Re: [apparmor] IPC and sockets

2017-12-15 Thread Viacheslav Salnikov
Hello Seth and John,

Thanks for your answers.
It seems that the version of the apparmor parser I use has support for unix sockets
(I use 2.11):

on this

$ echo "profile p { unix, }" | apparmor_parser -Qd

I got the following output

Warning from stdin (line 1): apparmor_parser: cannot use or update cache,
disable, or force-complain via stdin
- Debugging built structures -
Name: p
Profile Mode: Enforce
unix (),

Is it possible to back-port from v4.13 to the v4.4? There are a lot of
changes.
Well, it's not like I want you to do all the work for me, alright? Is it
possible to cooperate on this one?

I think that the main unix socket functionality was brought by this patch:
https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch

What else should be added to the kernel?


2017-12-08 22:37 GMT+01:00 John Johansen <john.johan...@canonical.com>:

> On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
> > Hello,
> >
> > First of all, I googled and experimented. Didn't work out so well.
> >
> > I want to ensure that communication through unix socket is monitored by
> apparmor.
> > What should I do to make this happen?
> >
>
> As Seth mentioned you will need a kernel, and userspace that supports unix
> socket
> mediation.
>
> AppArmor 2.11 (latest release) supports unix socket rules.
>
> The Ubuntu kernels have supported unix socket mediation in some form since
> 14.10
>
> The patch does not currently exist in the upstream kernel but there is an
> out of tree patchset available, in the kernel-patches/ directory of the
> userspace project.
>
> You can find it in the release tarball, or gitlab.com/apparmor/apparmor
>
> you will want the v4.13 or v4.14 dir
>
>
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


[apparmor] AppArmor dependency on python

2017-11-17 Thread Viacheslav Salnikov
Hi guys,

I have a question about apparmor and its dependency from python.
I'm using it with Yocto, apparmor version is 2.11.0.

Except for aa-easyprof, does apparmor or its libraries and utilities use
python for something? I am talking not only about execution but also about
compilation, installation etc.

Thanks!


Re: [apparmor] AppArmor dependency on python

2017-11-20 Thread Viacheslav Salnikov
Hi Tyler and John,


> The majority of the profile manipulation tools are now written in python.

Could you please provide more detailed information about these tools? Like
a list, at least.

> $ (cd libraries/libapparmor && ./autogen.sh && ./configure \
>    && make && make check) && \
>   (cd binutils && make && make check) && \
>   (cd parser && make)

Thank you, I will try.


2017-11-17 21:06 GMT+02:00 Tyler Hicks <tyhi...@canonical.com>:

> On 11/17/2017 12:57 PM, John Johansen wrote:
> > On 11/17/2017 01:33 AM, Viacheslav Salnikov wrote:
> >> Hi guys,
> >>
> >> I have a question about apparmor and its dependency from python.
> >> I'm using it with Yocto, apparmor version is 2.11.0.
> >>
> >> Except for aa-easyprof, does apparmor or its libraries and utilities use
> >> python for something? I am talking not only about execution but also about
> >> compilation, installation etc.
> >>
> > the very base of apparmor, parser, libraries, some basic tools
> aa-enabled, aa-exec do not use python, this allows for minimal installs
> with very few dependencies.
>
> You should be able to build the library, parser, and binutils without
> Python. Your build commands would look something like:
>
> $ (cd libraries/libapparmor && ./autogen.sh && ./configure \
>    && make && make check) && \
>   (cd binutils && make && make check) && \
>   (cd parser && make)
>
> You won't be able to run `make check` in parser/ as some of the tests
> depend on Python (and some Perl).
>
> Tyler
>
>


[apparmor] IPC and sockets

2017-12-08 Thread Viacheslav Salnikov
Hello,

First of all, I googled and experimented. Didn't work out so well.

I want to ensure that communication through unix socket is monitored by
apparmor.
What should I do to make this happen?

Hope you will help me with that.

Thanks.


Re: [apparmor] IPC and sockets

2018-02-08 Thread Viacheslav Salnikov
Hi guys,

I checked out Ubuntu 16.04 and got this output:
$ cat /sys/kernel/security/apparmor/features/network/af_unix
yes

But Ubuntu 16.04 based on 4.4 kernel
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux


I cloned the xenial kernel for investigation and af_unix is in the kernel.
Does it mean that somebody did the backport or what? Maybe you know about
that.

Best regards, Slava.


2017-12-14 11:55 GMT+02:00 Viacheslav Salnikov <slavasalnik...@gmail.com>:

> Hello Seth and John,
>
> Thanks for your answers.
>
> It seems that the version of the apparmor parser I use has support for unix sockets
> (I use 2.11):
>
> on this
>
> $ echo "profile p { unix, }" | apparmor_parser -Qd
>
> I got the following output
>
> Warning from stdin (line 1): apparmor_parser: cannot use or update
> cache, disable, or force-complain via stdin
> - Debugging built structures -
> Name: p
> Profile Mode: Enforce
> unix (),
>
> Is it possible to back-port from v4.13 to the v4.4? There are a lot of
> changes.
> Well, it's not like I want you to do all the work for me, alright? Is it
> possible to cooperate on this one?
>
> I think that the main unix socket functionality was brought by this patch:
> https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch
>
> What else should be added to the kernel?
>
>
> 2017-12-08 22:37 GMT+01:00 John Johansen <john.johan...@canonical.com>:
>
>> On 12/08/2017 08:20 AM, Viacheslav Salnikov wrote:
>> > Hello,
>> >
>> > First of all, I googled and experimented. Didn't work out so well.
>> >
>> > I want to ensure that communication through unix socket is monitored by
>> apparmor.
>> > What should I do to make this happen?
>> >
>>
>> As Seth mentioned you will need a kernel, and userspace that supports
>> unix socket
>> mediation.
>>
>> AppArmor 2.11 (latest release) supports unix socket rules.
>>
>> The Ubuntu kernels have supported unix socket mediation in some form
>> since 14.10
>>
>> The patch does not currently exist in the upstream kernel but there is an
>> out of tree patchset available, in the kernel-patches/ directory of the
>> userspace project.
>>
>> You can find it in the release tarball, or gitlab.com/apparmor/apparmor
>>
>> you will want the v4.13 or v4.14 dir
>>
>>
>


Re: [apparmor] IPC and sockets

2018-02-13 Thread Viacheslav Salnikov
Thanks.

May I ask you another set of questions about apparmor sockets?


   1. Is there some kind of docs which describe named stream socket armoring?
   Because I tried to armor a named socket. AppArmor complains only about
   the connection. But I cannot deny sending/receiving data through such a
   socket. There is a lot of info about anonymous sockets on the Internet, though.
   2. So I tried anonymous datagram sockets. It is possible to deny
   send/receive and no data flow goes through the socket. And I have a
   question: is it possible to set up an apparmor profile to complain every
   time an app writes/reads from the socket?




2018-02-09 14:34 GMT+02:00 John Johansen <john.johan...@canonical.com>:

> On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
> > Hi John,
> >
> > But even if the upstream backport from 4.10 to 4.4 does not contain
> > out-of-tree patches, Xenial 4.4 has sockets support (and probably
> > namespaces support too).
> >
> > Or am I wrong?
> >
>
> correct for socket support, the network and af_unix mediation patches
> are not present in the backport.
>
> as I noted
> > the upstream backport series does not include the out of tree
> patches but those can be
> > obtained from the apparmor project tree in the kernel patches
> directory
> >
> > https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
>
> as for policy namespace support, it has existed in various forms since
> apparmor was included in 2.6.36; it's just a matter of what interfaces
> are supported. The 4.11, 4.12, and 4.13 kernels each added support for
> newer interfaces and reworked apparmorfs to better support policy
> namespaces.
>
> Full support of apparmor policy around linux namespaces (mount, user,
> pid, ...) is still a wip
>
>
>


Re: [apparmor] IPC and sockets

2018-02-09 Thread Viacheslav Salnikov
Hi John,

But even if the upstream backport from 4.10 to 4.4 does not contain out-of-tree
patches, Xenial 4.4 has sockets support (and probably namespaces support
too).

Or am I wrong?


2018-02-07 15:59 GMT+02:00 John Johansen <john.johan...@canonical.com>:

> On 02/07/2018 04:32 AM, Viacheslav Salnikov wrote:
> > Hi guys,
> >
> > I checked out Ubuntu 16.04 and got this output:
> > $ cat /sys/kernel/security/apparmor/features/network/af_unix
> > yes
> >
> > But Ubuntu 16.04 based on 4.4 kernel
> > $ uname -a
> > Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018
> x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> > I cloned xenial kernel for investigation and af_unit is in the kernel.
> > Does it mean that somebody did the backport or what? Maybe you know
> about that.
> >
>
> yes ubuntu backported the 17.04 apparmor patches to the 4.4 kernel for
> 16.04. You can find
> the same basic backports against the upstream kernel at
>
> http://kernel.ubuntu.com/git/jj/linux-apparmor-backports/
>
> specifically the branch series
>
>   v4.10-aa3.6-backport-to-v4.X
>
> where X covers 4.0 .. 4.9
>
> there is also a v4.13 backport series, but it only backports 4.13 apparmor to
> 4.12, 4.11, and 4.10
>
>
> the upstream backport series does not include the out of tree patches but
> those can be
> obtained from the apparmor project tree in the kernel patches directory
>
> https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
> or from the ubuntu kernel git tree
>
> this comes with the standard disclaimer that out of tree patches and
> interfaces may change
> some as part of the upstreaming process
>


Re: [apparmor] IPC and sockets

2018-02-16 Thread Viacheslav Salnikov
Many thanks, friends!

You gave me information I was looking for.

2018-02-15 21:37 GMT+02:00 John Johansen <john.johan...@canonical.com>:

> On 02/15/2018 07:21 AM, Viacheslav Salnikov wrote:
> > OK, let me be more specific:
> >
> > does AppArmor complain in dmesg about communication through the unix domain
> > sockets?
> >
> yes
>
> > All I've got is that AppArmor can restrict access to a named unix socket as a
> > file (because it is a file) without using "deny unix". Actually, deny
> > unix does not work for me with named sockets.
> >
> >
> currently the unix fs sockets can only be mediated as files without typing
> info. This will be extended, but there hasn't been a decision as to whether
> it is done through a file conditional
>
> something like
>
>   type=af_unix /foo rw,
>
> or whether it's through the socket rules
>
>
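Added here as an example (not code from the thread or the AppArmor project), this script checks the two prerequisites John names, a kernel exposing af_unix mediation and a parser that accepts `unix` rules, and emits a profile that treats a named socket as a file and an abstract socket with a unix rule, as discussed above. The profile name, socket path and abstract address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check kernel and parser support for
# unix socket mediation and emit a profile covering both socket kinds.
# Profile name, socket path and abstract address are constructed placeholders.

# Return 0 when the features tree at $1 reports af_unix mediation ("yes"),
# 1 otherwise. Pass /sys/kernel/security/apparmor/features on a live system.
aa_kernel_has_af_unix() {
    f="$1/network/af_unix"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "yes" ]
}

# Emit a profile for a constructed client:
#  - the filesystem (named) socket is mediated as a file, so a file rule on
#    its path is what controls access to it;
#  - the abstract socket @example-daemon is mediated by a unix rule, and the
#    audit qualifier logs the operations that rule allows, which is the
#    closest fit to "complain every time the app reads/writes".
aa_unix_profile() {
    cat <<'EOF'
profile example_unix_client {
  # named (filesystem) socket: file rule on the socket path
  /run/example/daemon.sock rw,
  # abstract socket: unix rule, audited so allowed traffic is logged too
  audit unix (connect, send, receive) type=stream peer=(addr=@example-daemon),
}
EOF
}

# Feed the profile through apparmor_parser -Qd as the thread does; returns 0
# if the installed parser accepts it, 2 if no parser is installed.
aa_parser_accepts_unix() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    aa_unix_profile | apparmor_parser -Qd >/dev/null 2>&1
}

if aa_kernel_has_af_unix /sys/kernel/security/apparmor/features; then
    echo "kernel: af_unix mediation available"
else
    echo "kernel: no af_unix mediation (out-of-tree patches needed)"
fi
if aa_parser_accepts_unix; then
    echo "parser: unix rules accepted"
fi
```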


Re: [apparmor] IPC and sockets

2018-02-15 Thread Viacheslav Salnikov
OK, let me be more specific:

does AppArmor complain in dmesg about communication through the unix domain
sockets?

All I've got is that AppArmor can restrict access to a named unix socket as a
file (because it is a file) without using "deny unix". Actually, deny unix
does not work for me with named sockets.