Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 215

21.2.5 Change rules
AppArmor provides change_hat and change_profile rules that control domain
transitioning. change_hat rules are specified by defining hats in a profile, while
change_profile rules refer to another profile and start with the keyword
change_profile:
    change_profile /usr/bin/foobar,
Both change_hat and change_profile provide for an application-directed profile
transition, without having to launch a separate application. change_profile provides
a generic one-way transition between any of the loaded profiles. change_hat provides
for a returnable parent-child transition where an application can switch from the parent
profile to the hat profile and, if it provides the correct secret key, return to the parent
profile at a later time.
change_profile is best used in situations where an application goes through a
trusted setup phase and then can lower its privilege level. Any resources mapped or
opened during the start-up phase may still be accessible after the profile change, but
the new profile will restrict the opening of new resources, and will even limit some of
the resources opened before the switch. Specifically, memory resources will still be
available, while capability and file resources (as long as they are not memory-mapped)
can be limited.
change_hat is best used in situations where an application runs a virtual machine
or an interpreter that does not provide direct access to the application's resources (e.g.
Apache's mod_php). Since change_hat stores the return secret key in the application's
memory, the phase of reduced privilege should not have direct access to memory.
It is also important that file access is properly separated, since the hat can restrict
accesses to a file handle but does not close it. If an application does buffering and provides
access to the open files with buffering, the accesses to these files may not be seen by
the kernel and hence not restricted by the new profile.
WARNING: Safety of Domain Transitions
The change_hat and change_profile domain transitions are less secure
than a domain transition done through an exec because they do not affect a
process's memory mappings, nor do they close resources that have already
been opened.
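As an added example (not taken from the guide), the following profile for a hypothetical /usr/bin/foobar combines both rule types in the syntax shown above: a hat for a restricted phase that the application enters with aa_change_hat() and leaves again with its secret token, and a change_profile rule for a one-way privilege drop after the trusted setup phase. All paths, the hat name and the worker profile name are assumptions for illustration; both profiles must be loaded for the change_profile rule to succeed.

```apparmor
#include <tunables/global>

# Parent profile for the hypothetical /usr/bin/foobar.
/usr/bin/foobar {
  #include <abstractions/base>

  # Trusted setup phase: read the configuration, open the log file,
  # bind a privileged port. Whatever is mapped or opened here stays
  # usable after either transition (see the warning above).
  /etc/foobar/**            r,
  /var/log/foobar.log       w,
  capability net_bind_service,

  # One-way transition: after setup the application calls
  # aa_change_profile() to switch to the worker profile below.
  # There is no way back, so the capability can no longer be used
  # for new operations, and new opens are confined by the worker rules.
  change_profile /usr/lib/foobar/worker,

  # Returnable transition: before running untrusted plug-in code the
  # application calls aa_change_hat() with a random secret token and
  # later aa_change_hat(NULL, token) to return to this parent profile.
  # The plug-in must not be able to read the token from process memory.
  ^plugin {
    #include <abstractions/base>
    /var/lib/foobar/plugins/**  r,
    /tmp/foobar-plugin-*        rw,
    # No rule for /etc/foobar or the log file: new opens of those are
    # refused inside the hat, but descriptors opened before the switch
    # remain open and should not be handed to the plug-in.
  }
}

# Target of the change_profile rule: the reduced-privilege worker.
/usr/lib/foobar/worker {
  #include <abstractions/base>
  /var/lib/foobar/**        r,
  /var/log/foobar.log       w,
}
```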
Profile Components and Syntax
203
