apparmor profiles

Hi, can you help me to know if I understand it…

I have the following profile:


# Last Modified: Fri Aug 20 16:19:21 2010
# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
#include <tunables/global>

/usr/bin/skype {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>


deny owner /home/vampird/.mozilla/eclipse/ r,
deny owner /home/vampird/.mozilla/extensions/ r,

lot of stuff...

/dev/ r,
/dev/video0 rw,
/home/*/.ICEauthority r,
/home/*/.Skype/ rw,
/home/*/.Skype/** rwk,
/home/*/.Xauthority r,
/home/*/.config/Trolltech.conf rk,
owner /home/*/.fontconfig/* m,
/home/*/.fontconfig/* r,
owner /home/*/.kde/share/config/kioslaverc r,
owner /home/*/.kde4/share/config/kdeglobals rk,
/home/*/.mozilla/ r,
/home/*/.mozilla/firefox/ r,
/home/*/.mozilla/firefox/*/ r,
/home/*/.mozilla/firefox/*/bookmarkbackups/ r,
/home/*/.mozilla/firefox/*/chrome/ r,
/home/*/.mozilla/firefox/*/extensions/ r,
/home/*/.mozilla/firefox/*/prefs.js r,
/proc/interrupts r,
/sys/devices/system/cpu/ r,
/tmp/.ICE-unix/* w,
/tmp/.X11-unix/X0 w,
/usr/bin/skype mr,
/usr/lib/qt4/plugins/iconengines/ r,
/usr/lib/qt4/plugins/imageformats/ r,
/usr/lib/qt4/plugins/imageformats/*.so mr,
/usr/lib/qt4/plugins/inputmethods/ r,
/usr/share/X11/XKeysymDB r,
/usr/share/X11/locale/** r,
/usr/share/fonts/** mr,
/usr/share/icons/** r,
/usr/share/skype/lang/skype_en.qm mr,
/usr/share/skype/sounds/*.wav rk,
/var/cache/libx11/compose/* r,

}

So, does the line “deny owner /home/vampird/.mozilla/eclipse/ r,” deny skype access
to this directory?
If the line “/home/*/.mozilla/ r,” exists too, does skype have access
to this directory or not?


VampirD

Microsoft Windows is like air conditioning
Stops working when you open a window.

On 2010-08-20 21:32, VampirD wrote:
> Hi, can you help me to know if I understand it…
>
> I have the following profile:
>
>


> # Last Modified: Fri Aug 20 16:19:21 2010
> # REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
> #include <tunables/global>
>
> /usr/bin/skype {
>   #include <abstractions/audio>
>   #include <abstractions/base>
>   #include <abstractions/fonts>
>   #include <abstractions/nameservice>
>
>
>   deny owner /home/vampird/.mozilla/eclipse/ r,
>   deny owner /home/vampird/.mozilla/extensions/ r,
>
>   lot of stuff...

....

> }
> 

>
> So, does the line “deny owner /home/vampird/.mozilla/eclipse/ r,” deny skype access
> to this directory?

Good question.

AA has changed a lot, I no longer understand it. So I had a look at the man page (man “AppArmor”),
saw a link to <http://forge.novell.com/modules/xfmod/project/?apparmor>, but it doesn’t work. I
don’t know if this is because of the server shutdown that was announced for today, or because the AA
project has switched to Ubuntu (yes, no kidding).

I found some documentation here <http://www.novell.com/documentation/apparmor/>, but it is outdated
(oS 10.3). I know where the current AA mail list is (https://lists.ubuntu.com/archives/apparmor/),
but I don’t see a link for documentation there - but I’m not very good at searching sites.

I know that the PDFs or HTML for the AA documentation were included with the distro years ago, but
I’m also unable to find them - perhaps because the servers are down.

With “zypper se manual | less -S” I see lots of manuals, but not the one for AA. Searching
for “books” doesn’t find it either.

Try “apparmor.d(5)”, it seems to be the one that documents the syntax. But no mention of “owner”.

It appears that when Novell fired the AA team⁽¹⁾, they also took pains to remove further
documentation. The packages are included, but nothing more. Ah, yes, there are some Yast modules,
but… you can try the edit module, it has some help… But I don’t know how current it is.

⁽¹⁾ <http://en.wikipedia.org/wiki/AppArmor>


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))

On 2010-08-20 21:32, VampirD wrote:
> Hi, can you help me to know if I understand it…

> deny owner /home/vampird/.mozilla/eclipse/ r,
> deny owner /home/vampird/.mozilla/extensions/ r,
>


>
> So, does the line "deny owner /home/vampird/.mozilla/eclipse/ r," deny skype access
> to this directory?
> If the line "/home/*/.mozilla/ r," exists too, does skype have access
> to this directory or not?


I found some documentation:

<https://apparmor.wiki.kernel.org/index.php/ProfileLanguage#Deny_rules>

--
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" GM (Elessar))
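
The precedence asked about in this thread, as an added example that is not part of any post: a simplified Python model of AppArmor file-rule matching (not AppArmor's own matcher), run over a subset of the rules shown in the profile. It assumes the documented semantics that a matching deny rule overrides allow rules, that `*` does not cross `/` while `**` does, and that `owner` limits a rule to files owned by the task's fsuid; `decide` and its return strings are hypothetical names.

```python
import re

# Subset of the rules from the profile in the question; elided rules and
# the included abstractions are not modelled.
RULES = [
    "deny owner /home/vampird/.mozilla/eclipse/ r,",
    "deny owner /home/vampird/.mozilla/extensions/ r,",
    "/home/*/.mozilla/ r,",
    "/home/*/.mozilla/firefox/ r,",
    "/home/*/.Skype/** rwk,",
]

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def parse(rule):
    """Split '[deny] [owner] PATH PERMS,' into its parts."""
    words = rule.rstrip(",").split()
    deny = words[0] == "deny"
    words = words[1:] if deny else words
    owner = words[0] == "owner"
    words = words[1:] if owner else words
    path, perms = words
    return deny, owner, glob_to_regex(path), set(perms)

def decide(path, perm, is_owner, rules=RULES):
    """Return 'deny' (explicit), 'allow', or 'no rule' (refused in enforce mode)."""
    verdict = "no rule"
    for deny, owner, rx, perms in map(parse, rules):
        if perm not in perms or not rx.match(path):
            continue
        if owner and not is_owner:
            continue          # owner rules apply only when the task owns the file
        if deny:
            return "deny"     # a matching deny rule wins over any allow rule
        verdict = "allow"
    return verdict
```

In this model `/home/*/.mozilla/ r,` matches only the `.mozilla` directory itself, so it grants nothing on `.mozilla/eclipse/` with or without the deny rule.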