Différences

Ci-dessous, les différences entre deux révisions de la page.

--- systeme:apparmor [2015/08/15 09:49] – [Type de permission] root
+++ systeme:apparmor [2015/08/15 10:27] – [apparmor_parser] root
@@ Ligne 14: / Ligne 14: @@
   * **a** : Append mode (mutually exclusive to w)
   * **k** : File locking mode
-  * **px** : Discrete profile execute mode
+  * **x** : Execute
-  * **Px** : Discrete profile execute mode—clean exec
+    * **ux** : Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases
-  * **ux** : Unconstrained execute mode
+    * **Ux** : Execute unconfined (scrub the environment)
-  * **Ux** : Unconstrained execute mode—clean exec
+    * **px** : Execute under a specific profile (preserve the environment) -- WARNING: should only be used in special cases
-  * **ix** : Inherit execute mode
+    * **Px** : Execute under a specific profile (scrub the environment)
+    * **pix** : as px but fallback to inheriting the current profile if the target profile is not found
+    * **Pix** : as Px but fallback to inheriting the current profile if the target profile is not found
+    * **pux** : as px but fallback to executing unconfined if the target profile is not found
+    * **Pux** : as Px but fallback to executing unconfined if the target profile is not found
+    * **ix** : Execute and inherit the current profile
+    * **cx** : Execute and transition to a child profile (preserve the environment)
+    * **Cx** : Execute and transition to a child profile (scrub the environment)
+    * **cix** : as cx but fallback to inheriting the current profile if the target profile is not found
+    * **Cix** : as Cx but fallback to inheriting the current profile if the target profile is not found
+    * **cux** : as cx but fallback to executing unconfined if the target profile is not found
+    * **Cux** : as Cx but fallback to executing unconfined if the target profile is not found
   * **m** : Allow PROT_EXEC with mmap(2) calls
   * **l** : Link mode
@@ Ligne 25: / Ligne 36: @@
   * **deny** : explicitly deny, without logging
   * **audit deny** : combination to explicitly deny, but log
-  * **quiet** : Enlève le flag audit
+  * **quiet** : clears audit qualifier off of rules. Does it take precedence over audit like deny over allow
 <code>
@@ Ligne 53: / Ligne 64: @@
 owner=(fred george)
 owner=(fred 1001)
+</code>
+  * **Child profile (cx)** :
+<code>
+ /parent/profile {
+     /path/to/child1 cx -> child1,
+     /path/to/child2 cx,
+     /path/to/* cx,           # for * matching child3 will transition to child3,
+                              # child4, child5, ... will transition to /path/to/child*
+                              # if matching child profile does not exist will fail
+     /another/path/to/* cx -> child1,        # send all matching execs to child1
+     profile child1 {
+     }
+     profile /path/to/child2 {
+     }
+     profile /path/to/child3 {
+     }
+     # generic fall back profile
+     profile /path/to/child* {
+     }
+  }
 </code>
 ====== Activer apparmor ======
@@ Ligne 135: / Ligne 176: @@
 ===== apparmor_parser =====
+  * Voir ce qu'il y a de charger dans le profil apache2 :
+<xtermrtf>
+$ apparmor_parser -Q --debug /etc/apparmor.d/usr.sbin.apache2
+</xtermrtf>
+<xtermrtf>
+$ apparmor_parser -p /etc/apparmor.d/usr.sbin.apache2
+</xtermrtf>
   * Recharger le profile ping :
 <xtermrtf>
 $ apparmor_parser -r /etc/apparmor.d/bin.ping
 </xtermrtf>