Include - Novell APPARMOR Admin Manual


Profile Components and Syntax
When a profile is created for a program, the program can only access
the files, modes, and POSIX capabilities specified in the profile. These
restrictions are in addition to the native Linux access controls.
Example:
To gain the capability CAP_CHOWN, the program must have both access to CAP_CHOWN under conventional Linux access controls (typically, be a root-owned process) and have "capability chown" in its profile. Similarly, to be able to write to the file /foo/bar, the program must have both the correct user ID and mode bits set in the file's attributes (see the chmod and chown man pages) and have "/foo/bar w" in its profile.
Attempts to violate Novell AppArmor rules are recorded in syslog. In many cases, Novell AppArmor rules will prevent an attack from working because necessary files are not accessible, and in all cases Novell AppArmor confinement bounds the damage that the attacker can do to the set of files permitted by Novell AppArmor.

#include

#includes are directives that pull in components of other Novell AppArmor profiles to simplify profiles. Include files procure access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile.
By default, the #include statement appends the beginning of the pathname to /etc/subdomain.d/, which is where it expects to find the include file. Unlike other profile statements (but similar to C programs), #include lines do not end with a comma.
Novell AppArmor provides two classes of #includes, Abstractions and Program Chunks, to assist you in profiling your applications.
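The following profile is an added example, not one shipped with Novell AppArmor or taken from this manual. It ties together the two mechanisms described above: a capability rule and a file rule (each of which only takes effect when conventional Linux access controls also allow the access), and an #include whose path is resolved relative to /etc/subdomain.d/. The program path /usr/local/bin/example-helper, the configuration and log file names, and the profile file name are assumptions chosen for illustration.

```apparmor
# Added example profile (not from the manual). Assumed to be saved as
# /etc/subdomain.d/usr.local.bin.example-helper on this release.
/usr/local/bin/example-helper {
  # Shared rules pulled in from another file. The path in angle brackets is
  # appended to /etc/subdomain.d/, so this resolves to
  # /etc/subdomain.d/abstractions/base. Note: no trailing comma on #include.
  #include <abstractions/base>

  # POSIX capability rule. CAP_CHOWN is only usable if the process also
  # holds it under normal Linux access controls (typically a root process);
  # the profile line alone does not grant it. Rules end with a comma.
  capability chown,

  # File rules: path followed by the access mode. The program must also
  # pass the ordinary owner/mode-bit check on each file (see chmod/chown).
  /foo/bar w,
  /etc/example-helper.conf r,
  /var/log/example-helper.log w,
}
```

Any access not listed (for example, a write to /etc/example-helper.conf, which is granted read-only above) is rejected and logged to syslog, which is the first place to look when a confined program fails unexpectedly: compare the rejected path and mode against the profile before deciding whether the rule set, or the program's behaviour, is what needs attention.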
Abstractions
Abstractions are #includes that are grouped by common application
tasks. These tasks include access to authentication mechanisms,
access to nameservice routines, common graphics requirements, and
system accounting, among others. Files listed in these abstractions
are specific to the named task; programs that require one of these files
19
