2012-03-20 11:45:13 -07:00
|
|
|
# This publication is intellectual property of Canonical Ltd. Its contents
|
|
|
|
|
# can be duplicated, either in part or in whole, provided that a copyright
|
|
|
|
|
# label is visibly located on each copy.
|
|
|
|
|
#
|
|
|
|
|
# All information found in this book has been compiled with utmost
|
|
|
|
|
# attention to detail. However, this does not guarantee complete accuracy.
|
|
|
|
|
# Neither Canonical Ltd, the authors, nor the translators shall be held
|
|
|
|
|
# liable for possible errors or the consequences thereof.
|
|
|
|
|
#
|
|
|
|
|
# Many of the software and hardware descriptions cited in this book
|
|
|
|
|
# are registered trademarks. All trade names are subject to copyright
|
|
|
|
|
# restrictions and may be registered trade marks. Canonical Ltd
|
|
|
|
|
# essentially adheres to the manufacturer's spelling.
|
|
|
|
|
#
|
|
|
|
|
# Names of products and trademarks appearing in this book (with or without
|
|
|
|
|
# specific notation) are likewise subject to trademark and trade protection
|
|
|
|
|
# laws and may thus fall under copyright restrictions.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=pod
|
|
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
|
|
aa-exec - confine a program with the specified AppArmor profile
|
|
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
|
|
B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
|
|
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
|
|
B<aa-exec> is used to launch a program confined by the specified profile
|
|
|
|
|
and or namespace. If both a profile and namespace are specified command
|
|
|
|
|
will be confined by profile in the new policy namespace. If only a namespace
|
|
|
|
|
is specified, the profile name of the current confinement will be used. If
|
|
|
|
|
neither a profile or namespace is specified command will be run using
|
|
|
|
|
standard profile attachment (ie. as if run without the aa-exec command).
|
|
|
|
|
|
|
|
|
|
If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
|
|
|
|
|
by aa-exec then -- should be used to separate aa-exec arguments from the
|
|
|
|
|
command.
|
|
|
|
|
aa-exec -p profile1 -- ls -l
|
|
|
|
|
|
|
|
|
|
=head1 OPTIONS
|
|
|
|
|
B<aa-exec> accepts the following arguments:
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
=item -p PROFILE, --profile=PROFILE
|
|
|
|
|
|
|
|
|
|
confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
|
|
|
|
|
use the current profile name (likely unconfined).
|
|
|
|
|
|
|
|
|
|
=item -n NAMESPACE, --namespace=NAMESPACE
|
|
|
|
|
|
|
|
|
|
use profiles in NAMESPACE. This will result in confinement transitioning
|
|
|
|
|
to using the new profile namespace.
|
|
|
|
|
|
|
|
|
|
=item -i, --immediate
|
|
|
|
|
|
|
|
|
|
transition to PROFILE before doing executing I<E<lt>commandE<gt>>. This
|
|
|
|
|
subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
|
|
|
|
|
of the current profile.
|
|
|
|
|
|
|
|
|
|
=item -v, --verbose
|
|
|
|
|
|
|
|
|
|
show commands being performed
|
|
|
|
|
|
|
|
|
|
=item -d, --debug
|
|
|
|
|
|
|
|
|
|
show commands and error codes
|
|
|
|
|
|
|
|
|
|
=item --
|
|
|
|
|
|
|
|
|
|
Signal the end of options and disables further option processing. Any
|
|
|
|
|
arguments after the -- are treated as arguments of the command. This is
|
|
|
|
|
useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
|
|
|
|
|
aa-exec.
|
|
|
|
|
|
2012-04-11 11:16:47 -05:00
|
|
|
=back
|
|
|
|
|
|
2025-03-08 23:05:59 -08:00
|
|
|
=head1 RESTRICTIONS
|
|
|
|
|
|
|
|
|
|
aa-exec uses I<aa_change_profile(3)> to change application confinement.
|
|
|
|
|
The use of I<aa_change_profile(3)> may be restricted by policy in ways
|
|
|
|
|
that will cause failure or results different than expected.
|
|
|
|
|
|
|
|
|
|
Even when using I<aa-exec> from unconfined restrictions in policy can
|
|
|
|
|
causes failure or the confinement entered to be different than requested
|
|
|
|
|
|
|
|
|
|
See the unpriviled unconfined restriction documentation for more detail.
|
|
|
|
|
https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction
|
|
|
|
|
|
|
|
|
|
=head1 STACKING
|
|
|
|
|
|
|
|
|
|
aa-exec can be used to setup a stack of profiles as confinement. When an
|
|
|
|
|
application is confined by a stack, all profiles in the stack are checked
|
|
|
|
|
as if they were the profile confining the application. The resulting
|
|
|
|
|
mediation is the intersection of what is allowed by each profile in the
|
|
|
|
|
stack.
|
|
|
|
|
|
|
|
|
|
The profiles in a stack are treated independently. Each profile can have
|
|
|
|
|
its own flags and profile transitions. During an exec each profile gets
|
|
|
|
|
to specify its transition and the results brought together to form a
|
|
|
|
|
new canonicalized stack.
|
|
|
|
|
|
|
|
|
|
The profile separator indicating a stack is the character sequence I<//&>.
|
|
|
|
|
Thus a stack can be expressed using
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
$ aa-exec -p "unconfined//&firefox" -- bash
|
|
|
|
|
$ ps -Z
|
|
|
|
|
LABEL PID TTY TIME CMD
|
|
|
|
|
unconfined 30714 pts/12 00:00:00 bash
|
|
|
|
|
firefox//&unconfined (unconfined) 31160 pts/12 00:00:00 bash
|
|
|
|
|
firefox//&unconfined (unconfined) 31171 pts/12 00:00:00 ps
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=head1 NAMESPACES
|
|
|
|
|
|
|
|
|
|
aa-exec can be used to enter confinement in another policy namespace
|
|
|
|
|
if the policy namespaces exists, is visible, and the profile exists in
|
|
|
|
|
the namespace. Note applications launched within the namespace will
|
|
|
|
|
not be able to exit the namespace, and may be restricted by additional
|
|
|
|
|
confinement around namespacing. Files and resources visible to the
|
|
|
|
|
parent that launches the application may not be visible in the policy
|
2025-03-18 22:06:57 +01:00
|
|
|
namespace resulting in access denials.
|
2025-03-08 23:05:59 -08:00
|
|
|
|
|
|
|
|
To enter a policy namespace the profile is prefixed with the namespace's
|
|
|
|
|
name, using a I<:> prefix and suffix.
|
|
|
|
|
|
|
|
|
|
Eg.
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
$ aa-exec -p :ex1:unconfined -- bash
|
|
|
|
|
$ ps -Z
|
|
|
|
|
LABEL PID TTY TIME CMD
|
|
|
|
|
- 30714 pts/12 00:00:00 bash
|
|
|
|
|
unconfined 34372 pts/12 00:00:00 bash
|
|
|
|
|
unconfined 34379 pts/12 00:00:00 ps
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
Confinement of processes outside of the namespace may not be visible
|
|
|
|
|
in which case the confinement will be represented with a -. If policy
|
|
|
|
|
is stacked only part of the confinement might be visible. However
|
|
|
|
|
confinement is usually fully visible from the parent policy namespace.
|
|
|
|
|
|
|
|
|
|
Eg. the confinement of the child can be queried in the parent to see
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
$ ps -Z 34372
|
|
|
|
|
LABEL PID TTY STAT TIME COMMAND
|
|
|
|
|
:ex1:unconfined 34372 pts/12 S+ 0:00 bash
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
And in the case of stacking with namespaces
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
$ aa-exec -p "unconfined//&:ex1:unconfined" -- bash
|
|
|
|
|
$ ps -Z
|
|
|
|
|
LABEL PID TTY TIME CMD
|
|
|
|
|
- 30714 pts/12 00:00:00 bash
|
|
|
|
|
unconfined 36298 pts/12 00:00:00 bash
|
|
|
|
|
unconfined 36305 pts/12 00:00:00 ps
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
while from the parent namespace the full confinement can be seen
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
$ ps -Z 36298
|
|
|
|
|
LABEL PID TTY STAT TIME COMMAND
|
|
|
|
|
unconfined//&:ex1:unconfined 36298 pts/12 S+ 0:00 bash
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
2012-03-20 11:45:13 -07:00
|
|
|
=head1 BUGS
|
|
|
|
|
|
|
|
|
|
If you find any bugs, please report them at
|
2020-05-02 20:40:55 -07:00
|
|
|
L<https://gitlab.com/apparmor/apparmor/-/issues>
|
2012-03-20 11:45:13 -07:00
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
2025-03-08 23:05:59 -08:00
|
|
|
apparmor(7), apparmor.d(5), aa_change_profile(3),
|
2018-09-13 16:28:22 +00:00
|
|
|
aa_change_onexec(3) and L<https://wiki.apparmor.net>.
|
2012-03-20 11:45:13 -07:00
|
|
|
|
|
|
|
|
=cut
|
