File permission access modes consist of combinations of the following modes:
|
Read mode |
|
Write mode (mutually exclusive to |
|
Append mode (mutually exclusive to |
|
File locking mode |
|
Link mode |
|
Link pair rule (cannot be combined with other access modes) |
Allows the program to have read access to the resource. Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump.
Allows the program to have write access to the resource. Files must have this permission if they are to be unlinked (removed).
Allows a program to write to the end of a file. In contrast to the
w
mode, the append mode does not include the ability
to overwrite data, to rename, or to remove a file. The append permission
is typically used with applications who need to be able to write to log
files, but which should not be able to manipulate any existing data in
the log files. As the append permission is just a subset of the
permissions associated with the write mode, the w
and
a
permission flags cannot be used together and are
mutually exclusive.
The application can take file locks. Former versions of AppArmor allowed files to be locked if an application had access to them. By using a separate file locking mode, AppArmor makes sure locking is restricted only to those files which need file locking and tightens security as locking can be used in several denial of service attack scenarios.
The link mode mediates access to hard links. When a link is created, the target file must have the same access permissions as the link created (with the exception that the destination does not need link access).
The link mode grants permission to create links to arbitrary files,
provided the link has a subset of the permissions granted by the target
(subset permission test). By specifying origin and destination, the link
pair rule provides greater control over how hard links are created. Link
pair rules by default do not enforce the link subset permission test
that the standard rules link permission requires. To force the rule to
require the test the subset
keyword is used. The
following rules are equivalent:
/link l, link subset /link -> /**,
Currently link pair rules are not supported by YaST and the command line tools. Manually edit your profiles to use them. Updating such profiles using the tools is safe, because the link pair entries will not be touched. |
The file rules can be extended so that they can be conditional upon the
the user being the owner of the file (the fsuid has to match the file's
uid). For this purpose the owner
keyword is prepended
to the rule. Owner conditional rules accumulate just as regular file
rules.
owner /home/*/** rw
When using file ownership conditions with link rules the ownership test is done against the target file so the user must own the file to be able to link to it.
Precedence of Regular File Rules | |
---|---|
Owner conditional rules are considered a subset of regular file rules. If a regular file rule overlaps with an owner conditional file rule, the resultant permissions will be that of the regular file rule. |
Deny rules can be used to annotate or quiet known rejects. The profile
generating tools will not ask about a known reject treated with a deny
rule. Such a reject will also not show up in the audit logs when denied,
keeping the log files lean. If this is not desired, prepend the deny
entry with the keyword audit
.
It is also possible to use deny rules in combination with allow rules. This allows to specify a broad allow rule, and then subtract a few known files that should not be allowed. Deny rules can also be combined with owner rules, to deny files owned by the user. The following example allows read/write access to everything in a users directory except write access to the .ssh/ files:
deny /home/*/.ssh/** w, /home/*/** rw,
The extensive use of deny rules is generally not encouraged, because it makes it much harder to understand what a profile does. However a judicious use of deny rules can simplify profiles. Therefore the tools only generate profiles denying specific files and will not make use of globbing in deny rules. Manually edit your profiles to add deny rules using globbing. Updating such profiles using the tools is safe, because the deny entries will not be touched.