tunables: additional system & user helper variables. (!1088) · Merge requests · AppArmor / apparmor

Alex requested to merge roddhjav/apparmor:master into master Aug 19, 2023

Hi all,

This is the first MR that aims to upstream work from apparmor.d. This first MR proposes a new set tunables. The next MR will propose additional abstractions. Then the first (carefully selected) profiles will be ready to be upstreamed.

All the variables proposed here have been heavily used in apparmor.d for up to two years.

User variables

Define a large selection of XDG_*_DIR directory name to allow easy directory personalization.
Add user_*_dirs variables. They are the full path of the XDG_*_DIR. The naming comes from the existing user_share_dirs variable.

The goal is to ensure that all user data accessible by a profiled program can always be reached and configured under a user_*_dirs variable. For example:

In the pass profile: https://gitlab.com/roddhjav/apparmor.d/-/blob/main/apparmor.d/profiles-m-r/pass#L59
In a new user-read abstraction: https://gitlab.com/roddhjav/apparmor.d/-/blob/main/apparmor.d/abstractions/user-read
In git: https://gitlab.com/roddhjav/apparmor.d/-/blob/main/apparmor.d/profiles-g-l/git#L83
In thunderbird: https://gitlab.com/roddhjav/apparmor.d/-/blob/main/apparmor.d/profiles-s-z/thunderbird#L147

Therefore, a system admin could quickly personalize this directory (eg: https://apparmor.pujol.io/configuration/#personal-directories)

System variables

Generic locations for binaries and libraries across distributions: @{bin}, @{lib}
Useful variables helper that are better than using glob like [0-9]*: @{int}, @{rand6}, @{rand8}, @{rand10}, @{uuid}, @{hex}, @{pci}

A general overview of all variables available in apparmor can be read here: https://apparmor.pujol.io/variables/

Edited Aug 19, 2023 by Alex

tunables: additional system & user helper variables.

Merge request reports