[opensuse-packaging] AppArmor features/changes for openSUSE10.3
Hi All, Below is an overview of changes/features for AppArmor in the openSUSE 10.3 release. ------------------------------------------- Profile Language Features/Changes: ------------------------------ o File Locking Mediation Mediation of advisory and mandatory file locking by applications has been added with this release. This feature introduces a new permission character "k" in the profile language to indicate that the specified resource is allowed to perform the relevant locking operation. o File Append Mediation Mediation of appending writes has been added. This feature introduces a new permission character "a" to indicated this operation is allowed. The "a" permission is mutually exclusive to the "w" permission, i.e. the a given rule may include "w" or "a" but not both. o Network Mediation Coarse grained network access control has been added to this release. This feature allows mediation of network access based on address type and family. syntax 'network' [[<domain>] [<type>] [<protocol>]] ',' The protocol specification is very limited and in the general case 'network <domain> <type>' will be emitted by the module in access denied messages, and output by the profile generation tools. <domain> = "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25", "inet6", "rose", "netbeui", "security", "key", "packet", "ash", "econet", "atmsvc", "sna", "irda", "pppox", "wanpipe", "bluetooth", The domains "llc", "iucv", "tipc" are currently mediated but can not be specified. Too allow them wide open networking must be used. ie the rule network, this will be fixed <type> = "stream", "dgram", "seqpacket", "rdm", "raw", "packet" The type "dccp" is currently not allowed but this will get fixed <protocol> = "tcp", "udp", "icmp" eg. network, # allow all networking network inet, # allow use of all inet networking network inet stream, # allow tcp network inet tcp, # dito network tcp, # allow inet and inet6 tcp, Note: The tools currently support family and type specification only. This however fully supports the feature as only type and family are emitted by the module and allows full generation of profiles to mediate network behavior supported by the module. o Modification to Directory handling New syntax to distinguish directories from files. The previous behavior made no explicit handling for directories. The new kernel module makes access to directories explicit and distinguished by the addition of a trailing '/' to a rule that identifies it as a directory. Old Behavior: /path/to/somewhere r, # Gives read access to the path # whether a file or directory /path/to/somewhere/* r, # Read access to all files and directories # in /path/to/somewhere /path/to/somewhere/** r, # Read access to all files and directories # under /path/to/somewhere New Behavior: /path/to/somewhere/* r, # Gives read access to files in the directory /path/to/somewhere/ r, # Gives read access to the directory # element only /path/**/ r, # Gives read access to all directory entries # under /path /path/to/somewhere/** r, # Gives access to files and directories under # /path/to/somewhere o Message format changes The messages emitted by the AppArmor kernel module have changed in this relase. These changes make AppArmor more consistent with standard usage of the Linux Audit Framework and utilize the message typing available to make log file parsing and the profile management tool development less complex. The updated message format utlizes the following message (operation) types: #define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */ #define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */ #define AUDIT_APPARMOR_DENIED 1503 #define AUDIT_APPARMOR_HINT 1504 /* Process Tracking information */ #define AUDIT_APPARMOR_STATUS 1505 /* Changes in config */ #define AUDIT_APPARMOR_ERROR 1506 /* Internal AppArmor Errors */ Other data is provided in the body of the message in name value pairs. The AppArmor module will still default to syslog if the Linux Audit Framework infrastructure is not availalble. o Modification to change_hat The reporting of chang_hat related events and information has changed. The log messages and profile state (as available via /proc/<pid>/attr/current) are reported as: /profile//hat This change should be transparent to most users from the last release. o Minor Syntax Bug Fixes: * The '^' character can now be properly used in pathnames and character classes. /foo[^b] # used to be broken /foo[ and hat b] even if it was # in a file rule instead of specifying a profile now it is handled # correctly * The , character is no longer a valud character in a filename in the case it is the last character before whitespace: /foo,bar #valid /foobar, #invalid o Change Profile Feature A new change_profile policy specification was added. Change_profile is similar to change_hat but allows changing to any profile (including hats), not just hats. The restriction is that the profiles that can be changed to must be specified. To change to a hat via change_profile instead of change_hat the hat name is specified by separating the profile and hat_name with // syntax 'change_profile' <profile> ',' eg. change_profile /bin/foo, #allow change_profile to /bin/foo change_profile /bin/foo//hat # allow change_profile to ^hat in /bin/foo Note: this feature is not configurable via the profiling tools. Userspace Changes ----------------- o AppArmor LAF dispatcher for DBUS A dispatcher for the Linux Audit Framework that sends AppArmor events to consumer applications via DBUS message bus. This must be configured via the auditd.conf file in order to be registered as a dispatcher for audit events. For more info: https://forgesvn1.novell.com/svn/apparmor/trunk/management/apparmor-dbus/REA... o AppArmor logparsing library A library which provides an api to access AppArmor data from system log files. The library supports the Linux Audit Framework format and the standard syslog format. o Support for Network Repository for profile storage The AppArmor profile tools now interact with local and remote repositories of profiles to supply the user with profiles when profiles are needed for applications and to allow central storage of AppArmor profiles accross multiple machines. * Selecting profiles from a repository: The user is prompted to select a profile from one or more users in the network repository or from the local inactive profile repository (/etc/apparmor/profiles/extras). * Storing profiles in a repository The user has the option of storing profiles in a remote repository. The user is reqiured to supply a username, password, and email address to create/access an account on the repository server and then the new/changed profiles can be stored on the remote server. o AppArmor Desktop Applet for Gnome A desktop applet for gnome that AppArmor events via dbus. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-packaging+help@opensuse.org
participants (1)
-
Dominic Reynolds