key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
around carat symbols and commas in file rules, and basic permission
modes first testcases from jjohansen@suse.de.
Acked-By: Steve Beattie <steve@nxnw.org>
<mathiaz@ubuntu.com> [Message-ID: <20070813201254.GD11381@mathias.mathiaz.net>]
Added comments to both file-skipping locations referencing the other
location that needs to be modified.
(The ideal solution would be for this information to be stored in one
commonly referenced location, configurable by distributors and
administratrors.)
Turkish has 4 letter "I"s. English has only two, a lowercase dotted i and an
uppercase dotless I. Turkish has lowercase and uppercase forms of both dotted
and dotless I. So tolower(I) != i and toupper(i) != I for us.
Althought this situation is not a apparmor bug (sed can't convert these
properly) its directly affected. But these must locale independent. So
please apply following simple patch to solve this issue.
Acked-By: Steve Beattie <sbeattie@suse.de>
Acked-By: Steve Beattie <sbeattie@suse.de>
Support placing the permission modes first before the pathname. This
makes things somewhat more consistent with other types of permissions
(capability [specific_cap], network [stuff], etc.).
