[. . . ]

Novell AppArmor 2.0.1
November 29, 2006
www.novell.com

Novell AppArmor Administration Guide

Copyright © 2006 Novell, Inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Section being this copyright notice and license. A copy of the license is included in the section entitled "GNU Free Documentation License".

Novell, the Novell logo, the N logo, openSUSE, SUSE, and the SUSE "geeko" logo are registered trademarks of Novell, Inc.

[. . . ]

         Example: an arbitrary number of path elements, including entire directories.

         Substitutes for the single character a, b, or c.
         Example: a rule that matches /home[01]/*/.plan allows a program to access .plan files for users in both /home0 and /home1.

[a-c]    Substitutes for the single character a, b, or c.

{ab,cd}  Expand to one rule to match ab and one rule to match cd.
         Example: a rule that matches /{usr,www}/pages/** to grant access to Web pages in both /usr/pages and /www/pages.

4.8 File Permission Access Modes

File permission access modes consist of combinations of the following nine modes:

r    Read mode
w    Write mode
px   Discrete profile execute mode
Px   Discrete profile execute mode--clean exec
ux   Unconstrained execute mode
Ux   Unconstrained execute mode--clean exec
ix   Inherit execute mode
m    Allow PROT_EXEC with mmap(2) calls
l    Link mode

Read Mode (r)
Allows the program to have read access to the resource. Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump or be attached to with ptrace(2) (ptrace(2) is used by utilities such as strace(1), ltrace(1), and gdb(1)).

Write Mode (w)
Allows the program to have write access to the resource.
Discrete Profile Execute Mode (px)
This mode requires that a discrete security profile is defined for a resource executed at a Novell AppArmor domain transition.

WARNING: Using the Discrete Profile Execute Mode
px does not scrub the environment of variables such as LD_PRELOAD. As a result, the calling domain may have an undue amount of influence over the callee.

Discrete Profile Execute Mode (Px)--Clean Exec
Px allows the named program to run in px mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. See ld.so(8) for some information about setuid and setgid environment scrubbing.

Unconstrained Execute Mode (ux)
Allows the program to execute the resource without any Novell AppArmor profile applied to the executed resource. This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information about what is constrained, see the apparmor(7) man page.

WARNING: Using Unconstrained Execute Mode (ux)
Use ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection. As a result, the calling domain may have an undue amount of influence over the callee. Use this mode only if the child absolutely must be run unconfined and LD_PRELOAD must be used.

Unconstrained Execute Mode (Ux)--Clean Exec
Ux allows the named program to run in ux mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. See ld.so(8) for some information about setuid and setgid environment scrubbing.

WARNING: Using Unconstrained Execute Mode (Ux)
Use Ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection.

[. . . ]

application firewalling
Novell AppArmor contains applications and limits the actions they are permitted to take. It uses privilege confinement to prevent attackers from using malicious programs on the protected server and even using trusted applications in unintended ways.

attack signature
Pattern in system or network activity that signals a possible virus or hacker attack. Intrusion detection systems might use attack signatures to distinguish between legitimate and potentially malicious activity.

[. . . ]
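As an added check that is not part of the guide or of the AppArmor tools, the following Python script applies the nine-mode table and the px/ux warnings from the file permission access modes section to the rules of a profile: it parses each rule of the assumed form "<path> <modes>,", rejects mode strings that are not combinations of the nine modes (or that carry two execute modes), and reports every rule using ux, Ux or px. The sample profile is constructed for this example.

```python
import re

# The nine file permission modes from the table above (AppArmor 2.0).
EXEC_MODES = {"px", "Px", "ux", "Ux", "ix"}
MODE_TOKEN = re.compile(r"px|Px|ux|Ux|ix|[rwml]")
# Assumed rule shape: "<absolute path or glob> <modes>," inside a profile body
# (quoted paths containing spaces are not handled here).
RULE_RE = re.compile(r"^\s*(?P<path>/\S+)\s+(?P<modes>[rwmlpPuUix]+)\s*,\s*$")

def parse_modes(mode_str):
    """Split e.g. 'rPx' into {'r', 'Px'}; reject unknown letters or two execute modes."""
    tokens = MODE_TOKEN.findall(mode_str)
    if "".join(tokens) != mode_str:
        raise ValueError(f"unknown mode letter in {mode_str!r}")
    modes = set(tokens)
    if len(modes & EXEC_MODES) > 1:
        raise ValueError(f"more than one execute mode in {mode_str!r}")
    return modes

def lint_profile(text):
    """Return (line_no, path, warning) for each rule using a mode the guide warns about."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # profile header line, closing brace, comments
        modes, path = parse_modes(m.group("modes")), m.group("path")
        if "ux" in modes:
            findings.append((n, path, "ux: child runs unconfined, caller's environment (LD_PRELOAD) kept"))
        elif "Ux" in modes:
            findings.append((n, path, "Ux: child runs unconfined (environment scrubbed)"))
        elif "px" in modes:
            findings.append((n, path, "px: environment not scrubbed; prefer Px"))
    return findings

# Constructed sample profile; not taken from the guide.
SAMPLE_PROFILE = """\
/usr/sbin/example {
  /etc/example.conf r,
  /var/log/example.log w,
  /lib/lib*.so* mr,
  /usr/bin/helper Px,
  /usr/bin/legacy-helper px,
  /sbin/reboot ux,
  /bin/sh ix,
}
"""

for n, path, warning in lint_profile(SAMPLE_PROFILE):
    print(f"line {n}: {path}: {warning}")
```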