Origin: upstream, lp:apparmor
Subject: add mount rule syntax and usage.
revno: 2023 through 2026
committer: Jamie Strandboge <jamie@canonical.com>
timestamp: Wed 2012-04-11 16:34:22 -0500
parser/apparmor.d.pod: add mount rule syntax and usage. Refinements and
clarifications thanks to Steve Beattie.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Attached is a patch to add --stderr to the common rules for generating
manpages (and adjust it so that it's one rule instead of eight). It
also fixes the above problem and a similar problem in the aa-exec
common/Make.rules | 25 ---
parser/apparmor.d.pod | 332 +++++++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 330 insertions(+), 29 deletions(-)
Index: b/common/Make.rules
28
===================================================================
29
--- a/common/Make.rules
30
+++ b/common/Make.rules
31
@@ -206,29 +206,8 @@ install_manpages: $(MANPAGES)
33
MAN_RELEASE="AppArmor ${VERSION}"
36
- $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=1 > $@
39
- $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=2 > $@
42
- $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=3 > $@
45
- $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=4 > $@
48
- $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=5 > $@
51
- $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=6 > $@
54
- $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=7 > $@
57
- $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=8 > $@
58
+%.1 %.2 %.3 %.4 %.5 %.6 %.7 %.8: %.pod
59
+ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --stderr --section=$(subst .,,$(suffix $@)) > $@
62
$(POD2HTML) --header --css apparmor.css --infile=$< --outfile=$@
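Review bot: The new pattern recipe `$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --stderr --section=$(subst .,,$(suffix $@)) > $@` opens the target through shell redirection before pod2man runs, so if pod2man exits non-zero (its diagnostics now go to stderr rather than into the page) an empty or truncated `$@` is left behind and later make runs treat that broken manpage as up to date. Writing to a temporary file and renaming only on success, `... > $@.tmp && mv $@.tmp $@`, or adding `.DELETE_ON_ERROR:` to Make.rules, avoids installing a bad page. Collapsing the eight per-section rules into one multi-target pattern rule looks correct since each .pod maps to a single section, but GNU make treats a multi-target pattern rule as producing all listed targets from one recipe run, which is worth a one-line comment above the rule for the next maintainer.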
63
Index: b/parser/apparmor.d.pod
64
===================================================================
65
--- a/parser/apparmor.d.pod
66
+++ b/parser/apparmor.d.pod
67
@@ -54,7 +54,7 @@ B<COMMENT> = '#' I<TEXT>
69
B<TEXT> = any characters
71
-B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
72
+B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | I<MOUNT RULE> | I<FILE RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
74
B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
76
@@ -75,11 +75,37 @@ B<PROGRAMHAT> = '^' (non-whitespace cha
78
B<PROGRAMCHILD> = I<SUBPROFILE> name
80
+B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> | I<PIVOT ROOT> )
82
+B<MOUNT> = [ 'audit' ] [ 'deny' ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ -> [ I<MOUNTPOINT FILEGLOB> ]
84
+B<REMOUNT> = [ 'audit' ] [ 'deny' ] 'remount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>
86
+B<UMOUNT> = [ 'audit' ] [ 'deny' ] 'umount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>
88
+B<PIVOT ROOT> = [ 'audit' ] [ 'deny' ] pivot_root [ I<OLD ABS PATH> ] [ I<MOUNTPOINT ABS PATH> ] [ -> I<PROGRAMCHILD> ]
90
+B<MOUNT CONDITIONS> = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) I<MOUNT FSTYPE EXPRESSION> ] [ 'options' ( '=' | 'in' ) I<MOUNT FLAGS EXPRESSION> ]
92
+B<MOUNT FSTYPE EXPRESSION> = ( I<MOUNT FSTYPE LIST> | I<MOUNT EXPRESSION> )
94
+B<MOUNT FSTYPE LIST> = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, devfs, etc)
96
+B<MOUNT FLAGS EXPRESSION> = ( I<MOUNT FLAGS LIST> | I<MOUNT EXPRESSION> )
98
+B<MOUNT FLAGS LIST> = Comma separated list of I<MOUNT FLAGS>.
100
+B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'nodirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'move' | 'rec' | 'verbose' | 'silent' | 'load' | 'acl' | 'noacl' | 'unbindable' | 'private' | 'slave' | 'shared' | 'relative' | 'norelative' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
102
+B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
104
+B<AARE> = B<?*[]{}^> (see below for meanings)
106
B<FILE RULE> = I<RULE QUALIFIER> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS> ','
108
B<RULE QUALIFIER> = [ 'audit' ] [ 'deny' ] [ 'owner' ]
110
-B<FILEGLOB> = (must start with '/' (after variable expansion), B<?*[]{}^> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
111
+B<FILEGLOB> = (must start with '/' (after variable expansion), B<AARE> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
113
B<ACCESS> = ( 'r' | 'w' | 'l' | 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx -> ' I<PROGRAMCHILD> | 'Cx -> ' I<PROGRAMCHILD> | 'm' ) [ I<ACCESS> ... ] (not all combinations are allowed; see below.)
115
@@ -303,10 +329,6 @@ access is not granted, some capabilities
116
arbitrary access to IPC, ability to bypass discretionary access controls,
117
and other operations that are typically reserved for the root user.
119
-The only operations that cannot be controlled in this manner are mount(2),
120
-umount(2), and loading new AppArmor policy into the kernel, which are
121
-always denied to confined processes.
125
AppArmor supports simple coarse grained network mediation. The network
126
@@ -328,6 +350,281 @@ eg.
127
network inet tcp, #allow access to tcp only for inet4 addresses
128
network inet6 tcp, #allow access to tcp only for inet6 addresses
132
+AppArmor supports mount mediation and allows specifying filesystem types and
133
+mount flags. The syntax of mount rules in AppArmor is based on the mount(8)
134
+command syntax. Mount rules must contain one of the mount, remount, umount or
135
+pivot_root keywords, but all mount conditions are optional. Unspecified
136
+optional conditionals are assumed to match all entries (eg, not specifying
137
+fstype means all fstypes are matched). Due to the complexity of the mount
138
+command and how options may be specified, AppArmor allows specifying
139
+conditionals three different ways:
145
+If a conditional is specified using '=', then the rule only grants permission
146
+for mounts matching the exactly specified options. For example, an AppArmor
147
+policy with the following rule:
151
+mount options=ro /dev/foo -> /mnt/,
159
+$ mount -o ro /dev/foo /mnt
163
+but not either of these:
167
+$ mount -o ro,atime /dev/foo /mnt
169
+$ mount -o rw /dev/foo /mnt
175
+If a conditional is specified using 'in', then the rule grants permission for
176
+mounts matching any combination of the specified options. For example, if an
177
+AppArmor policy has the following rule:
181
+mount options in (ro,atime) /dev/foo -> /mnt/,
185
+all of these mount commands will match:
189
+$ mount -o ro /dev/foo /mnt
191
+$ mount -o ro,atime /dev/foo /mnt
193
+$ mount -o atime /dev/foo /mnt
197
+but none of these will:
201
+$ mount -o ro,sync /dev/foo /mnt
203
+$ mount -o ro,atime,sync /dev/foo /mnt
205
+$ mount -o rw /dev/foo /mnt
207
+$ mount -o rw,noatime /dev/foo /mnt
209
+$ mount /dev/foo /mnt
215
+If multiple conditionals are specified in a single mount rule, then the rule
216
+grants permission for each set of options. This provides a shorthand when
217
+writing mount rules which might help to logically break up a conditional. For
218
+example, if an AppArmor policy has the following rule:
222
+mount options=ro options=atime
226
+both of these mount commands will match:
230
+$ mount -o ro /dev/foo /mnt
232
+$ mount -o atime /dev/foo /mnt
236
+but this one will not:
240
+$ mount -o ro,atime /dev/foo /mnt
246
+Note that separate mount rules are distinct and the options do not accumulate.
247
+For example, these AppArmor mount rules:
252
+mount options=atime,
256
+are not equivalent to either of these mount rules:
260
+mount options=(ro,atime),
262
+mount options in (ro,atime),
266
+To help clarify the flexibility and complexity of mount rules, here are some
267
+example rules with accompanying matching commands:
273
+the 'mount' rule without any conditionals is the most generic and allows any
274
+mount. Equivalent to 'mount fstype=** options=** ** -> /**'.
276
+=item B<mount /dev/foo,>
278
+allow mounting of /dev/foo anywhere with any options. Some matching mount
283
+$ mount /dev/foo /mnt
285
+$ mount -t ext3 /dev/foo /mnt
287
+$ mount -t vfat /dev/foo /mnt
289
+$ mount -o ro,atime,noexec,nodiratime /dev/foo /srv/some/mountpoint
293
+=item B<mount options=ro /dev/foo,>
295
+allow mounting of /dev/foo anywhere, as read only. Some matching mount
300
+$ mount -o ro /dev/foo /mnt
302
+$ mount -o ro /dev/foo /some/where/else
306
+=item B<mount options=(ro,atime) /dev/foo,>
308
+allow mount of /dev/foo anywhere, as read only and using inode access times.
309
+Some matching mount commands:
313
+$ mount -o ro,atime /dev/foo /mnt
315
+$ mount -o ro,atime /dev/foo /some/where/else
319
+=item B<mount options in (ro,atime) /dev/foo,>
321
+allow mount of /dev/foo anywhere using some combination of 'ro' and 'atime'
322
+(see above). Some matching mount commands:
326
+$ mount -o ro /dev/foo /mnt
328
+$ mount -o atime /dev/foo /some/where/else
330
+$ mount -o ro,atime /dev/foo /some/other/place
334
+=item B<mount options=ro /dev/foo, mount options=atime /dev/foo,>
336
+allow mount of /dev/foo anywhere as read only, and allow mount of /dev/foo
337
+anywhere using inode access times. Note this is expressed as two different
342
+$ mount -o ro /dev/foo /mnt/1
344
+$ mount -o atime /dev/foo /mnt/2
348
+=item B<< mount -> /mnt/**, >>
350
+allow mounting anything under a directory in /mnt/**. Some matching mount
355
+$ mount /dev/foo1 /mnt/1
357
+$ mount -o ro,atime,noexec,nodiratime /dev/foo2 /mnt/deep/path/foo2
361
+=item B<< mount options=ro -> /mnt/**, >>
363
+allow mounting anything under /mnt/**, as read only. Some matching mount
368
+$ mount -o ro /dev/foo1 /mnt/1
370
+$ mount -o ro /dev/foo2 /mnt/deep/path/foo2
374
+=item B<< mount fstype=ext3 options=(rw,atime) /dev/sdb1 -> /mnt/stick/, >>
376
+allow mounting an ext3 filesystem in /dev/sdb1 on /mnt/stick as read/write and
377
+using inode access times. Matches only:
381
+$ mount -o rw,atime /dev/sdb1 /mnt/stick
385
+=item B<< mount options=(ro, atime) options in (nodev, user) /dev/foo -> /mnt/, >>
387
+allow mounting /dev/foo on /mmt/ read only and using inode access times or
388
+allow mounting /dev/foo on /mnt/ with some combination of 'nodev' and 'user'.
393
+$ mount -o ro,atime /dev/foo /mnt
395
+$ mount -o nodev /dev/foo /mnt
397
+$ mount -o user /dev/foo /mnt
399
+$ mount -o nodev,user /dev/foo /mnt
407
AppArmor's policy language allows embedding variables into file rules
408
@@ -605,6 +902,29 @@ An example AppArmor profile:
416
+Mount options support the use of pattern matching but mount flags are not
417
+correctly intersected against specified patterns. Eg, 'mount options=**,'
418
+should be equivalent to 'mount,', but it is not. (LP: #965690)
420
+The fstype may not be matched against when certain mount command flags are
421
+used. Specifically fstype matching currently only works when creating a new
422
+mount and not remount, bind, etc.
424
+Mount rules with multiple 'options' conditionals are not applied as documented
425
+but instead merged such that 'options in (ro,nodev) options in (atime)' is
426
+equivalent to 'options in (ro,nodev,atime)'.
428
+When specifying mount options with the 'in' conditional, both the positive and
429
+negative values match when specifying one or the other. Eg, 'rw' matches when
430
+'ro' is specified and 'dev' matches when 'nodev' is specified such that
431
+'options in (ro,nodev)' is equivalent to 'options in (rw,dev)'.
437
apparmor(7), apparmor_parser(8), aa-complain(1),
438
Index: b/utils/aa-exec.pod
439
===================================================================
440
--- a/utils/aa-exec.pod
441
+++ b/utils/aa-exec.pod
442
@@ -82,6 +82,8 @@ arguments after the -- are treated as ar
443
useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
450
If you find any bugs, please report them at