - Debugging built structures -
  Name: p
  Profile Mode: Enforce
  unix (),

- Policy pinning via apparmor_parser's --features-file (-M) setting may
  influence what is actually compiled.

I hope this helps, please don't hesitate to ask for further help.

Thanks


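Seth's three checks (kernel feature file, parser probe, feature pinning with `-M`) are easy to script so they can be run on every host whose profiles are expected to mediate unix sockets. The script below is an added example, not from the thread or the AppArmor project: the sysfs path, the `yes` marker, the `profile p { unix, }` probe and the `-Q`, `-d` and `-M` parser options come from the thread, while the function names and the `AA_FEATURES_DIR` override are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): script the support checks Seth listed.
# AA_FEATURES_DIR can be pointed at a copy of the features tree for testing.

AA_FEATURES_DIR="${AA_FEATURES_DIR:-/sys/kernel/security/apparmor/features}"

# aa_kernel_feature DIR NAME
# Returns 0 when the kernel advertises NAME (a path below DIR such as
# network/af_unix) with the content "yes", 1 otherwise. A missing file means
# the running kernel does not carry that mediation at all.
aa_kernel_feature() {
    _file="$1/$2"
    [ -r "$_file" ] || return 1
    _value=$(head -n 1 "$_file" 2>/dev/null) || return 1
    [ "$_value" = "yes" ]
}

# aa_parser_supports_unix [FEATURES_FILE]
# Feeds the thread's one-rule profile to apparmor_parser -Qd and looks for
# the compiled "unix ()," rule in the debug dump. With FEATURES_FILE the
# parser is pinned to that feature set via -M, so the answer reflects what
# would be compiled for that kernel rather than the parser's maximum.
# Returns 0 if the rule compiles, 1 if it does not, 2 if no parser is found.
aa_parser_supports_unix() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    if [ -n "$1" ]; then
        _out=$(echo "profile p { unix, }" | apparmor_parser -Qd -M "$1" 2>&1)
    else
        _out=$(echo "profile p { unix, }" | apparmor_parser -Qd 2>&1)
    fi
    printf '%s\n' "$_out" | grep -q '^unix ('
}

# aa_unix_report DIR: human-readable summary of both checks.
aa_unix_report() {
    if aa_kernel_feature "$1" network/af_unix; then
        echo "kernel: af_unix mediation advertised"
    else
        echo "kernel: af_unix mediation NOT advertised (path sockets are still mediated as files)"
    fi
    if aa_parser_supports_unix; then
        echo "parser: unix rules compile"
    elif [ $? -eq 2 ]; then
        echo "parser: apparmor_parser not installed"
    else
        echo "parser: unix rules rejected (parser too old for this feature set?)"
    fi
}

aa_unix_report "$AA_FEATURES_DIR" || true
```

A kernel that advertises `af_unix` but a parser that rejects the rule (or the reverse) is the mismatch the thread keeps running into; pass the kernel's own features file to `aa_parser_supports_unix` when you need to know what a policy pinned with `-M` will actually contain.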


[apparmor] IPC and sockets

2017-12-08 Thread Viacheslav Salnikov
Hello,

First of all, I googled and experimented. Didn't work out so well.

I want to ensure that communication through unix socket is monitored by
apparmor.
What should I do to make this happen?

Hope you will help me with that.

Thanks.