AppArmorPolicyNamespaceInterfaces


Related Documents

AppArmor Policy Table of Contents

AppArmor Policy Namespaces Table of Contents

Interfaces

Limitations

  • AppArmor 3.5
    • apparmor/policy is not virtualized
    • /sys/module/apparmor/parameters/* are not virtualized

Interface virtualization

The profile introspection and management interfaces are virtualized to the current namespace view of the task doing profile management or introspection.


Low level Interfaces

Policy Namespaces via policy interface

Policy Load

 dd bs=size if=file of=/sys/kernel/security/apparmor/{.load/.replace}

If the user is capable of administering policy, an AppArmor policy namespace can be created by loading a profile into it.

 apparmor_parser -n namespace profile

Or, if a profile has a namespace specification as part of its definition, the profile can simply be loaded:

 # cat profile
 profile :ns:A {
   ..
 }
 # apparmor_parser profile

Removing a namespace

If the user is capable of administering policy, an AppArmor policy namespace can be removed by echoing the namespace name into the low level .remove interface.

 echo -n "ns_name" >/sys/kernel/security/apparmor/.remove

Creating a Policy Namespace via the fs

Limitation: This first became available in AppArmor 3.6

A new child policy namespace can be created by doing mkdir in the namespaces directory in apparmorfs.

 mkdir /sys/kernel/security/apparmor/policy/namespaces/new_ns


Removing a Policy Namespace via the fs

Limitation: This first became available in AppArmor 3.6

A child policy namespace can be removed by doing rmdir in the namespaces directory in apparmorfs.

 rmdir /sys/kernel/security/apparmor/policy/namespaces/child_ns

TODO: recursive delete

Effect of removing a policy namespace if tasks are still confined by policy in it

The removal of a policy namespace removes all of its profiles. If tasks are still confined by profiles in the namespace when it is removed, their confinement is modified depending on each task's confinement in the parent namespace. If the task is confined by the parent namespace, the profiles from the deleted namespace are dropped. If, however, the task is not confined by the parent namespace, the profiles from the deleted namespace are replaced by the default profile of the parent namespace.

E.g., given a root namespace with profiles A and B and a default profile of D, and a namespace ns1 with profile X: when :ns1: is removed, X will be removed or replaced based on :ns1:'s parent, the root namespace.

 Task1 is confined by
    A//&:ns1:X
 Since Task1 is confined by the profile A in the root namespace, X is dropped from the confinement, resulting in a new confinement of
    A
 Task2 is confined by
    :ns1:X
 Since Task2 is not confined by a profile in the root namespace, the profile X is replaced by the default profile D of the root namespace.
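
The removal rule above can be checked before a namespace is deleted. The following shell sketch is an added example, not part of the original wiki page or of AppArmor itself: the function names, the "PID LABEL" input format and the sample tasks are constructed for illustration, and it assumes labels are stacks joined by `//&` as in the example above.

```shell
#!/bin/sh
# Added example: the removal rule above applied to task labels.
# Assumed label form: components joined by "//&"; ":ns:profile" is a profile
# in child namespace ns, any other component is in the parent namespace.
SEP='//&'

# label_after_ns_removal LABEL NS PARENT_DEFAULT
# Prints the confinement LABEL becomes once namespace NS is removed.
# Returns 2 for components of some other namespace (the rule does not say).
label_after_ns_removal() {
    rest=$1
    kept=""
    while [ -n "$rest" ]; do
        case $rest in
            *"$SEP"*) part=${rest%%"$SEP"*}; rest=${rest#*"$SEP"} ;;
            *)        part=$rest; rest="" ;;
        esac
        case $part in
            ":$2:"*) ;;                               # in the removed namespace: dropped
            :*)      return 2 ;;                      # another namespace: out of scope
            *)       kept=${kept:+$kept$SEP}$part ;;  # parent-namespace profile stays
        esac
    done
    # Nothing left from the parent namespace: fall back to its default profile.
    printf '%s\n' "${kept:-$3}"
}

# audit_ns_removal NS PARENT_DEFAULT   (reads "PID LABEL" lines on stdin)
# Prints one line per task whose confinement would change.
audit_ns_removal() {
    while read -r pid label; do
        if new=$(label_after_ns_removal "$label" "$1" "$2"); then
            [ "$new" = "$label" ] || printf '%s %s -> %s\n' "$pid" "$label" "$new"
        else
            printf '%s %s -> not covered by the rule\n' "$pid" "$label"
        fi
    done
}

# Constructed sample: the two tasks from the text plus two unaffected ones.
audit_ns_removal ns1 D <<'EOF'
101 A//&:ns1:X
102 :ns1:X
103 B
104 A//&B
EOF
```

Task 102 is the case to look for before removing a namespace: it ends up under the parent's default profile instead of the policy written for it.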

Setting Namespace properties

View

owner

Using Namespaces in policy

Policy Transitions within a namespace

Transitioning to a new namespace

Policy Namespace Example

Limitations

As of AppArmor kernel module 3.5, namespaces only support a local view; they do not support sharing a root. That is


Creating Namespaces

Specifying Namespaces in Policy