Re: [apparmor] Query about AppArmor's Profile Transitions

2019-10-07 Thread Abhishek Vijeev
Hi Christian, We have successfully setup Full System Policy. You're right, we're looking for full system confinement with profiles for specific programs, and a default profile for everything else. I'm not sure if this is directly possible since we don't have 'pcx' transitions at the moment. Tha

Re: [apparmor] Query about AppArmor's Profile Transitions

2019-10-02 Thread Abhishek Vijeev
rsection of 'program' and 'default'. Since 'default' is highly restrictive, this would result in the intersection of the 2 profiles becoming highly restrictive as well. From: Seth Arnold Sent: Tuesday, 01 October 2019 23:47 To: Abhi

[apparmor] Query about AppArmor's Profile Transitions

2019-10-01 Thread Abhishek Vijeev
g for a way by which we can specify the following policy: 'look for a specific profile, but if one doesn't exist, look for a child profile, otherwise inherit the current profile'. Are there any challenges to implementing this? Also, is this a feature that is planned for rel

Re: [apparmor] Help with AppArmor Full System Policy

2019-08-23 Thread Abhishek Vijeev
Thanks a lot for clarifying this, Seth. From: Seth Arnold Sent: 23 August 2019 05:48:52 To: Abhishek Vijeev Cc: apparmor@lists.ubuntu.com ; Rakesh Rajan Beck Subject: Re: [apparmor] Help with AppArmor Full System Policy On Wed, Aug 21, 2019 at 06:10:30AM

[apparmor] Help with AppArmor Full System Policy

2019-08-20 Thread Abhishek Vijeev
Hi, We have successfully confined init according to documentation on this page: https://gitlab.com/apparmor/apparmor/wikis/FullSystemPolicy, and verified that it is working with the help of ps -auxZ. Currently, we are trying to confine system daemons/services. But sometimes the confinement d

[apparmor] AppArmor Child Profiles

2019-08-13 Thread Abhishek Vijeev
Hi, We're looking for some help with respect to AppArmor child profiles. In a scenario where 'parent_process' spawns (fork and exec) a number of child processes, we would like to achieve the following - if a profile exists for any child process, use it. Otherwise, don't inherit the parent's

Re: [apparmor] Questions about AppArmor's Kernel Code

2019-07-31 Thread Abhishek Vijeev
ure what caused the null pointer de-reference (as suggested by the log file) since I have an explicit check against this. Is there a better way to obtain the destination IP address from struct msghdr *msg? From: Seth Arnold Sent: 31 July 2019 03:55:08 To: Abh

Re: [apparmor] Questions about AppArmor's Kernel Code

2019-07-30 Thread Abhishek Vijeev
To: Abhishek Vijeev ; apparmor@lists.ubuntu.com Cc: Rakesh Rajan Beck Subject: Re: [apparmor] Questions about AppArmor's Kernel Code I haven't tested if this is the cause of your failure but it could very well be + // Custom code begin + + if (unpack_nameX(e,

Re: [apparmor] Questions about AppArmor's Kernel Code

2019-07-29 Thread Abhishek Vijeev
code to function aa_free_profile( ) that frees the allocated memory From: John Johansen Sent: 27 July 2019 00:10:14 To: Abhishek Vijeev ; apparmor@lists.ubuntu.com Cc: Rakesh Rajan Beck Subject: Re: [apparmor] Questions about AppArmor's Kernel Code On 7/26/19 5

Re: [apparmor] Questions about AppArmor's Kernel Code

2019-07-29 Thread Abhishek Vijeev
Oh alright I understand, thank you Casey. From: Casey Schaufler Sent: 26 July 2019 21:59 To: Abhishek Vijeev ; apparmor@lists.ubuntu.com Cc: Rakesh Rajan Beck Subject: Re: [apparmor] Questions about AppArmor's Kernel Code On 7/26/2019 5:56 AM, Abh

[apparmor] Questions about AppArmor's Kernel Code

2019-07-26 Thread Abhishek Vijeev
Hi, I have a few questions about AppArmor's kernel code and would be grateful if you could kindly answer them. 1) Why does AppArmor maintain two separate security blobs in cred->security as well as task-security for processes? For a simple project that requires associating a security context

Re: [apparmor] Questions about AppArmor's Code

2019-06-19 Thread Abhishek Vijeev
Thank you very much. On Jun 19 2019, at 12:26 pm, John Johansen wrote: On 6/18/19 10:08 PM, Abhishek Vijeev wrote: Hi, I think I now understand the meaning of 'mediation points aren't in process context'. I've been trying to use Netfilter hooks to confine a process' n

Re: [apparmor] Questions about AppArmor's Code

2019-06-18 Thread Abhishek Vijeev
the network packet cannot be traced back to the process from which it originated. Since you mentioned mechanisms to cope with this, could you briefly list them? Thank you. On Jun 13 2019, at 5:48 pm, Abhishek Vijeev wrote: On Jun 13 2019, at 3:07 am, Seth Arnold wrote: On Wed, Jun 12,

Re: [apparmor] Questions about AppArmor's Code

2019-06-13 Thread Abhishek Vijeev
On Jun 13 2019, at 3:07 am, Seth Arnold wrote: On Wed, Jun 12, 2019 at 12:32:53PM +, Abhishek Vijeev wrote: Hi, I have a few questions about AppArmor's code and would be grateful if you could kindly answer them. [I've stripped your urls of some get-mail-spring style link

[apparmor] Questions about AppArmor's Code

2019-06-12 Thread Abhishek Vijeev
Hi, I have a few questions about AppArmor's code and would be grateful if you could kindly answer them. 1) The documentation at this link https://gitlab.com/apparmor/apparmor/wikis/AppArmor_Core_Policy_Reference#address-expr

Re: [apparmor] Help with extending struct aa_profile

2019-06-07 Thread Abhishek Vijeev
On Jun 7 2019, at 12:48 am, John Johansen wrote: On 6/6/19 1:21 AM, Abhishek Vijeev wrote: Hi, I'm looking for some help with modifying AppArmor's kernel code. Kindly let me know whether this is the right forum for such discussions (as I didn't think it would be appropriate

[apparmor] Help with extending struct aa_profile

2019-06-06 Thread Abhishek Vijeev
Hi, I'm looking for some help with modifying AppArmor's kernel code. Kindly let me know whether this is the right forum for such discussions (as I didn't think it would be appropriate to ask for help via the 'Issues' tab on GitLab). Onto my problem. Basically, I'm trying to add a custom field t