Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New feature: re-attached path #559

Open
1 of 2 tasks
roddhjav opened this issue Oct 14, 2024 · 7 comments
Open
1 of 2 tasks

New feature: re-attached path #559

roddhjav opened this issue Oct 14, 2024 · 7 comments

Comments

@roddhjav
Copy link
Owner

roddhjav commented Oct 14, 2024
edited
Loading

For more context, see https://apparmor.pujol.io/development/internal/#re-attached-path

AppAmor 4.0 provides the attach_disconnect.path flag allowing to reattach this path to a prefix that is not /. When used it provides an important security improvement from AppArmor 3.0.

The plan is to uses attach_disconnect.path by default and automatically on all profiles with the attach_disconnect flag. The attached path is set to a @{att}, a new dynamically generated variable set at build time in the preamble of all profile to be:

  • @{att}=/att/<profile_name> for profile with attach_disconnect flag.
  • @{att}=/ for other profiles
  • When the feature is disabled (for abi3), the variable is defined as a global tunable and set to @{att}=/

Internal

  • New abstractions/attached/base abstraction
  • New abstractions/attached/consoles abstraction
  • New attach build tasks:
    • Add the attach_disconnected.path flag on all profile with the attach_disconnected flag
    • Add the attached/base abstraction in the profile
  • Fallback for ABI3: globally defined @{att}=/

Tasks
roddhjav added a commit that referenced this issue Oct 14, 2024
@roddhjav
fix(profile): ensure abi3 compatibility with re-attached path.
0dbc42e 
See  #559, #558 #557 #555
This was referenced Oct 14, 2024
Closed
Closed
Closed
@roddhjav roddhjav pinned this issue Oct 14, 2024
@curiosityseeker
Copy link
Contributor

curiosityseeker commented Oct 18, 2024
edited
Loading

The plan is to uses attach_disconnect.path by default and automatically on all profiles with the attach_disconnect flag. The attached path is set to a @{att}, a new dynamically generated variable set at build time in the preamble of all profile to be:

* `@{att}=/att/<profile_name>` for profile with `attach_disconnect` flag.

* `@{att}=/` for other profiles

This is what I don't understand. @{att}=/att/<profile_name> is for profiles with the attach_disconnect flag - okay. But @{att}=/ for other profiles, i.e. without the attach_disconnect flag? Why should this be needed for such profiles at all? That sounds to me like a oxymoron :)

@roddhjav
Copy link
Owner Author

roddhjav commented Oct 19, 2024
edited
Loading

As @{att} can be used in abstraction, profile without the attach_disconnect flag need to have the variable defined. It is mostly a safety measure to ensure the profiles compile.

@curiosityseeker
Copy link
Contributor

Ah, understood! Thanks!

@beroal
Copy link
Contributor

beroal commented Oct 21, 2024

As @{att} can be used in abstraction, profile without the attach_disconnect flag need to have the variable defined. It is mostly a safety measure to ensure the profiles compile.

Why not @{att}=/giekxhayfnjdhaeb?

@roddhjav
Copy link
Owner Author

@beroal Because it is not what we want. If a profile doesn't have the attach_disconnect flag it may still needs similar access but from /.

@beroal
Copy link
Contributor

beroal commented Oct 28, 2024

Is it attach_disconnect or attach_disconnected?

@roddhjav
Copy link
Owner Author

attach_disconnected

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@roddhjav @beroal @curiosityseeker