Thread: apparmor profiles

  1. #1
    Join Date
    Nov 2009
    Location
    Uruguay
    Posts
    737

    apparmor profiles

    Hi, can you help me to know if I understand it...

    I have the following profile:

    Code:
    # Last Modified: Fri Aug 20 16:19:21 2010
    # REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
    #include <tunables/global>
    
    /usr/bin/skype {
    #include <abstractions/audio>
    #include <abstractions/base>
    #include <abstractions/fonts>
    #include <abstractions/nameservice>
    
    
    deny owner /home/vampird/.mozilla/eclipse/ r,
    deny owner /home/vampird/.mozilla/extensions/ r,
    
    # lot of stuff...
    
    /dev/ r,
    /dev/video0 rw,
    /home/*/.ICEauthority r,
    /home/*/.Skype/ rw,
    /home/*/.Skype/** rwk,
    /home/*/.Xauthority r,
    /home/*/.config/Trolltech.conf rk,
    owner /home/*/.fontconfig/* m,
    /home/*/.fontconfig/* r,
    owner /home/*/.kde/share/config/kioslaverc r,
    owner /home/*/.kde4/share/config/kdeglobals rk,
    /home/*/.mozilla/ r,
    /home/*/.mozilla/firefox/ r,
    /home/*/.mozilla/firefox/*/ r,
    /home/*/.mozilla/firefox/*/bookmarkbackups/ r,
    /home/*/.mozilla/firefox/*/chrome/ r,
    /home/*/.mozilla/firefox/*/extensions/ r,
    /home/*/.mozilla/firefox/*/prefs.js r,
    /proc/interrupts r,
    /sys/devices/system/cpu/ r,
    /tmp/.ICE-unix/* w,
    /tmp/.X11-unix/X0 w,
    /usr/bin/skype mr,
    /usr/lib/qt4/plugins/iconengines/ r,
    /usr/lib/qt4/plugins/imageformats/ r,
    /usr/lib/qt4/plugins/imageformats/*.so mr,
    /usr/lib/qt4/plugins/inputmethods/ r,
    /usr/share/X11/XKeysymDB r,
    /usr/share/X11/locale/** r,
    /usr/share/fonts/** mr,
    /usr/share/icons/** r,
    /usr/share/skype/lang/skype_en.qm mr,
    /usr/share/skype/sounds/*.wav rk,
    /var/cache/libx11/compose/* r,
    
    }
    So, does the line "deny owner /home/vampird/.mozilla/eclipse/ r," deny
    Skype access to this directory?
    If the line "/home/*/.mozilla/ r," exists too, does Skype have access
    to this directory or not?

    --
    VampirD

    Microsoft Windows is like air conditioning
    Stops working when you open a window.

  2. #2
    Carlos E. R. NNTP User

    Re: apparmor profiles

    On 2010-08-20 21:32, VampirD wrote:
    > Hi, can you help me to know if I understand it...
    >
    > I have the follow profile:
    >
    > Code:
    > # Last Modified: Fri Aug 20 16:19:21 2010
    > # REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
    > #include <tunables/global>
    >
    > /usr/bin/skype {
    >   #include <abstractions/audio>
    >   #include <abstractions/base>
    >   #include <abstractions/fonts>
    >   #include <abstractions/nameservice>
    >
    >
    >   deny owner /home/vampird/.mozilla/eclipse/ r,
    >   deny owner /home/vampird/.mozilla/extensions/ r,
    >
    >   lot of stuff...
    ....
    > }
    >
    > so, the line "deny owner /home/vampird/.mozilla/eclipse/ r," deny access
    > to this directory to skype?


    Good question.

    AA has changed a lot, I no longer understand it. So I had a look at the man page (man "AppArmor"),
    saw a link to <http://forge.novell.com/modules/xfmod/project/?apparmor>, but it doesn't work. I
    don't know if this is because of the server shutdown that was announced for today, or because the AA
    project has switched to Ubuntu (yes, no kidding).


    I found some documentation here <http://www.novell.com/documentation/apparmor/>, but it is outdated
    (oS 10.3). I know where the current AA mail list is (https://lists.ubuntu.com/archives/apparmor/),
    but I don't see a link for documentation there - but I'm not very good at searching sites.

    I know that the PDFs or HTML for the AA documentation was included with the distro years ago, but
    I'm also unable to find it - perhaps because the servers are down.

    With "zypper se manual | less -S" I see lots of manuals, but not the one for AA. Searching
    for "books" doesn't find it either.


    Try "apparmor.d(5)", it seems to be the one that documents the syntax. But no mention of "owner".


    It appears that when Novell fired the AA team⁽¹⁾, they also took pains to remove further
    documentation. The packages are included, but nothing more. Ah, yes, there are some Yast modules,
    but... you can try the edit module, it has some help... But I don't know how current it is.




    ⁽¹⁾ <http://en.wikipedia.org/wiki/AppArmor>

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" GM (Elessar))

  3. #3
    Carlos E. R. NNTP User

    Re: apparmor profiles

    On 2010-08-20 21:32, VampirD wrote:
    > Hi, can you help me to know if I understand it...


    > deny owner /home/vampird/.mozilla/eclipse/ r,
    > deny owner /home/vampird/.mozilla/extensions/ r,
    > [/code]
    >
    > so, the line "deny owner /home/vampird/.mozilla/eclipse/ r," deny access
    > to this directory to skype?
    > if exist the line "/home/*/.mozilla/ r," too, skype have or not access
    > to this directory?



    I found some documentation:

    <https://apparmor.wiki.kernel.org/index.php/ProfileLanguage#Deny_rules>

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" GM (Elessar))
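
Added example (not part of any post in this thread, and not AppArmor's own matcher): a simplified Python model of how the file rules quoted in post #1 are evaluated. It assumes the documented profile semantics that a matching deny rule overrides any allow rule, that `owner` restricts a rule to files owned by the accessing user, and that `*` stops at `/` while `**` does not. The `BROAD` rule set adds a hypothetical allow rule to show the precedence case.

```python
import re

# Subset of the rules from post #1: (deny, owner_only, path_glob, perms)
RULES = [
    (True,  True,  "/home/vampird/.mozilla/eclipse/",    "r"),
    (True,  True,  "/home/vampird/.mozilla/extensions/", "r"),
    (False, False, "/home/*/.mozilla/",                  "r"),
    (False, False, "/home/*/.mozilla/firefox/",          "r"),
    (False, False, "/home/*/.mozilla/firefox/*/",        "r"),
    (False, False, "/home/*/.Skype/**",                  "rwk"),
]
# Hypothetical extra rule (not in the posted profile) that overlaps the denies.
BROAD = RULES + [(False, False, "/home/*/.mozilla/**", "r")]

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def decide(path, perm, is_owner, rules=RULES):
    """Return 'deny' (explicit rule), 'allow', or 'implicit-deny' (no match)."""
    allowed = False
    for deny, owner_only, glob, perms in rules:
        if perm not in perms or (owner_only and not is_owner):
            continue  # rule does not cover this permission or this user
        if glob_to_regex(glob).match(path):
            if deny:
                return "deny"  # deny wins regardless of rule order
            allowed = True
    return "allow" if allowed else "implicit-deny"

if __name__ == "__main__":
    eclipse = "/home/vampird/.mozilla/eclipse/"
    for label, rules in (("posted", RULES), ("broad", BROAD)):
        for owner in (True, False):
            print(label, "owner" if owner else "other", decide(eclipse, "r", owner, rules))
```

In this model `/home/*/.mozilla/ r,` matches only the `.mozilla` directory itself, so no allow rule in the posted subset reaches `.mozilla/eclipse/`; the deny rule matters once a broader allow such as the hypothetical `**` rule is present, and a deny on a path ending in `/` does not cover files inside that directory.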
