User manual NOVELL APPARMOR QUICK START CARD

[. . . ] Profiles and confinement are applied to any application started after this command was executed. Processes already running at the time AppArmor is started continue to run unconfined. 1 Manually activating enforce mode (using the command line) removes mode flags from the top of the profile /bin/foo flags=(complain) becomes /bin/foo. If the specified program is not an absolute path, genprof searches the $PATH variable. [. . . ] Program chunks are access controls for specific programs that a system administrator might want to control based on local site policy. When used in a profile, these variables expand to a value that can be changed without changing the entire profile. Therefore your profiles become portable to different environments. Capability Entries (POSIX. 1e) Capabilities statements are simply the word "capability" followed by the name of the POSIX. 1e capability as defined in the capabilities(7) man page. Rules: General Options for Files and Directories Option read write link file locking File r w l k file append (mutually exclusive to w) a Rules: Link Pair The link mode grants permission to create links to arbitrary files, provided the link has a subset of the permissions granted by the target (subset permission test). By specifying origin and destination, the link pair rule provides greater control over how hard links are created. Link pair rules by default do not enforce the link subset permission test that the standard rules link permission requires. The following rules are equivalent: /link l, link subset /link -> /**, Local Variables Local variables are defined at the head of a profile. Use local variables to create shortcuts for paths, for example to provide the base for a chrooted path: @{CHROOT_BASE}=/tmp/foo /sbin/syslog-ng { . . . # chrooted applications @{CHROOT_BASE}/var/lib/*/dev/log w, @{CHROOT_BASE}/var/log/** w, . . . } Rules: Denying rules AppArmor provides deny rules which are standard rules but with the keyword deny prepended. They are used to remember known rejects, and quiet them so the reject messages don't fill up the log files. For more information see Part "Confining Privileges with Novell AppArmor" (Security Guide). Aliases Alias rules provide an alternative form of path rewriting to using variables, and are done post variable resolution: alias /home/ -> /mnt/users/ 3 Rules: Owner Conditional Rules The file rules can be extended so that they can be conditional upon the the user being the owner of the file. Owner conditional rules accumulate just as regular file rules and are considered a subset of regular file rules. If a regular file rule overlaps with an owner conditional file rule, the resultant permissions will be that of the regular file rule. /some/random/example/* r Allow read access to files in the /some/random/ example directory. /some/random/example/** r Give read access to files and directories under /some/ random/example. /some/random/example/**[^/] r Give read access to files under /some/random/ example. To spare users from specifying similar paths all over again, AppArmor supports basic globbing: Glob * ** ?[ abc ] [ a-c ] { ab, cd } [ ^a ] Description Substitutes for any number of characters, except /. Substitutes for any character except a. Rules: Defining Execute Permissions For executables that may be called from the confined programs, the profile creating tools ask you for an appropriate mode, which is also reflected directly in the profile itself: Option Inherit Profile File ix px Description Stay in the same (parent's) profile. Avoid running programs in unconstrained or unconfined mode for security reasons. allow PROT_EXEC with mmap(2) calls Local profile cx Unconstrained ux Allow Exem cutable Mapping WARNING: Running in ux Mode Avoid running programs in ux mode as much as possible. A program running in ux mode is not only totally unprotected by AppArmor, but child processes inherit certain environment variables from the parent that might influence the child's execution behavior and create possible security risks. For more information about the different file execute modes, refer to the apparmor. d(5) man page. [. . . ] By reproducing, duplicating or distributing this manual you explicitly agree to conform to the terms and conditions of this license agreement. This manual may be freely reproduced, duplicated and distributed either as such or as part of a bundled package in electronic and/or printed format, provided however that the following conditions are fulfilled: 5 That this copyright notice and the names of authors and contributors appear clearly and distinctively on all reproduced, duplicated and distributed copies. That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. [. . . ]