Skip to content

AppArmor boolean RFC #672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
doublez13 wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

AppArmor boolean RFC #672

doublez13 wants to merge 3 commits into from

Conversation

@doublez13
Copy link
Contributor

@doublez13 doublez13 commented Feb 26, 2025
edited
Loading

NOTE: This PR relies on an upstream AppArmor patch that has been merged, but not included in a tagged release yet.

As I was writing a policy for yara (a malware scanner), I thought it might be useful to implement something analogous to SELinux booleans. The idea is that chunks of policy can be enabled or disabled by booleans that are controlled in a single file.

For instance, the following SELinux booleans control the policy for AV programs:

# getsebool -a | grep antivirus
antivirus_can_scan_system --> off
antivirus_use_jit --> off

# semanage boolean -l | grep antivirus
antivirus_can_scan_system      (off  ,  off)  Allow antivirus to can scan system
antivirus_use_jit              (off  ,  off)  Allow antivirus to use jit

In this yara policy, I've implemented a boolean that controls whether or not yara has permission to read and trace other processes. In my opinion, this should be disabled by default, which would only allow yara to read files. Enabling this boolean allows yara (and any other AV policy that implements it) to scan another process's memory.

This PR is just an RFC and couldn't be merged until the AppArmor patch gets in a tagged release and pushed to distros.
I'm more interested to hear opinions on whether booleans are something you think would be beneficial to the AppArmor policies.

@doublez13
Create profile for yara (uses booleans)
608e3b8
@doublez13
Create booleans
8b0191f 
The file holds booleans that can be used to control the flow of multiple policies..
@doublez13 doublez13 marked this pull request as draft February 26, 2025 16:34
@roddhjav
Copy link
Owner

roddhjav commented Feb 26, 2025
edited
Loading

This will have to wait for the feature to be supported in a released AppArmor version, but I am 100% in with this. It is actually already planned in the roadmap: https://apparmor.pujol.io/development/roadmap/#next-features:

  • Conditions
    • Integrate the new condition feature in the profiles and restrict them a lot according to the application actually in use. Eg: Gnome | KDE, X11 | Wayland, etc.
    • Create a new aa-config tool, similar to seboolean, to manage various settings, based on conditions.

@doublez13 doublez13 changed the title DO NOT MERGE: AppArmor boolean RFC AppArmor boolean RFC Apr 12, 2025
@doublez13
Copy link
Contributor Author

doublez13 commented Apr 12, 2025
edited
Loading

The required patch has landed in AppArmor 4.1.

@roddhjav
Copy link
Owner

roddhjav commented Apr 24, 2025

Sadly, full condition support has not landed in apparmor 4.1. Therefore, it will have to wait for the next version (or even possibly apparmor 5.0)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@doublez13 @roddhjav