Execute modes, also named profile transitions, consist of the following modes:

  px  Discrete profile execute mode
  cx  Discrete local profile execute mode
  ux  Unconstrained execute mode
  ix  Inherit execute mode
  m   Allow PROT_EXEC mapping with mmap(2)
The discrete profile execute mode (px) requires that a discrete security profile is defined for a resource executed at an AppArmor domain transition. If there is no profile defined, the access is denied.
Using the Discrete Profile Execute Mode
Incompatible with Ux, ux, Px, and ix.
As px, but instead of searching the global profile set, cx only searches the local profiles of the current profile. This profile transition provides a way for an application to have alternate profiles for helper applications.
Limitations of the Discrete Local Profile Execute Mode (cx)
Currently, cx transitions are limited to top level profiles and cannot be used in hats and children profiles. This restriction will be removed in the future.
Incompatible with Ux, ux, Px, px, Cx, and ix.
The unconstrained execute mode (ux) allows the program to execute the resource without any AppArmor profile applied to the executed resource. This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information about what is constrained, see the apparmor(7) man page.
Using Unconstrained Execute Mode (ux)
Use
This mode is incompatible with Ux, px, Px, and ix.
The clean exec modes allow the named program to run in px, cx and ux mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. The clean exec modes are specified with an uppercase letter: Px, Cx and Ux. See the man page of ld.so(8) for some information about setuid and setgid environment scrubbing.
ix prevents the normal AppArmor domain transition on execve(2) when the profiled program executes the named program. Instead, the executed resource inherits the current profile.
This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile. There is no version to scrub the environment because ix executions do not change privileges.
Incompatible with cx, ux, and px. Implies m.
The m mode allows a file to be mapped into memory using mmap(2)'s PROT_EXEC flag. This flag marks the pages executable. It is used on some architectures to provide non-executable data pages, which can complicate exploit attempts. AppArmor uses this mode to limit which files a well-behaved program (or all programs on architectures that enforce non-executable memory access controls) may use as libraries, to limit the effect of invalid -L flags given to ld(1) and of LD_PRELOAD and LD_LIBRARY_PATH given to ld.so(8).
By default the px and cx (and their clean exec variants, too) transition to a profile whose name matches the executable name. With named profile transitions, you can specify a profile to be transitioned to. This is useful if multiple binaries should share a single profile, or if they should use a different profile than their name would specify. Named profile transitions can be used in conjunction with cx, Cx, px and Px.
Currently there is a limit of twelve named profile transitions per profile.
Named profile transitions use -> to indicate the name of the profile that should be transitioned to:

  /usr/bin/foo {
    /bin/** px -> shared_profile,
    ...
    /usr/*bash cx -> local_profile,
    ...
    profile local_profile {
      ...
    }
  }
Difference Between Normal and Named Transitions
When used with globbing, normal transitions provide a “one to many” relationship. Named transitions provide a “many to one” relationship: all programs that match the rule regardless of their name will transition to the specified profile.
Named profile transitions show up in the log as having the mode
The px and cx transitions specify a hard dependency: if the specified profile does not exist, the exec will fail. With the inheritance fallback, the execution will succeed but inherit the current profile. To specify inheritance fallback, ix is combined with cx, Cx, px and Px into the modes cix, Cix, pix and Pix. The fallback modes can be used with named profile transitions, too.
When choosing one of the Px, Cx or Ux execution modes, take into account that the following environment variables are removed from the environment before the child process inherits it. As a consequence, applications or processes relying on any of these variables no longer work if the profile applied to them carries Px, Cx or Ux flags:
GCONV_PATH
GETCONF_DIR
HOSTALIASES
LD_AUDIT
LD_DEBUG
LD_DEBUG_OUTPUT
LD_DYNAMIC_WEAK
LD_LIBRARY_PATH
LD_ORIGIN_PATH
LD_PRELOAD
LD_PROFILE
LD_SHOW_AUXV
LD_USE_LOAD_BIAS
LOCALDOMAIN
LOCPATH
MALLOC_TRACE
NLSPATH
RESOLV_HOST_CONF
RES_OPTIONS
TMPDIR
TZDIR
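The rules stated above (which execute modes may be combined, where named transitions and cx are allowed, the limit of twelve named transitions, what the fallback modes do when a profile is missing, and which variables a clean exec removes) can be checked mechanically before a profile is loaded. The following checker is an added example written for this page; it is not AppArmor's own parser and accepts only a simplified rule grammar. The function names (check_profile, resolve_transition, scrub_environment) and the sample profile, with its paths and profile names, are constructed for the illustration.

```python
"""Lint AppArmor execute-mode rules and show what a clean exec scrubs (added
example, not AppArmor's parser: it encodes the rules stated in the text for a
simplified profile grammar; every function and sample name is this example's own)."""
import re
from dataclasses import dataclass

# Variables removed before the child inherits the environment under Px/Cx/Ux.
SCRUBBED_ENV_VARS = frozenset({
    "GCONV_PATH", "GETCONF_DIR", "HOSTALIASES", "LD_AUDIT", "LD_DEBUG",
    "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK", "LD_LIBRARY_PATH", "LD_ORIGIN_PATH",
    "LD_PRELOAD", "LD_PROFILE", "LD_SHOW_AUXV", "LD_USE_LOAD_BIAS", "LOCALDOMAIN",
    "LOCPATH", "MALLOC_TRACE", "NLSPATH", "RESOLV_HOST_CONF", "RES_OPTIONS",
    "TMPDIR", "TZDIR"})
# Modes the text defines; any other mix (pxix, uix, ...) is an incompatible combination.
VALID_MODES = frozenset({"px", "Px", "cx", "Cx", "ux", "Ux", "ix", "pix", "Pix", "cix", "Cix"})
MAX_NAMED_TRANSITIONS = 12  # stated limit per profile
# Simplified rule grammar "<path> <perms> [-> target],"; perms = file perms plus an exec mode.
RULE_RE = re.compile(r"^(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+)\s*(?:->\s*(?P<target>\S+))?\s*,$")
MODE_RE = re.compile(r"^[rwmlk]*(?P<mode>[A-Za-z]*x)?$")


@dataclass
class ExecRule:
    line: int
    path: str
    mode: str       # e.g. "px", "Cix"
    target: str     # profile named after "->", or "" for a normal transition
    in_child: bool  # rule sits inside a nested profile or hat block

    @property
    def base(self) -> str:  # p, c, u or i
        return self.mode[0].lower() if self.mode[0] in "pPcCuU" else "i"
    @property
    def clean(self) -> bool:  # uppercase first letter: environment is scrubbed
        return self.mode[0].isupper()
    @property
    def fallback(self) -> bool:  # pix/Pix/cix/Cix: inherit when the profile is missing
        return self.base in "pc" and "i" in self.mode


def parse_profile(text: str) -> list:
    """Collect exec rules, tracking block depth so nested profiles are recognised."""
    rules, depth = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif (m := RULE_RE.match(line)) and (pm := MODE_RE.match(m["perms"])) and pm["mode"]:
            rules.append(ExecRule(lineno, m["path"], pm["mode"], m["target"] or "", depth > 1))
    return rules  # non-exec rules, comments and "..." lines are skipped


def check_profile(text: str):
    """Return (rules, findings) after applying the compatibility and usage rules from the text."""
    rules, findings = parse_profile(text), []
    for r in rules:
        at = f"line {r.line}:"
        if r.mode not in VALID_MODES:
            findings.append(f"{at} '{r.mode}' is not a valid execute mode (px, cx, ux and ix are "
                            "mutually exclusive except as the fallback forms pix/Pix/cix/Cix)")
        elif r.target and r.base not in "pc":
            findings.append(f"{at} named transition '-> {r.target}' needs cx, Cx, px or Px, not {r.mode}")
        elif r.base == "c" and r.in_child:
            findings.append(f"{at} cx transitions are limited to top level profiles")
        elif r.base == "u":
            findings.append(f"{at} {r.mode} runs {r.path} with no AppArmor profile"
                            + ("" if r.clean else " and without scrubbing the environment"))
    if (named := sum(1 for r in rules if r.target)) > MAX_NAMED_TRANSITIONS:
        findings.append(f"{named} named transitions exceed the limit of {MAX_NAMED_TRANSITIONS} per profile")
    return rules, findings


def resolve_transition(rule: ExecRule, known_profiles: set) -> str:
    """Profile the child ends up in; known_profiles is assumed to be the set the mode
    searches (the global set for px, the current profile's local profiles for cx)."""
    if rule.base in "ui":
        return "unconfined" if rule.base == "u" else "inherit"
    name = rule.target or rule.path  # default: the profile named after the executable
    if name in known_profiles:
        return name
    return "inherit" if rule.fallback else "exec fails"  # fallback vs. hard dependency


def scrub_environment(env: dict, rule: ExecRule) -> dict:
    """Environment the child inherits: only the clean modes drop the listed variables."""
    return {k: v for k, v in env.items() if not (rule.clean and k in SCRUBBED_ENV_VARS)}


# Constructed sample profile; every path and profile name in it is made up.
SAMPLE_PROFILE = """\
/usr/bin/foo {
  /bin/** px -> shared_profile,
  /usr/*bash cx -> local_profile,
  /usr/bin/helper Pix,
  /usr/bin/ping rux,
  profile local_profile {
    /usr/bin/sub cx,
    /usr/bin/other ix -> somewhere,
  }
}
"""
```

Running check_profile(SAMPLE_PROFILE) reports three findings: the lowercase rux rule runs ping unconfined without scrubbing, the cx rule inside local_profile violates the top-level-only restriction, and the "ix -> somewhere" rule pairs a named transition with a mode that does not support it. resolve_transition shows the fallback difference: the Pix rule falls back to inheriting when no profile for /usr/bin/helper exists, while the px rule fails the exec unless shared_profile is loaded. scrub_environment applied to the Pix rule drops LD_PRELOAD from the child's environment, whereas the lowercase px rule passes it through unchanged.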