Include Statements - Novell APPARMOR 2.0.1 Administration Manual

Hide thumbs Also See for APPARMOR 2.0.1:

Administration manual (128 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

Table of Contents

between the access mode and the trailing comma is optional. A comprehensive

overview of the access modes available can be found in

sion Access Modes"

This variable expands to a value that can be changed without changing the entire

profile.

TIP: Using Variables in Profiles

With the current AppArmor tools, variables as presented in the above example

can only be used when manually editing and maintaining a profile.

A typical example when variables come in handy are network scenarios in which

user home directories are not mounted in the standard location /home/

username, but under a custom location. Find the variable definitions for this

use case (@{HOME} and @{HOMEDIRS}) in the /etc/apparmor.d/

tunables/home file.

When a profile is created for a program, the program can access only the files, modes,

and POSIX capabilities specified in the profile. These restrictions are in addition to the

native Linux access controls.

Example:

To gain the capability CAP_CHOWN, the program must have both access

to CAP_CHOWN under conventional Linux access controls (typically, be a root-owned

process) and have the capability chown in its profile. Similarly, to be able to write to

the file /foo/bar the program must have both the correct user ID and mode bits set

in the files attributes (see the chmod and chown man pages) and have /foo/bar

w in its profile.

Attempts to violate Novell AppArmor rules are recorded in /var/log/audit/

audit.log if the audit package is installed or otherwise in /var/log/messages.

In many cases, Novell AppArmor rules prevent an attack from working because neces-

sary files are not accessible and, in all cases, Novell AppArmor confinement restricts

the damage that the attacker can do to the set of files permitted by Novell AppArmor.

2.2 #include Statements

#include statements are directives that pull in components of other Novell AppArmor

profiles to simplify profiles. Include files fetch access permissions for programs. By

(page 69).

Section 4.8, "File Permis-

Profile Components and Syntax

Table of Contents

Include Statements - Novell APPARMOR 2.0.1 Administration Manual

2.2 #include Statements

Related Manuals for Novell APPARMOR 2.0.1

Related Content for Novell APPARMOR 2.0.1

Table of Contents