Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New feature: re-attached path #559

Open
1 of 2 tasks
roddhjav opened this issue Oct 14, 2024 · 1 comment
Open
1 of 2 tasks

New feature: re-attached path #559

roddhjav opened this issue Oct 14, 2024 · 1 comment

Comments

@roddhjav
Copy link
Owner

roddhjav commented Oct 14, 2024
edited
Loading

For more context, see https://apparmor.pujol.io/development/internal/#re-attached-path

AppAmor 4.0 provides the attach_disconnect.path flag allowing to reattach this path to a prefix that is not /. When used it provides an important security improvement from AppArmor 3.0.

The plan is to uses attach_disconnect.path by default and automatically on all profiles with the attach_disconnect flag. The attached path is set to a @{att}, a new dynamically generated variable set at build time in the preamble of all profile to be:

  • @{att}=/att/<profile_name> for profile with attach_disconnect flag.
  • @{att}=/ for other profiles
  • When the feature is disabled (for abi3), the variable is defined as a global tunable and set to @{att}=/

Internal

  • New abstractions/attached/base abstraction
  • New abstractions/attached/consoles abstraction
  • New attach build tasks:
    • Add the attach_disconnected.path flag on all profile with the attach_disconnected flag
    • Add the attached/base abstraction in the profile
  • Fallback for ABI3: globally defined @{att}=/

Tasks
roddhjav added a commit that referenced this issue Oct 14, 2024
@roddhjav
fix(profile): ensure abi3 compatibility with re-attached path.
0dbc42e 
See  #559, #558 #557 #555
This was referenced Oct 14, 2024
Closed
Closed
Closed
@roddhjav roddhjav pinned this issue Oct 14, 2024
@curiosityseeker
Copy link
Contributor

curiosityseeker commented Oct 18, 2024
edited
Loading

The plan is to uses attach_disconnect.path by default and automatically on all profiles with the attach_disconnect flag. The attached path is set to a @{att}, a new dynamically generated variable set at build time in the preamble of all profile to be:

* `@{att}=/att/<profile_name>` for profile with `attach_disconnect` flag.

* `@{att}=/` for other profiles

This is what I don't understand. @{att}=/att/<profile_name> is for profiles with the attach_disconnect flag - okay. But @{att}=/ for other profiles, i.e. without the attach_disconnect flag? Why should this be needed for such profiles at all? That sounds to me like a oxymoron :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@roddhjav @curiosityseeker