.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{ . if \nF \{ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "APPARMOR.D 5" .TH APPARMOR.D 5 "2014-09-22" "AppArmor 2.9.0" "AppArmor" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" apparmor.d \- syntax of security profiles for AppArmor. .SH "DESCRIPTION" .IX Header "DESCRIPTION" AppArmor profiles describe mandatory access rights granted to given programs and are fed to the AppArmor policy enforcement module using \&\fIapparmor_parser\fR\|(8). This man page describes the format of the AppArmor configuration files; see \fIapparmor\fR\|(7) for an overview of AppArmor. .SH "FORMAT" .IX Header "FORMAT" The following is a BNF-style description of AppArmor policy configuration files; see below for an example AppArmor policy file. AppArmor configuration files are line-oriented; \fB#\fR introduces a comment, similar to shell scripting languages. The exception to this rule is that \fB#include\fR will \fIinclude\fR the contents of a file inline to the policy; this behaviour is modelled after \fIcpp\fR\|(1). .Sp .RS 4 \&\fB\s-1INCLUDE\s0\fR = '#include' ( \fI\s-1ABS PATH\s0\fR | \fI\s-1MAGIC PATH\s0\fR ) .Sp \&\fB\s-1ABS PATH\s0\fR = '\*(L"' path '\*(R"' (the path is passed to \fIopen\fR\|(2)) .Sp \&\fB\s-1MAGIC PATH\s0\fR = '<' relative path '>' (the path is relative to \fI/etc/apparmor.d/\fR) .Sp \&\fB\s-1COMMENT\s0\fR = '#' \fI\s-1TEXT\s0\fR .Sp \&\fB\s-1TEXT\s0\fR = any characters .Sp \&\fB\s-1PROFILE\s0\fR = [ \fI\s-1COMMENT\s0\fR ... ] [ \fI\s-1VARIABLE ASSIGNMENT\s0\fR ... ] ( '"' \fI\s-1PROGRAM\s0\fR '"' | \fI\s-1PROGRAM\s0\fR ) [ 'flags=(complain)' ]'{' [ ( \fI\s-1RESOURCE RULE\s0\fR | \fI\s-1COMMENT\s0\fR | \fI\s-1INCLUDE\s0\fR | \fI\s-1SUBPROFILE\s0\fR | 'capability ' \fI\s-1CAPABILITY\s0\fR | \fI\s-1NETWORK RULE\s0\fR | \fI\s-1MOUNT RULE\s0\fR | \fI\s-1PIVOT ROOT RULE\s0\fR | \fI\s-1DBUS RULE\s0\fR | \fI\s-1UNIX RULE\s0\fR \fI\s-1FILE RULE\s0\fR | 'change_profile \-> ' \fI\s-1PROGRAMCHILD\s0\fR ) ... ] '}' .Sp \&\fB\s-1SUBPROFILE\s0\fR = [ \fI\s-1COMMENT\s0\fR ... ] ( \fI\s-1PROGRAMHAT\s0\fR | 'profile ' \fI\s-1PROGRAMCHILD\s0\fR ) '{' [ ( \fI\s-1FILE RULE\s0\fR | \fI\s-1COMMENT\s0\fR | \fI\s-1INCLUDE\s0\fR ) ... ] '}' .Sp \&\fB\s-1CAPABILITY\s0\fR = (lowercase capability name without '\s-1CAP_\s0' prefix; see \&\fIcapabilities\fR\|(7)) .Sp \&\fB\s-1NETWORK RULE\s0\fR = 'network' [ [ \fI\s-1DOMAIN\s0\fR ] [ \fI\s-1TYPE\s0\fR ] [ \fI\s-1PROTOCOL\s0\fR ] ] ',' .Sp \&\fB\s-1DOMAIN\s0\fR = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' ) ',' .Sp \&\fB\s-1TYPE\s0\fR = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' ) .Sp \&\fB\s-1PROTOCOL\s0\fR = ( 'tcp' | 'udp' | 'icmp' ) .Sp \&\fB\s-1PROGRAM\s0\fR = (non-whitespace characters except for '^', must start with '/'. Embedded spaces or tabs must be quoted.) .Sp \&\fB\s-1PROGRAMHAT\s0\fR = '^' (non-whitespace characters; see \fIaa_change_hat\fR\|(2) for a description of how this \*(L"hat\*(R" is used.) .Sp \&\fB\s-1PROGRAMCHILD\s0\fR = \fI\s-1SUBPROFILE\s0\fR name .Sp \&\fB\s-1MOUNT RULE\s0\fR = ( \fI\s-1MOUNT\s0\fR | \fI\s-1REMOUNT\s0\fR | \fI\s-1UMOUNT\s0\fR ) .Sp \&\fB\s-1MOUNT\s0\fR = [ 'audit' ] [ 'deny' ] 'mount' [ \fI\s-1MOUNT CONDITIONS\s0\fR ] [ \fI\s-1SOURCE FILEGLOB\s0\fR ] [ \-> [ \fI\s-1MOUNTPOINT FILEGLOB\s0\fR ] .Sp \&\fB\s-1REMOUNT\s0\fR = [ 'audit' ] [ 'deny' ] 'remount' [ \fI\s-1MOUNT CONDITIONS\s0\fR ] \fI\s-1MOUNTPOINT FILEGLOB\s0\fR .Sp \&\fB\s-1UMOUNT\s0\fR = [ 'audit' ] [ 'deny' ] 'umount' [ \fI\s-1MOUNT CONDITIONS\s0\fR ] \fI\s-1MOUNTPOINT FILEGLOB\s0\fR .Sp \&\fB\s-1MOUNT CONDITIONS\s0\fR = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) \fI\s-1MOUNT FSTYPE EXPRESSION\s0\fR ] [ 'options' ( '=' | 'in' ) \fI\s-1MOUNT FLAGS EXPRESSION\s0\fR ] .Sp \&\fB\s-1MOUNT FSTYPE EXPRESSION\s0\fR = ( \fI\s-1MOUNT FSTYPE LIST\s0\fR | \fI\s-1MOUNT EXPRESSION\s0\fR ) .Sp \&\fB\s-1MOUNT FSTYPE LIST\s0\fR = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, devfs, etc) .Sp \&\fB\s-1MOUNT FLAGS EXPRESSION\s0\fR = ( \fI\s-1MOUNT FLAGS LIST\s0\fR | \fI\s-1MOUNT EXPRESSION\s0\fR ) .Sp \&\fB\s-1MOUNT FLAGS LIST\s0\fR = Comma separated list of \fI\s-1MOUNT FLAGS\s0\fR. .Sp \&\fB\s-1MOUNT FLAGS\s0\fR = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'nodirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'move' | 'rec' | 'verbose' | 'silent' | 'load' | 'acl' | 'noacl' | 'unbindable' | 'private' | 'slave' | 'shared' | 'relative' | 'norelative' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' ) .Sp \&\fB\s-1MOUNT EXPRESSION\s0\fR = ( \fI\s-1ALPHANUMERIC\s0\fR | \fI\s-1AARE\s0\fR ) ... .Sp \&\fB\s-1PIVOT ROOT RULE\s0\fR = [ 'audit' ] [ 'deny' ] pivot_root [ oldroot=\fI\s-1OLD PUT FILEGLOB\s0\fR ] [ \fI\s-1NEW ROOT FILEGLOB\s0\fR ] [ \-> \fI\s-1PROGRAMCHILD\s0\fR ] .Sp \&\fB\s-1PTRACE_RULE\s0\fR = [ 'audit' ] [ 'deny' ] 'ptrace' [ \fI\s-1PTRACE ACCESS PERMISSIONS\s0\fR ] [ \fI\s-1PTRACE PEER\s0\fR ] .Sp \&\fB\s-1PTRACE ACCESS PERMISSIONS\s0\fR = \fI\s-1PTRACE ACCESS\s0\fR | \fI\s-1PTRACE ACCESS LIST\s0\fR .Sp \&\fB\s-1PTRACE ACCESS LIST\s0\fR = '(' Comma or space separated list of \fI\s-1PTRACE ACCESS\s0\fR ')' .Sp \&\fB\s-1PTRACE ACCESS\s0\fR = ( 'r' | 'w' | 'rw' | 'read' | 'readby' | 'trace' | 'tracedby' ) .Sp \&\fB\s-1PTRACE PEER\s0\fR = 'peer' '=' \fI\s-1AARE\s0\fR .Sp \&\fB\s-1SIGNAL_RULE\s0\fR = [ 'audit' ] [ 'deny' ] 'signal' [ \fI\s-1SIGNAL ACCESS PERMISSIONS\s0\fR ] [ \fI\s-1SIGNAL SET\s0\fR ] [ \fI\s-1SIGNAL PEER\s0\fR ] .Sp \&\fB\s-1SIGNAL ACCESS PERMISSIONS\s0\fR = \fI\s-1SIGNAL ACCESS\s0\fR | \fI\s-1SIGNAL ACCESS LIST\s0\fR .Sp \&\fB\s-1SIGNAL ACCESS LIST\s0\fR = '(' Comma or space separated list of \fI\s-1SIGNAL ACCESS\s0\fR ')' .Sp \&\fB\s-1SIGNAL ACCESS\s0\fR = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' ) .Sp \&\fB\s-1SIGNAL SET\s0\fR = 'set' '=' '(' \fI\s-1SIGNAL LIST\s0\fR ')' .Sp \&\fB\s-1SIGNAL LIST\s0\fR = Comma or space separated list of \fI\s-1SIGNALS\s0\fR .Sp \&\fB\s-1SIGNALS\s0\fR = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' ) .Sp \&\fB\s-1SIGNAL PEER\s0\fR = 'peer' '=' \fI\s-1AARE\s0\fR .Sp \&\fB\s-1DBUS RULE\s0\fR = ( \fI\s-1DBUS MESSAGE RULE\s0\fR | \fI\s-1DBUS SERVICE RULE\s0\fR | \fI\s-1DBUS EAVESDROP RULE\s0\fR | \fI\s-1DBUS COMBINED RULE\s0\fR ) .Sp \&\fB\s-1DBUS MESSAGE RULE\s0\fR = [ 'audit' ] [ 'deny' ] 'dbus' [ \fI\s-1DBUS ACCESS EXPRESSION\s0\fR ] [ \fI\s-1DBUS BUS\s0\fR ] [ \fI\s-1DBUS PATH\s0\fR ] [ \fI\s-1DBUS INTERFACE\s0\fR ] [ \fI\s-1DBUS MEMBER\s0\fR ] [ \fI\s-1DBUS PEER\s0\fR ] .Sp \&\fB\s-1DBUS SERVICE RULE\s0\fR = [ 'audit' ] [ 'deny' ] 'dbus' [ \fI\s-1DBUS ACCESS EXPRESSION\s0\fR ] [ \fI\s-1DBUS BUS\s0\fR ] [ \fI\s-1DBUS NAME\s0\fR ] .Sp \&\fB\s-1DBUS EAVESDROP RULE\s0\fR = [ 'audit' ] [ 'deny' ] 'dbus' [ \fI\s-1DBUS ACCESS EXPRESSION\s0\fR ] [ \fI\s-1DBUS BUS\s0\fR ] .Sp \&\fB\s-1DBUS COMBINED RULE\s0\fR = [ 'audit' ] [ 'deny' ] 'dbus' [ \fI\s-1DBUS ACCESS EXPRESSION\s0\fR ] [ \fI\s-1DBUS BUS\s0\fR ] .Sp \&\fB\s-1DBUS ACCESS EXPRESSION\s0\fR = ( \fI\s-1DBUS ACCESS\s0\fR | '(' \fI\s-1DBUS ACCESS LIST\s0\fR ')' ) .Sp \&\fB\s-1DBUS BUS\s0\fR = 'bus' '=' '(' 'system' | 'session' | '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' .Sp \&\fB\s-1DBUS PATH\s0\fR = 'path' '=' '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' .Sp \&\fB\s-1DBUS INTERFACE\s0\fR = 'interface' '=' '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' .Sp \&\fB\s-1DBUS MEMBER\s0\fR = 'member' '=' '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' .Sp \&\fB\s-1DBUS PEER\s0\fR = 'peer' '=' '(' [ \fI\s-1DBUS NAME\s0\fR ] [ \fI\s-1DBUS LABEL\s0\fR ] ')' .Sp \&\fB\s-1DBUS NAME\s0\fR = 'name' '=' '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' .Sp \&\fB\s-1DBUS LABEL\s0\fR = 'label' '=' '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' .Sp \&\fB\s-1DBUS ACCESS LIST\s0\fR = Comma separated list of \fI\s-1DBUS ACCESS\s0\fR .Sp \&\fB\s-1DBUS ACCESS\s0\fR = ( 'send' | 'receive' | 'bind' | 'eavesdrop' ) (some accesses are incompatible with some rules; see below.) .Sp \&\fB\s-1AARE\s0\fR = \fB?*[]{}^\fR (see below for meanings) .Sp \&\fB\s-1UNIX RILE\s0\fR = [ \fI\s-1UNIX QUALIFIERS\s0\fR ] 'unix' [ \fI\s-1UNIX ACCESS EXPR\s0\fR ] [ \fI\s-1UNIX RULE CONDS\s0\fR ] [ \fI\s-1UNIX LOCAL EXPR\s0\fR ] [ \fI\s-1UNIX PEER EXPR\s0\fR ] .Sp \&\fB\s-1UNIX QUALIFIERS\s0\fR = [ 'audit' ] [ 'allow' | 'deny' ] .Sp \&\fB\s-1UNIX ACCESS EXPR\s0\fR = ( \fI\s-1UNIX ACCESS\s0\fR | \fI\s-1UNIX ACCESS LIST\s0\fR ) .Sp \&\fB\s-1UNIX ACCESS\s0\fR = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) .Sp \&\fB\s-1UNIX ACCESS LIST\s0\fR = '(' \fI\s-1UNIX ACCESS\s0\fR ( [','] \fI\s-1UNIX ACCESS\s0\fR )* ')' .Sp \&\fB\s-1UNIX RULE CONDS\s0\fR = ( \fI\s-1TYPE COND\s0\fR | \fI\s-1PROTO COND\s0\fR ) each cond can appear at most once .Sp \&\fB\s-1TYPE COND\s0\fR = 'type' '=' ( \fI\s-1AARE\s0\fR | '(' ( '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR )+ ')' ) .Sp \&\fB\s-1PROTO COND\s0\fR = 'protocol' '=' ( \fI\s-1AARE\s0\fR | '(' ( '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR )+ ')' ) .Sp \&\fB\s-1UNIX LOCAL EXPR\s0\fR = ( \fI\s-1UNIX ADDRESS COND\s0\fR | \fI\s-1UNIX LABEL COND\s0\fR | \fI\s-1UNIX ATTR COND\s0\fR | \fI\s-1UNIX OPT COND\s0\fR )* each cond can appear at most once .Sp \&\fB\s-1UNIX PEER EXPR\s0\fR = 'peer' '=' ( \fI\s-1UNIX ADDRESS COND\s0\fR | \fI\s-1UNIX LABEL COND\s0\fR )+ each cond can appear at most once .Sp \&\fB\s-1UNIX ADDRESS COND\s0\fR 'addr' '=' ( \fI\s-1AARE\s0\fR | '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' ) .Sp \&\fB\s-1UNIX LABEL COND\s0\fR 'label' '=' ( \fI\s-1AARE\s0\fR | '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' ) .Sp \&\fB\s-1UNIX ATTR COND\s0\fR 'attr' '=' ( \fI\s-1AARE\s0\fR | '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' ) .Sp \&\fB\s-1UNIX OPT COND\s0\fR 'opt' '=' ( \fI\s-1AARE\s0\fR | '(' '"' \fI\s-1AARE\s0\fR '"' | \fI\s-1AARE\s0\fR ')' ) .Sp \&\fB\s-1FILE RULE\s0\fR = \fI\s-1RULE QUALIFIER\s0\fR ( '"' \fI\s-1FILEGLOB\s0\fR '"' | \fI\s-1FILEGLOB\s0\fR ) \fI\s-1ACCESS\s0\fR ',' .Sp \&\fB\s-1RULE QUALIFIER\s0\fR = [ 'audit' ] [ 'deny' ] [ 'owner' ] .Sp \&\fB\s-1FILEGLOB\s0\fR = (must start with '/' (after variable expansion), \fB\s-1AARE\s0\fR have special meanings; see below. May include \fI\s-1VARIABLE\s0\fR. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.) .Sp \&\fB\s-1ACCESS\s0\fR = ( 'r' | 'w' | 'l' | 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx \-> ' \fI\s-1PROGRAMCHILD\s0\fR | 'Cx \-> ' \fI\s-1PROGRAMCHILD\s0\fR | 'm' ) [ \fI\s-1ACCESS\s0\fR ... ] (not all combinations are allowed; see below.) .Sp \&\fB\s-1VARIABLE\s0\fR = '@{' \fI\s-1ALPHA\s0\fR [ ( \fI\s-1ALPHANUMERIC\s0\fR | '_' ) ... ] '}' .Sp \&\fB\s-1VARIABLE ASSIGNMENT\s0\fR = \fI\s-1VARIABLE\s0\fR ('=' | '+=') (space separated values) .Sp \&\fB\s-1ALIAS RULE\s0\fR = \fI\s-1ABS PATH\s0\fR '\->' \fI\s-1REWRITTEN ABS PATH\s0\fR ',' .Sp \&\fB\s-1ALPHA\s0\fR = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z') .Sp \&\fB\s-1ALPHANUMERIC\s0\fR = ('0', '1', '2', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z') .RE .PP All resources and programs need a full path. There may be any number of subprofiles (aka child profiles) in a profile, limited only by kernel memory. Subprofile names are limited to 974 characters. Child profiles can be used to confine an application in a special way, or when you want the child to be unconfined on the system, but confined when called from the parent. Hats are a special child profile that can be used with the \&\fIaa_change_hat\fR\|(2) \s-1API\s0 call. Applications written or modified to use \&\fIaa_change_hat\fR\|(2) can take advantage of subprofiles to run under different confinements, dependent on program logic. Several \fIaa_change_hat\fR\|(2)\-aware applications exist, including an Apache module, \fImod_apparmor\fR\|(5); a \s-1PAM\s0 module, pam_apparmor; and a Tomcat valve, tomcat_apparmor. Applications written or modified to use \fIchange_profile\fR\|(2) transition permanently to the specified profile. libvirt is one such application. .SS "Access Modes" .IX Subsection "Access Modes" File permission access modes consists of combinations of the following modes: .IP "\fBr\fR" 8 .IX Item "r" \&\- read .IP "\fBw\fR" 8 .IX Item "w" \&\- write \*(-- conflicts with append .IP "\fBa\fR" 8 .IX Item "a" \&\- append \*(-- conflicts with write .IP "\fBux\fR" 8 .IX Item "ux" \&\- unconfined execute .IP "\fBUx\fR" 8 .IX Item "Ux" \&\- unconfined execute \*(-- scrub the environment .IP "\fBpx\fR" 8 .IX Item "px" \&\- discrete profile execute .IP "\fBPx\fR" 8 .IX Item "Px" \&\- discrete profile execute \*(-- scrub the environment .IP "\fBcx\fR" 8 .IX Item "cx" \&\- transition to subprofile on execute .IP "\fBCx\fR" 8 .IX Item "Cx" \&\- transition to subprofile on execute \*(-- scrub the environment .IP "\fBix\fR" 8 .IX Item "ix" \&\- inherit execute .IP "\fBm\fR" 8 .IX Item "m" \&\- allow \s-1PROT_EXEC\s0 with \fImmap\fR\|(2) calls .IP "\fBl\fR" 8 .IX Item "l" \&\- link .IP "\fBk\fR" 8 .IX Item "k" \&\- lock .SS "Access Modes Details" .IX Subsection "Access Modes Details" .IP "\fBr \- Read mode\fR" 4 .IX Item "r - Read mode" Allows the program to have read access to the file or directory listing. Read access is required for shell scripts and other interpreted content. .IP "\fBw \- Write mode\fR" 4 .IX Item "w - Write mode" Allows the program to have write access to the file. Files and directories must have this permission if they are to be unlinked (removed.) Write mode is not required on a directory to rename or create files within the directory. .Sp This mode conflicts with append mode. .IP "\fBa \- Append mode\fR" 4 .IX Item "a - Append mode" Allows the program to have a limited appending only write access to the file. Append mode will prevent an application from opening the file for write unless it passes the O_APPEND parameter flag on open. .Sp The mode conflicts with Write mode. .IP "\fBux \- Unconfined execute mode\fR" 4 .IX Item "ux - Unconfined execute mode" Allows the program to execute the program without any AppArmor profile being applied to the program. .Sp This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconfined execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information on what is constrained, see the \fIapparmor\fR\|(7) man page. .Sp \&\fB\s-1WARNING\s0\fR 'ux' should only be used in very special cases. It enables the designated child processes to be run without any AppArmor protection. \&'ux' does not scrub the environment of variables such as \s-1LD_PRELOAD\s0; as a result, the calling domain may have an undue amount of influence over the callee. Use this mode only if the child absolutely must be run unconfined and \s-1LD_PRELOAD\s0 must be used. Any profile using this mode provides negligible security. Use at your own risk. .Sp Incompatible with 'Ux', 'px', 'Px', 'cx', 'Cx', 'ix'. .IP "\fBUx \- unconfined execute \*(-- scrub the environment\fR" 4 .IX Item "Ux - unconfined execute scrub the environment" \&'Ux' allows the named program to run in 'ux' mode, but AppArmor will invoke the Linux Kernel's \fBunsafe_exec\fR routines to scrub the environment, similar to setuid programs. (See \fIld.so\fR\|(8) for some information on setuid/setgid environment scrubbing.) .Sp \&\fB\s-1WARNING\s0\fR 'Ux' should only be used in very special cases. It enables the designated child processes to be run without any AppArmor protection. Use this mode only if the child absolutely must be run unconfined. Use at your own risk. .Sp Incompatible with 'ux', 'px', 'Px', 'cx', 'Cx', 'ix'. .IP "\fBpx \- Discrete Profile execute mode\fR" 4 .IX Item "px - Discrete Profile execute mode" This mode requires that a discrete security profile is defined for a program executed and forces an AppArmor domain transition. If there is no profile defined then the access will be denied. .Sp \&\fB\s-1WARNING\s0\fR 'px' does not scrub the environment of variables such as \&\s-1LD_PRELOAD\s0; as a result, the calling domain may have an undue amount of influence over the callee. .Sp Incompatible with 'Ux', 'ux', 'Px', 'cx', 'Cx', 'ix'. .IP "\fBPx \- Discrete Profile execute mode \*(-- scrub the environment\fR" 4 .IX Item "Px - Discrete Profile execute mode scrub the environment" \&'Px' allows the named program to run in 'px' mode, but AppArmor will invoke the Linux Kernel's \fBunsafe_exec\fR routines to scrub the environment, similar to setuid programs. (See \fIld.so\fR\|(8) for some information on setuid/setgid environment scrubbing.) .Sp Incompatible with 'Ux', 'ux', 'px', 'cx', 'Cx', 'ix'. .IP "\fBcx \- Transition to Subprofile execute mode\fR" 4 .IX Item "cx - Transition to Subprofile execute mode" This mode requires that a local security profile is defined and forces an AppArmor domain transition to the named profile. If there is no profile defined then the access will be denied. .Sp \&\fB\s-1WARNING\s0\fR 'cx' does not scrub the environment of variables such as \&\s-1LD_PRELOAD\s0; as a result, the calling domain may have an undue amount of influence over the callee. .Sp Incompatible with 'Ux', 'ux', 'px', 'Px', 'Cx', 'ix'. .IP "\fBCx \- Transition to Subprofile execute mode \*(-- scrub the environment\fR" 4 .IX Item "Cx - Transition to Subprofile execute mode scrub the environment" \&'Cx' allows the named program to run in 'cx' mode, but AppArmor will invoke the Linux Kernel's \fBunsafe_exec\fR routines to scrub the environment, similar to setuid programs. (See \fIld.so\fR\|(8) for some information on setuid/setgid environment scrubbing.) .Sp Incompatible with 'Ux', 'ux', 'px', 'Px', 'cx', 'ix'. .IP "\fBix \- Inherit execute mode\fR" 4 .IX Item "ix - Inherit execute mode" Prevent the normal AppArmor domain transition on \fIexecve\fR\|(2) when the profiled program executes the named program. Instead, the executed resource will inherit the current profile. .Sp This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile, or losing the permissions of the current profile. There is no version to scrub the environment because 'ix' executions don't change privileges. .Sp Incompatible with 'Ux', 'ux', 'Px', 'px', 'cx', 'Cx'. Implies 'm'. .IP "\fBm \- Allow executable mapping\fR" 4 .IX Item "m - Allow executable mapping" This mode allows a file to be mapped into memory using \fImmap\fR\|(2)'s \&\s-1PROT_EXEC\s0 flag. This flag marks the pages executable; it is used on some architectures to provide non-executable data pages, which can complicate exploit attempts. AppArmor uses this mode to limit which files a well-behaved program (or all programs on architectures that enforce non-executable memory access controls) may use as libraries, to limit the effect of invalid \fB\-L\fR flags given to \fIld\fR\|(1) and \fB\s-1LD_PRELOAD\s0\fR, \&\fB\s-1LD_LIBRARY_PATH\s0\fR, given to \fIld.so\fR\|(8). .IP "\fBl \- Link mode\fR" 4 .IX Item "l - Link mode" Allows the program to be able to create a link with this name. When a link is created, the new link \fB\s-1MUST\s0\fR have a subset of permissions as the original file (with the exception that the destination does not have to have link access.) If there is an 'x' rule on the new link, it must match the original file exactly. .IP "\fBk \- lock mode\fR" 4 .IX Item "k - lock mode" Allows the program to be able lock a file with this name. This permission covers both advisory and mandatory locking. .SS "Comments" .IX Subsection "Comments" Comments start with # and may begin at any place within a line. The comment ends when the line ends. This is the same comment style as shell scripts. .SS "Capabilities" .IX Subsection "Capabilities" The only capabilities a confined process may use may be enumerated; for the complete list, please refer to \fIcapabilities\fR\|(7). Note that granting some capabilities renders AppArmor confinement for that domain advisory; while \fIopen\fR\|(2), \fIread\fR\|(2), \fIwrite\fR\|(2), etc., will still return error when access is not granted, some capabilities allow loading kernel modules, arbitrary access to \s-1IPC,\s0 ability to bypass discretionary access controls, and other operations that are typically reserved for the root user. .SS "Network Rules" .IX Subsection "Network Rules" AppArmor supports simple coarse grained network mediation. The network rule restrict all \fIsocket\fR\|(2) based operations. The mediation done is a course grained check on whether a socket of a given type and family can be created, read, or written. There is no mediation based of port number or protocol beyond tcp, udp, and raw. Network \fInetlink\fR\|(7) rules may only specify type 'dgram' and 'raw'. .PP AppArmor network rules are accumulated so that the granted network permissions are the union of all the listed network rule permissions. .PP AppArmor network rules are broad and general and become more restrictive as further information is specified. .PP eg. .PP .Vb 5 \& network, #allow access to all networking \& network tcp, #allow access to tcp \& network inet tcp, #allow access to tcp only for inet4 addresses \& network inet6 tcp, #allow access to tcp only for inet6 addresses \& network netlink raw, #allow access to AF_NETLINK SOCK_RAW .Ve .SS "Mount Rules" .IX Subsection "Mount Rules" AppArmor supports mount mediation and allows specifying filesystem types and mount flags. The syntax of mount rules in AppArmor is based on the \fImount\fR\|(8) command syntax. Mount rules must contain one of the mount, remount or umount keywords, but all mount conditions are optional. Unspecified optional conditionals are assumed to match all entries (eg, not specifying fstype means all fstypes are matched). Due to the complexity of the mount command and how options may be specified, AppArmor allows specifying conditionals three different ways: .IP "1." 4 If a conditional is specified using '=', then the rule only grants permission for mounts matching the exactly specified options. For example, an AppArmor policy with the following rule: .Sp .Vb 1 \& mount options=ro /dev/foo \-E /mnt/, .Ve .Sp Would match: .Sp .Vb 1 \& $ mount \-o ro /dev/foo /mnt .Ve .Sp but not either of these: .Sp .Vb 1 \& $ mount \-o ro,atime /dev/foo /mnt \& \& $ mount \-o rw /dev/foo /mnt .Ve .IP "2." 4 If a conditional is specified using 'in', then the rule grants permission for mounts matching any combination of the specified options. For example, if an AppArmor policy has the following rule: .Sp .Vb 1 \& mount options in (ro,atime) /dev/foo \-> /mnt/, .Ve .Sp all of these mount commands will match: .Sp .Vb 1 \& $ mount \-o ro /dev/foo /mnt \& \& $ mount \-o ro,atime /dev/foo /mnt \& \& $ mount \-o atime /dev/foo /mnt .Ve .Sp but none of these will: .Sp .Vb 1 \& $ mount \-o ro,sync /dev/foo /mnt \& \& $ mount \-o ro,atime,sync /dev/foo /mnt \& \& $ mount \-o rw /dev/foo /mnt \& \& $ mount \-o rw,noatime /dev/foo /mnt \& \& $ mount /dev/foo /mnt .Ve .IP "3." 4 If multiple conditionals are specified in a single mount rule, then the rule grants permission for each set of options. This provides a shorthand when writing mount rules which might help to logically break up a conditional. For example, if an AppArmor policy has the following rule: .Sp .Vb 1 \& mount options=ro options=atime .Ve .Sp both of these mount commands will match: .Sp .Vb 1 \& $ mount \-o ro /dev/foo /mnt \& \& $ mount \-o atime /dev/foo /mnt .Ve .Sp but this one will not: .Sp .Vb 1 \& $ mount \-o ro,atime /dev/foo /mnt .Ve .PP Note that separate mount rules are distinct and the options do not accumulate. For example, these AppArmor mount rules: .PP .Vb 1 \& mount options=ro, \& \& mount options=atime, .Ve .PP are not equivalent to either of these mount rules: .PP .Vb 1 \& mount options=(ro,atime), \& \& mount options in (ro,atime), .Ve .PP To help clarify the flexibility and complexity of mount rules, here are some example rules with accompanying matching commands: .IP "\fBmount,\fR" 4 .IX Item "mount," the 'mount' rule without any conditionals is the most generic and allows any mount. Equivalent to 'mount fstype=** options=** ** \-> /**'. .IP "\fBmount /dev/foo,\fR" 4 .IX Item "mount /dev/foo," allow mounting of /dev/foo anywhere with any options. Some matching mount commands: .Sp .Vb 1 \& $ mount /dev/foo /mnt \& \& $ mount \-t ext3 /dev/foo /mnt \& \& $ mount \-t vfat /dev/foo /mnt \& \& $ mount \-o ro,atime,noexec,nodiratime /dev/foo /srv/some/mountpoint .Ve .IP "\fBmount options=ro /dev/foo,\fR" 4 .IX Item "mount options=ro /dev/foo," allow mounting of /dev/foo anywhere, as read only. Some matching mount commands: .Sp .Vb 1 \& $ mount \-o ro /dev/foo /mnt \& \& $ mount \-o ro /dev/foo /some/where/else .Ve .IP "\fBmount options=(ro,atime) /dev/foo,\fR" 4 .IX Item "mount options=(ro,atime) /dev/foo," allow mount of /dev/foo anywhere, as read only and using inode access times. Some matching mount commands: .Sp .Vb 1 \& $ mount \-o ro,atime /dev/foo /mnt \& \& $ mount \-o ro,atime /dev/foo /some/where/else .Ve .IP "\fBmount options in (ro,atime) /dev/foo,\fR" 4 .IX Item "mount options in (ro,atime) /dev/foo," allow mount of /dev/foo anywhere using some combination of 'ro' and 'atime' (see above). Some matching mount commands: .Sp .Vb 1 \& $ mount \-o ro /dev/foo /mnt \& \& $ mount \-o atime /dev/foo /some/where/else \& \& $ mount \-o ro,atime /dev/foo /some/other/place .Ve .IP "\fBmount options=ro /dev/foo, mount options=atime /dev/foo,\fR" 4 .IX Item "mount options=ro /dev/foo, mount options=atime /dev/foo," allow mount of /dev/foo anywhere as read only, and allow mount of /dev/foo anywhere using inode access times. Note this is expressed as two different rules. Matches: .Sp .Vb 1 \& $ mount \-o ro /dev/foo /mnt/1 \& \& $ mount \-o atime /dev/foo /mnt/2 .Ve .IP "\fBmount \-> /mnt/**,\fR" 4 .IX Item "mount -> /mnt/**," allow mounting anything under a directory in /mnt/**. Some matching mount commands: .Sp .Vb 1 \& $ mount /dev/foo1 /mnt/1 \& \& $ mount \-o ro,atime,noexec,nodiratime /dev/foo2 /mnt/deep/path/foo2 .Ve .IP "\fBmount options=ro \-> /mnt/**,\fR" 4 .IX Item "mount options=ro -> /mnt/**," allow mounting anything under /mnt/**, as read only. Some matching mount commands: .Sp .Vb 1 \& $ mount \-o ro /dev/foo1 /mnt/1 \& \& $ mount \-o ro /dev/foo2 /mnt/deep/path/foo2 .Ve .IP "\fBmount fstype=ext3 options=(rw,atime) /dev/sdb1 \-> /mnt/stick/,\fR" 4 .IX Item "mount fstype=ext3 options=(rw,atime) /dev/sdb1 -> /mnt/stick/," allow mounting an ext3 filesystem in /dev/sdb1 on /mnt/stick as read/write and using inode access times. Matches only: .Sp .Vb 1 \& $ mount \-o rw,atime /dev/sdb1 /mnt/stick .Ve .IP "\fBmount options=(ro, atime) options in (nodev, user) /dev/foo \-> /mnt/,\fR" 4 .IX Item "mount options=(ro, atime) options in (nodev, user) /dev/foo -> /mnt/," allow mounting /dev/foo on /mmt/ read only and using inode access times or allow mounting /dev/foo on /mnt/ with some combination of 'nodev' and 'user'. Matches only: .Sp .Vb 1 \& $ mount \-o ro,atime /dev/foo /mnt \& \& $ mount \-o nodev /dev/foo /mnt \& \& $ mount \-o user /dev/foo /mnt \& \& $ mount \-o nodev,user /dev/foo /mnt .Ve .SS "Pivot Root Rules" .IX Subsection "Pivot Root Rules" AppArmor mediates changing of the root filesystem through the \fIpivot_root\fR\|(2) system call. The syntax of 'pivot_root' rules in AppArmor is based on the \&\fIpivot_root\fR\|(2) system call parameters with the notable exception that the ordering is reversed. The path corresponding to the put_old parameter of \&\fIpivot_root\fR\|(2) is optionally specified in the 'pivot_root' rule using the \&'oldroot=' prefix. .PP AppArmor 'pivot_root' rules can specify a profile transition to occur during the \fIpivot_root\fR\|(2) system call. Note that AppArmor will only transition the process calling \fIpivot_root\fR\|(2) to the new profile. .PP The paths specified in 'pivot_root' rules must end with '/' since they are directories. .PP Here are some example 'pivot_root' rules: .PP .Vb 2 \& # Allow any pivot \& pivot_root, \& \& # Allow pivoting to any new root directory and putting the old root \& # directory at /mnt/root/old/ \& pivot_root oldroot=/mnt/root/old/, \& \& # Allow pivoting the root directory to /mnt/root/ \& pivot_root /mnt/root/, \& \& # Allow pivoting to /mnt/root/ and putting the old root directory at \& # /mnt/root/old/ \& pivot_root oldroot=/mnt/root/old/ /mnt/root/, \& \& # Allow pivoting to /mnt/root/, putting the old root directory at \& # /mnt/root/old/ and transition to the /mnt/root/sbin/init profile \& pivot_root oldroot=/mnt/root/old/ /mnt/root/ \-> /mnt/root/sbin/init, .Ve .SS "PTrace rules" .IX Subsection "PTrace rules" AppArmor supports mediation of \fIptrace\fR\|(2). AppArmor PTrace rules are accumulated so that the granted PTrace permissions are the union of all the listed PTrace rule permissions. .PP AppArmor PTrace permissions are implied when a rule does not explicitly state an access list. By default, all PTrace permissions are implied. .PP The trace and tracedby permissions govern \fIptrace\fR\|(2) while read and readby govern certain \fIproc\fR\|(5) filesystem accesses, \fIkcmp\fR\|(2), futexes (\fIget_robust_list\fR\|(2)) and perf trace events. .PP For a ptrace operation to be allowed the profile of the tracing process and the profile of the target task must both have the correct permissions. For example, the profile of the process attaching to another task must have the trace permission for the target task's profile, and the task being traced must have the tracedby permission for the tracing process' profile. .PP Example AppArmor PTrace rules: .PP .Vb 2 \& # Allow all PTrace access \& ptrace, \& \& # Explicitly allow all PTrace access, \& ptrace (read, readby, trace, tracedby), \& \& # Explicitly deny use of ptrace(2) \& deny ptrace (trace), \& \& # Allow unconfined processes (eg, a debugger) to ptrace us \& ptrace (readby, tracedby) peer=unconfined, \& \& # Allow ptrace of a process running under the /usr/bin/foo profile \& ptrace (trace) peer=/usr/bin/foo, .Ve .SS "Signal rules" .IX Subsection "Signal rules" AppArmor supports mediation of \fIsignal\fR\|(7). AppArmor signal rules are accumulated so that the granted signal permissions are the union of all the listed signal rule permissions. .PP AppArmor signal permissions are implied when a rule does not explicitly state an access list. By default, all signal permissions are implied. .PP For the sending of a signal to be allowed, the profile of the sending process and the profile of the target task must both have the correct permissions. For example, the profile of a process sending a signal to another task must have the send permission for the target task's profile, and the task receiving the signal must have a receive permission for the sending process' profile. .PP Example AppArmor signal rules: .PP .Vb 2 \& # Allow all signal access \& signal, \& \& # Explicitly deny sending the HUP and INT signals \& deny signal (send) set=(hup, int), \& \& # Allow unconfined processes to send us signals \& signal (receive) peer=unconfined, \& \& # Allow sending of signals to a process running under the /usr/bin/foo \& # profile \& signal (send) peer=/usr/bin/foo, \& \& # Allow checking for PID existence \& signal (receive, send) set=("exists"), \& \& # Allow us to signal ourselves using the built\-in @{profile_name} variable \& signal peer=@{profile_name}, .Ve .SS "DBus rules" .IX Subsection "DBus rules" AppArmor supports DBus mediation. The mediation is performed in conjunction with the DBus daemon. The DBus daemon verifies that communications over the bus are permitted by AppArmor policy. .PP AppArmor DBus rules are accumulated so that the granted DBus permissions are the union of all the listed DBus rule permissions. .PP AppArmor DBus rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the interface member level (method or signal name), however the contents of messages are not examined. .PP Some AppArmor DBus permissions are not compatible with all AppArmor DBus rules. The 'bind' permission cannot be used in message rules. The 'send' and 'receive' permissions cannot be used in service rules. The 'eavesdrop' permission cannot be used in rules containing any conditionals outside of the 'bus' conditional. .PP AppArmor DBus permissions are implied when a rule does not explicitly state an access list. By default, all DBus permissions are implied. Only message permissions are implied for message rules and only service permissions are implied for service rules. .PP Example AppArmor DBus rules: .PP .Vb 2 \& # Allow all DBus access \& dbus, \& \& # Explicitly allow all DBus access, \& dbus (send, receive, bind), \& \& # Deny send/receive/bind access to the session bus \& deny dbus bus=session, \& \& # Allow bind access for a particular name on any bus \& dbus bind name=com.example.ExampleName, \& \& # Allow receive access for a particular path and interface \& dbus receive path=/com/example/path interface=com.example.Interface, \& \& # Deny send/receive access to the system bus for a particular interface \& deny dbus bus=system interface=com.example.ExampleInterface, \& \& # Allow send access for a particular path, interface, member, and pair of \& # peer names: \& dbus send \& bus=session \& path=/com/example/path \& interface=com.example.Interface \& member=ExampleMethod \& peer=(name=(com.example.ExampleName1|com.example.ExampleName2)), \& \& # Allow receive access for all unconfined peers \& dbus receive peer=(label=unconfined)), \& \& # Allow eavesdropping on the system bus \& dbus eavesdrop bus=system, \& \& # Allow and audit all eavesdropping \& audit dbus eavesdrop, .Ve .SS "Unix socket rules" .IX Subsection "Unix socket rules" AppArmor supports fine grained mediation of unix domain abstract and anonymous sockets. Unix domain sockets with file system paths are mediated via file access rules. .PP Abstract unix domain sockets is a nonportable Linux extension of unix domain sockets, see \fIunix\fR\|(7) for more information. .PP \fIUnix socket address paths\fR .IX Subsection "Unix socket address paths" .PP The sun_path component (aka the socket address) of a unix domain socket is specified by the .PP .Vb 1 \& addr= .Ve .PP conditional. If an address conditional is not specified as part of a rule then the rule matches both abstract and anonymous sockets. .PP In apparmor the address of an abstract unix domain socket begins with the \fI@\fR character, similar to how they are reported (as paths) by netstat \-x. The address then follows and may contain pattern matching and any characters including the null character. In apparmor null characters must be specified by using an escape sequence \fI\e000\fR or \&\fI\ex00\fR. The pattern matching is the same as is used by file path matching so * will not match \fI/\fR even though it has no special meaning with in an abstract socket name. Eg. .PP .Vb 1 \& unix addr=@*, .Ve .PP Anonymous unix domain sockets have no sun_path associated with the socket address, however it can be specified with the special \fInone\fR keyword to indicate the rule only applies to anonymous unix domain sockets. Eg. .PP .Vb 1 \& unix addr=none, .Ve .PP If the address component of a rule is not specified then the rule applies to both abstract and anonymous sockets. .PP \fIUnix socket permissions\fR .IX Subsection "Unix socket permissions" .PP Unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. .PP Unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the socket address (aka sun_path) and label level. The content of the communication is not examined. .PP Unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. .PP The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt permissions are local socket permissions. They are only applied to the local socket and can't be specified in rules that have a peer component. The accept permission applies to the combination of a local and peer socket. The connect, send, and receive permissions are peer socket permissions. .PP Only the peer socket permissions will be applied to rules that don't specify permissions and contain a peer component. .PP \fIExample Unix domain socket rules:\fR .IX Subsection "Example Unix domain socket rules:" .PP .Vb 2 \& # Allow all permissions to unix sockets \& unix, \& \& # Explicitly allow all unix permissions \& unix (create, listen, accept, connect, send, receive, getattr, setattr, setopt, getopt), \& \& # Explicitly deny unix socket access \& deny unix, \& \& # Allow create and use of abstract and anonymous sockets for profile_name \& unix peer=(label=@{profile_name}), \& \& # Allow receiving via unix sockets from unconfined \& unix (receive) peer=(label=unconfined), \& \& # Allow getattr and shutdown on anonymous sockets \& unix (getattr, shutdown) addr=none, \& \& # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar \& # with peer running under profile \*(Aq/foo\*(Aq \& unix (connect, receive, send) type=stream peer=(label=/foo,addr="@bar"), \& \& # Allow accepting connections from and receiving from peer running under \& # profile \*(Aq/bar\*(Aq on abstract socket \*(Aq@foo\*(Aq \& unix (accept, receive) addr=@foo peer=(label=/bar), .Ve .PP \fIAbstract unix domain sockets autobind\fR .IX Subsection "Abstract unix domain sockets autobind" .PP Abstract unix domain sockets can autobind to an address. The autobind address is a unique 5 digit string of decimal numbers, eg. \f(CW@00001\fR. There is nothing that prevents a task from manually binding to addresses with a similar pattern so it is impossible to reliably identify autobind addresses from a regular address. .PP \fIInteraction of network rules and fine grained unix domain socket rules\fR .IX Subsection "Interaction of network rules and fine grained unix domain socket rules" .PP The coarse grained networking rules can be used to control unix domain sockets as well. When fine grained unix domain socket mediation is available the coarse grained network rule is mapped into the equivalent unix socket rule. .PP E.G. .PP .Vb 1 \& network unix, => unix, \& \& network unix stream, => unix stream, .Ve .PP Fine grained mediation rules however can not be lossly converted back to the coarse grained network rule; e.g. .PP .Vb 1 \& unix bind addr=@example, .Ve .PP Has no exact match under coarse grained network rules, the closest match is the much wider permission rule of .PP .Vb 1 \& network unix, .Ve .SS "Variables" .IX Subsection "Variables" AppArmor's policy language allows embedding variables into file rules to enable easier configuration for some common (and pervasive) setups. Variables may have multiple values assigned, but any variable assignments must be made before the start of the profile. .PP The parser will automatically expand variables to include all values that they have been assigned; it is an error to reference a variable without setting at least one value. .PP At the time of this writing, the following variables are defined in the provided AppArmor policy: .PP .Vb 10 \& @{HOME} \& @{HOMEDIRS} \& @{multiarch} \& @{pid} \& @{PROC} \& @{securityfs} \& @{sys} \& @{tid} \& @{XDG_DESKTOP_DIR} \& @{XDG_DOWNLOAD_DIR} \& @{XDG_TEMPLATES_DIR} \& @{XDG_PUBLICSHARE_DIR} \& @{XDG_DOCUMENTS_DIR} \& @{XDG_MUSIC_DIR} \& @{XDG_PICTURES_DIR} \& @{XDG_VIDEOS_DIR} .Ve .PP These are defined in files in \fI/etc/apparmor.d/tunables\fR and are used in many of the abstractions described later. .PP You may also add files in \fI/etc/apparmor.d/tunables/home.d\fR for site-specific customization of \fB@{\s-1HOMEDIRS\s0}\fR, \&\fI/etc/apparmor.d/tunables/multiarch.d\fR for \fB@{multiarch}\fR and \&\fI/etc/apparmor.d/tunables/xdg\-user\-dirs.d\fR for \fB@{XDG_*}\fR. .PP The special \fB@{profile_name}\fR variable is set to the profile name and may be used in all policy. .SS "Alias rules" .IX Subsection "Alias rules" AppArmor also provides alias rules for remapping paths for site-specific layouts. They are an alternative form of path rewriting to using variables, and are done after variable resolution. Alias rules must occur within the preamble of the profile. System-wide aliases are found in \&\fI/etc/apparmor.d/tunables/alias\fR, which is included by \&\fI/etc/apparmor.d/tunables/global\fR. \fI/etc/apparmor.d/tunables/global\fR is typically included at the beginning of an AppArmor profile. .SS "Globbing" .IX Subsection "Globbing" File resources may be specified with a globbing syntax similar to that used by popular shells, such as \fIcsh\fR\|(1), \fIbash\fR\|(1), \fIzsh\fR\|(1). .IP "\fB*\fR" 4 .IX Item "*" can substitute for any number of characters, excepting '/' .IP "\fB**\fR" 4 .IX Item "**" can substitute for any number of characters, including '/' .IP "\fB?\fR" 4 .IX Item "?" can substitute for any single character excepting '/' .IP "\fB[abc]\fR" 4 .IX Item "[abc]" will substitute for the single character a, b, or c .IP "\fB[a\-c]\fR" 4 .IX Item "[a-c]" will substitute for the single character a, b, or c .IP "\fB[^a\-c]\fR" 4 .IX Item "[^a-c]" will substitute for any single character not matching a, b or c .IP "\fB{ab,cd}\fR" 4 .IX Item "{ab,cd}" will expand to one rule to match ab, one rule to match cd .PP When AppArmor looks up a directory the pathname being looked up will end with a slash (e.g., \fI/var/tmp/\fR); otherwise it will not end with a slash. Only rules that match a trailing slash will match directories. Some examples, none matching the \fI/tmp/\fR directory itself, are: .IP "\fB/tmp/*\fR" 4 .IX Item "/tmp/*" Files directly in \fI/tmp\fR. .IP "\fB/tmp/*/\fR" 4 .IX Item "/tmp/*/" Directories directly in \fI/tmp\fR. .IP "\fB/tmp/**\fR" 4 .IX Item "/tmp/**" Files and directories anywhere underneath \fI/tmp\fR. .IP "\fB/tmp/**/\fR" 4 .IX Item "/tmp/**/" Directories anywhere underneath \fI/tmp\fR. .SS "Rule Qualifiers" .IX Subsection "Rule Qualifiers" There are several rule qualifiers that can be applied to permission rules. Rule qualifiers can modify the rule and/or permissions within the rule. .IP "\fBaudit\fR" 4 .IX Item "audit" Specifies that permissions requests that match the rule should be recorded to the audit log. .IP "\fBdeny\fR" 4 .IX Item "deny" Specifies that permissions requests that match the rule should be denied without logging. Can be combined with 'audit' to enable logging. .IP "\fBowner\fR" 4 .IX Item "owner" Specifies that the task must have the same euid/fsuid as the object being referenced by the permission check. .SS "#include mechanism" .IX Subsection "#include mechanism" AppArmor provides an easy abstraction mechanism to group common file access requirements; this abstraction is an extremely flexible way to grant site-specific rights and makes writing new AppArmor profiles very simple by assembling the needed building blocks for any given program. .PP The use of '#include' is modelled directly after \fIcpp\fR\|(1); its use will replace the '#include' statement with the specified file's contents. \&\fB#include \*(L"/absolute/path\*(R"\fR specifies that \fI/absolute/path\fR should be used. \fB#include \*(L"relative/path\*(R"\fR specifies that \fIrelative/path\fR should be used, where the path is relative to the current working directory. \&\fB#include \fR is the most common usage; it will load \&\fImagic/path\fR relative to a directory specified to \fIapparmor_parser\fR\|(8). \&\fI/etc/apparmor.d/\fR is the AppArmor default. .PP The supplied AppArmor profiles follow several conventions; the abstractions stored in \fI/etc/apparmor.d/abstractions/\fR are some large clusters that are used in most profiles. What follows are short descriptions of how some of the abstractions are used. .IP "\fIabstractions/audio\fR" 4 .IX Item "abstractions/audio" Includes accesses to device files used for audio applications. .IP "\fIabstractions/authentication\fR" 4 .IX Item "abstractions/authentication" Includes access to files and services typically necessary for services that perform user authentication. .IP "\fIabstractions/base\fR" 4 .IX Item "abstractions/base" Includes files that should be readable and writable in all profiles. .IP "\fIabstractions/bash\fR" 4 .IX Item "abstractions/bash" Includes many files used by bash; useful for interactive shells and programs that call \fIsystem\fR\|(3). .IP "\fIabstractions/consoles\fR" 4 .IX Item "abstractions/consoles" Includes read and write access to the device files controlling the virtual console, \fIsshd\fR\|(8), \fIxterm\fR\|(1), etc. This abstraction is needed for many programs that interact with users. .IP "\fIabstractions/fonts\fR" 4 .IX Item "abstractions/fonts" Includes access to fonts and the font libraries. .IP "\fIabstractions/gnome\fR" 4 .IX Item "abstractions/gnome" Includes read and write access to \s-1GNOME\s0 configuration files, as well as read access to \s-1GNOME\s0 libraries. .IP "\fIabstractions/kde\fR" 4 .IX Item "abstractions/kde" Includes read and write access to \s-1KDE\s0 configuration files, as well as read access to \s-1KDE\s0 libraries. .IP "\fIabstractions/kerberosclient\fR" 4 .IX Item "abstractions/kerberosclient" Includes file access rules needed for common kerberos clients. .IP "\fIabstractions/nameservice\fR" 4 .IX Item "abstractions/nameservice" Includes file rules to allow \s-1DNS, LDAP, NIS, SMB,\s0 user and group password databases, services, and protocols lookups. .IP "\fIabstractions/perl\fR" 4 .IX Item "abstractions/perl" Includes read access to perl modules. .IP "\fIabstractions/user\-download\fR" 4 .IX Item "abstractions/user-download" .PD 0 .IP "\fIabstractions/user\-mail\fR" 4 .IX Item "abstractions/user-mail" .IP "\fIabstractions/user\-manpages\fR" 4 .IX Item "abstractions/user-manpages" .IP "\fIabstractions/user\-tmp\fR" 4 .IX Item "abstractions/user-tmp" .IP "\fIabstractions/user\-write\fR" 4 .IX Item "abstractions/user-write" .PD Some profiles for typical \*(L"user\*(R" programs will use these include files to describe rights that users have in the system. .IP "\fIabstractions/wutmp\fR" 4 .IX Item "abstractions/wutmp" Includes write access to files used to maintain \fIwtmp\fR\|(5) and \fIutmp\fR\|(5) databases, used with the w(1) and associated commands. .IP "\fIabstractions/X\fR" 4 .IX Item "abstractions/X" Includes read access to libraries, configuration files, X authentication files, and the X socket. .PP The abstractions stored in \fI/etc/apparmor.d/program\-chunks/\fR are intended for use by specific program suites, and are not generally useful. .PP Some of the abstractions rely on variables that are set in files in the \&\fI/etc/apparmor.d/tunables/\fR directory. These variables are currently \&\fB@{\s-1HOME\s0}\fR and \fB@{\s-1HOMEDIRS\s0}\fR. Variables cannot be set in profile scope; they can only be set before the profile. Therefore, any profiles that use abstractions should either \fB#include \fR or otherwise ensure that \fB@{\s-1HOME\s0}\fR and \fB@{\s-1HOMEDIRS\s0}\fR are set before starting the profile definition. The \fIaa\-autodep\fR\|(8) and \fIaa\-genprof\fR\|(8) utilities will automatically emit \fB#include \fR in generated profiles. .SH "EXAMPLE" .IX Header "EXAMPLE" An example AppArmor profile: .PP .Vb 2 \& # a variable definition in the preamble \& @{HOME} = /home/*/ /root/ \& \& # a comment about foo. \& /usr/bin/foo { \& /bin/mount ux, \& /dev/{,u}random r, \& /etc/ld.so.cache r, \& /etc/foo.conf r, \& /etc/foo/* r, \& /lib/ld\-*.so* rmix, \& /lib/lib*.so* r, \& /proc/[0\-9]** r, \& /usr/lib/** r, \& /tmp/foo.pid wr, \& /tmp/foo.* lrw, \& /@{HOME}/.foo_file rw, \& /usr/bin/baz Cx \-> baz, \& \& # a comment about foo\*(Aqs hat (subprofile), bar. \& ^bar { \& /lib/ld\-*.so* rmix, \& /usr/bin/bar rmix, \& /var/spool/* rwl, \& } \& \& # a comment about foo\*(Aqs subprofile, baz. \& profile baz { \& #include \& owner /proc/[0\-9]*/stat r, \& /bin/bash ixr, \& /var/lib/baz/ r, \& owner /var/lib/baz/* rw, \& } \& } .Ve .SH "FILES" .IX Header "FILES" .IP "\fI/etc/init.d/boot.apparmor\fR" 4 .IX Item "/etc/init.d/boot.apparmor" .PD 0 .IP "\fI/etc/apparmor.d/\fR" 4 .IX Item "/etc/apparmor.d/" .PD .SH "KNOWN BUGS" .IX Header "KNOWN BUGS" .IP "\(bu" 4 Mount options support the use of pattern matching but mount flags are not correctly intersected against specified patterns. Eg, 'mount options=**,' should be equivalent to 'mount,', but it is not. (\s-1LP:\s0 #965690) .IP "\(bu" 4 The fstype may not be matched against when certain mount command flags are used. Specifically fstype matching currently only works when creating a new mount and not remount, bind, etc. .IP "\(bu" 4 Mount rules with multiple 'options' conditionals are not applied as documented but instead merged such that 'options in (ro,nodev) options in (atime)' is equivalent to 'options in (ro,nodev,atime)'. .IP "\(bu" 4 When specifying mount options with the 'in' conditional, both the positive and negative values match when specifying one or the other. Eg, 'rw' matches when \&'ro' is specified and 'dev' matches when 'nodev' is specified such that \&'options in (ro,nodev)' is equivalent to 'options in (rw,dev)'. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIapparmor\fR\|(7), \fIapparmor_parser\fR\|(8), \fIaa\-complain\fR\|(1), \&\fIaa\-enforce\fR\|(1), \fIaa_change_hat\fR\|(2), \fImod_apparmor\fR\|(5), and .