diff --git a/docs/apparmor.d.pod b/docs/apparmor.d.pod index bef3bf7dc..caf1ae95c 100644 --- a/docs/apparmor.d.pod +++ b/docs/apparmor.d.pod @@ -72,27 +72,6 @@ B = (non-whitespace characters, must start with '/', B have s B = ( 'r' | 'w' | 'l' | 'ix' | 'ux' | 'px' ) I (not all combinations are allowed; see below.) -=begin comment - -XXX COMMENTED OUT UNTIL APPARMOR SUPPORTS NETDOMAIN - -B = ( 'tcp_connect' | 'tcp_accept' | 'udp_send' | 'udp_receive' ) [ ( 'to' I | 'from' I ) ] [ 'via' I ] (Obviously, at most one 'to' and at most one 'from' is allowed per line.) -= -=B = I '.' I '.' I '.' I [ '/' I ] [ ':' ( I | I ) ] - -B = [0-9]+ - -B = I [ I ... ] (CIDR notation) - -B = I [ I ... ] (0-65535, inclusive) - -B = I '-' I (low port, high port, inclusive) - -B = [a-z0-9]+ (name of interface; e.g., 'eth0') - -=end comment - - =back All resources and programs need a full path. There may be any number @@ -168,8 +147,7 @@ Discrete Profile execute entries. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's -profile, or losing the permissions of the current profile. This mode is -infrequently used. +profile, or losing the permissions of the current profile. =item B @@ -180,8 +158,8 @@ Inherit and Unconstrained execute entries. =item B -Allows the program to be able to create a link with this name -(including symlinks). When a link is created, the file that is being +Allows the program to be able to create a link with this name. +When a link is created, the file that is being linked to B have the same access permissions as the link being created (with the exception that the destination does not have to have link access.) 
@@ -227,77 +205,6 @@ will expand to one rule to match ab, one rule to match cd =back -=begin comment - -=head2 Network Rules - -AppArmor also performs mandatory per-process mediation of network -use, similar to tcp_wrappers (hosts_access(5)). Network access control -is handled a little differently than file system access control --- -a process only has network use mediated by AppArmor if there are any -network rules in the program's profile. - -All network rules accept specifications for a "from" address, a "to" -address, and an interface to use. Leaving a "from" or "to" address -unspecified is the same as using "0.0.0.0" --- a wildcard equivalent to -INADDR_ANY. Leaving the ports unspecified for a "from" or "to" address -is equivalent to using the range 0-65535. - -=over 4 - -=item B - -is required if a program must be able to use accept(2) to -accept an incoming TCP session setup handshake. An incoming connection -that does not match any of the loaded rules is rejected; if no accept -rule is loaded, the accept(2) system call is quickly rejected with --EACCES. If the process is allowed to perform an accept(2), rejected -connections do NOT cause an error out of the system call --- the -connection is simply dropped with an RST. - -=item B - -is required if a program must be able to use connect(2) to -initiate an outgoing TCP session setup handshake. An outgoing connection -that does not match any of the loaded rules is rejected with -EACCES. - -(It is a known issue that I does not mediate TCP session -setup when only a "via iface" is specified; read(2) and write(2) -mediation will still occur, so explicit data transfer is impossible.) - -=item B - -is required if a program must be able to use send(2), sendto(2), -sendmsg(2), or write(2) to communicate using a UDP socket. No outgoing -packet is sent, and -EACCES is returned to the process. - -(It is a known issue that I does not mediate outgoing UDP -packets when only a "via iface" rule is specified. 
If the socket is -connected, read(2) and write(2) mediation will still occur; however, -explicit data transfer is possible.) - -=item B - -is required if a program must be able to use recv(2), recvfrom(2), -recvmsg(2), or read(2) to communicate using a UDP socket. The incoming -packet is thrown away and no notice is sent to the communicating peer; -if no receive rule is loaded, the system calls are quickly rejected with --EACCES. If the process is allowed to receive, rejected packets do NOT -cause an error out of the system call --- the packet is simply dropped. - -=back - -Of special note is programs spawned by inetd(8), xinetd(8), tcpserver, -or similar programs; as the inetd will perform an accept(2) on behalf of -a configured service, the profile for inetd must include a I -rule that allows connections to the service. In addition, if the program -spawned by the inetd uses a different profile than the inetd (strongly -recommended), then the spawned program's profile must also include a -I or I rule, so that the short-circuit tests -may be satisfied. - -=end comment - =head2 #include mechanism AppArmor provides an easy abstraction mechanism to group common file 
@@ -321,40 +228,80 @@ descriptions of how some of the abstractions are used. =over 4 + +=item F + +Includes accesses to device files used for audio applications. + +=item F + +Includes access to files and services typically necessary for services +that perform user authentication. + =item F -includes files that should be readable and writable in all profiles. +Includes files that should be readable and writable in all profiles. -=begin comment +=item F -Note: this profile set is required by programs compiled with the -Immunix security toolchain - including StackGuard and FormatGuard. -(Should you need to write a profile that does not include network -rules, you may I<#include Eprogram-chunks/base-filesE>, -which is only the file portions of the F -abstraction.) - -=end comment - -=item F - -includes file rules to allow DNS, LDAP, NIS, SMB, user and group password -databases, services, and protocols lookups. +Includes many files used by bash; useful for interactive shells and +programs that call system(3). =item F -includes read and write access to the device files controlling the +Includes read and write access to the device files controlling the virtual console, sshd(8), xterm(1), etc. This abstraction is needed for many programs that interact with users. -=item F +=item F -includes write access to files used to maintain wtmp(5) and utmp(5) -databases, used with the w(1) and associated commands. +Includes access to fonts and the font libraries. + +=item F + +Includes read and write access to GNOME configuration files, as well as +read access to GNOME libraries. + +=item F + +Includes read and write access to KDE configuration files, as well as +read access to KDE libraries. =item F -includes file access rules needed for common kerberos clients. +Includes file access rules needed for common kerberos clients. + +=item F + +Includes file rules to allow DNS, LDAP, NIS, SMB, user and group password +databases, services, and protocols lookups. 
+ +=item F + +Includes read access to perl modules. + +=item F + +=item F + +=item F + +=item F + +=item F + +Some profiles for typical "user" programs will use these include files +to describe rights that users have in the system. + +=item F + +Includes write access to files used to maintain wtmp(5) and utmp(5) +databases, used with the w(1) and associated commands. + +=item F + +Includes read access to libraries, configuration files, X authentication +files, and the X socket. =back @@ -362,15 +309,15 @@ The abstractions stored in F are intended for use by specific program suites, and are not generally useful. -=begin comment - -most networking rules have been -placed in these files to facilitate better constraints. (The AppArmor -network policies allow communication with all IP addresses, and restrict -access to specific ports only. A system administrator may wish to allow -certain services to communicate only with specific subnets.) - -=end comment +Some of the abstractions rely on variables that are set in files in the +F directory. These variables are currently +B<@{HOME}> and B<@{HOMEDIR}>. Variables cannot be set in profile scope; +they can only be set before the profile. Therefore, any profiles that +use abstractions should either B<#include Etunables/globalE> or +otherwise ensure that B<@{HOME}> and B<@{HOMEDIR}> are set before +starting the profile definition. The autodep(8) and genprof(8) utilities +will automatically emit B<#include Etunables/globalE> in +generated profiles. =head1 EXAMPLE
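Review bot: in the first hunk (@@ -72,27 +72,6) the removed grammar for tcp_connect/tcp_accept/udp_send/udp_receive and the host, port, range and iface productions was already dead text behind =begin comment and the "XXX COMMENTED OUT UNTIL APPARMOR SUPPORTS NETDOMAIN" marker, and it also carried a stray "-=" line that would have been malformed POD had the comment ever been re-enabled, so dropping it is right. Since this was the only description of the planned network syntax in the tree, the commit message should say the text is recoverable from history rather than leaving a later reader to wonder why the rule grammar has no network productions.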
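Review bot: in the hunk at @@ -168,8 +147,7 the sentence "This mode is infrequently used." is removed with no replacement and nothing in the diff says why. If the claim was simply unsupported, say so in the commit message; if the mode is in fact commonly used now, the surviving text ("This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile, or losing the permissions of the current profile.") could add when it is preferred over the other execute modes so the reader still gets guidance on choosing one.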
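Review bot: in the hunk at @@ -180,8 +158,8 dropping "(including symlinks)" from the description of the link permission changes what the rule is documented to cover, but the new text does not say whether symlink creation is still mediated by it. Someone auditing a profile needs to know whether the link permission on a path governs symbolic links as well as hard links, so either keep the parenthetical or add an explicit sentence stating that symlinks are, or are not, covered by this permission.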
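Review bot: removing the commented-out "Network Rules" section in the hunk at @@ -227,77 +205,6 is consistent with the grammar removed in the first hunk, but it leaves the manual silent on network access. The deleted text described per-process network mediation that AppArmor does not yet provide (the block was marked as commented out until netdomain support exists), so add one sentence near the file-rule description stating that profiles do not currently mediate network use; otherwise an administrator may assume that a profile with no network rules blocks networking. The deleted inetd(8)/xinetd(8) paragraph was also the only place that explained the accept-on-behalf-of-the-service interaction; if network mediation is expected to return, note in the commit message where that text can be found in history.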
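Review bot: in the hunk at @@ -321,40 +228,80 "Includes accesses to device files used for audio applications." should read "Includes access to device files ..." to match the other entries. The five consecutive "=item F" entries that precede "Some profiles for typical "user" programs will use these include files to describe rights that users have in the system." share one description that does not say what distinguishes them; each abstraction should state what it grants (at least which class of files or access), because a profile author has to pick among them and this manual is the only place the difference is documented. Also capitalise "kerberos" as "Kerberos" in "Includes file access rules needed for common kerberos clients." now that the line is being rewritten anyway.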
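Review bot: in the hunk at @@ -362,15 +309,15 "These variables are currently B<@{HOME}> and B<@{HOMEDIR}>" hard-codes a list that will go stale as tunables are added; point the reader at the tunables directory as the authoritative list, or mark the two names as examples. The paragraph also says variables can only be set before the profile but not what happens when an abstraction that uses @{HOME} is included without the tunables file: a parse error at load time is safe, whereas silent non-expansion would change which paths the rule matches, so state the actual behaviour so profile authors know whether the mistake is caught when the profile is loaded.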