AppArmor knows four different types of profiles: standard profiles,
unattached profiles, local profiles and hats. Standard and unattached
profiles are stand-alone profiles, each stored in a file under
/etc/apparmor.d/
. Local profiles and hats are
children profiles embedded inside of a parent profile used to provide
tighter or alternate confinement for a subtask of an application.
The default AppArmor profile is attached to a program by its name, so a profile name has to match the path to the application it is to confine.
/usr/bin/foo { ... }
This profile will be automatically used whenever an unconfined process
executes /usr/bin/foo
.
Unattached profiles do not reside in the file system namespace and
therefore are not automatically attached to an application. The name of
an unattached profile is preceded by the keyword
profile
. You can freely choose a profile name, except
for the following limitations: the name must not begin with a
:
or .
character. If it contains
whitespace, it must be quoted. If the name begins with a
/
, the profile is considered to be a standard
profile, so the following two profiles are identical:
profile /usr/bin/foo { ... } /usr/bin/foo { ... }
Unattached profiles are never used automatically, nor can they be
transitioned to through a px
rule. They need to be
attached to a program by either using a named profile transition (see
Section 2.8.7, “Named Profile Transitions”) or with the
change_profile
rule (see
Section 2.2.5, “Change rules”).
Unattached profiles are useful for specialized profiles for system
utilities that generally should not be confined by a system wide profile
(for example, /bin/bash
). They can also be used to
set up roles or to confine a user.
Local profiles provide a convenient way to provide specialized
confinement for utility programs launched by a confined application.
They are specified just like standard profiles except they are embedded
in a parent profile and begin with the profile
keyword:
/parent/profile { ... profile local/profile { ... } }
To transition to a local profile, either use a cx
rule (see Section 2.8.2, “Discrete Local Profile Execute Mode (cx)”) or a named
profile transition (see
Section 2.8.7, “Named Profile Transitions”).
AppArmor "hats" are a local profiles with some additional restrictions
and an implicit rule allowing for change_hat
to be
used to transition to them. Refer to Chapter 6, Profiling Your Web Applications Using ChangeHat for a
detailed description.
AppArmor provides change_hat
and
change_profile
rules that control domain
transitioning. change_hat
are specified by defining
hats in a profile, while change_profile
rules refer
to another profile and start with the keyword
change_profile
:
change_profile /usr/bin/foobar,
Both change_hat
and change_profile
provide for an application directed profile transition, without having
to launch a separate application. change_profile
provides a generic one way transition between any of the loaded
profiles. change_hat
provides for a returnable parent
child transition where an application can switch from the parent profile
to the hat profile and if it provides the correct secret key return to
the parent profile at a later time.
change_profile
is best used in situations where an
application goes through a trusted setup phase and then can lower its
privilege level. Any resources mapped or opened during the start-up
phase may still be accessible after the profile change, but the new
profile will restrict the opening of new resources, and will even limit
some of the resources opened before the switch. Specifically memory
resources will still be available while capability and file resources
(as long as they are not memory mapped) can be limited.
change_hat
is best used in situations where an
applications runs a virtual machine or an interpreter that does not
provide direct access to the applications resources (e.g. Apache's
mod_php
). Since change_hat
stores
the return secret key in the application's memory the phase of reduced
privilege should not have direct access to memory. It is also important
that file access is properly separated, since the hat can restrict
accesses to a file handle but does not close it. If an application does
buffering and provides access to the open files with buffering, the
accesses to these files may not be seen by the kernel and hence not
restricted by the new profile.
Safety of Domain Transitions | |
---|---|
The |