PolicyDB encoding policy into an HFA.
Related Documents
- AppArmor Technical documentation
- Format of the DFA/HFA
- PolicyDB the encoding of policy rules into the HFA
- Encoding permissions
- Putting it altogether relationship of Policy and DFA/HFA
- Steps in generating the DFA/HFA
Overview
The PolicyDB is the state machine that matches permission requests against the permissions granted by a profile.
AppArmor 3.0 introduced the PolicyDB, which extends the use of the HFA beyond file rules to other mediation types. The PolicyDB allows generic queries to be made against AppArmor policy using just the HFA. For backwards compatibility, masks and some other structures are retained and used, but all of the information is also recorded in the PolicyDB.
The layout of the PolicyDB can be thought of as a tree that begins at the HFA start state. From there a single-byte transition, selected by the type (class) of the permission request, finds the rules governing that type. Further transitions within a type lead to more specific sub-types and eventually to a match that can be used to determine permissions.
Example: doing
file_rules_start_state = next_state(PolicyDB, start_state, AA_FILE_TYPE)
will find the file rules within the PolicyDB. Note that file rules are stored in a backwards compatible manner, so direct access is also possible by specifying an alternate start state for the file rules.
Each kind of permission request has a defined type, with unknown types reserved for future expansion. The layout and ordering of matching within a given type is tailored to the input of that type's permission request, so each type has its own layout and high-level match routine.
The currently defined classes for the PolicyDB are:
- AA_CLASS_CAP
- AA_CLASS_FILE
- AA_CLASS_ATTACH
- AA_CLASS_ENV
- AA_CLASS_ARGV
- AA_CLASS_MOUNT
- AA_CLASS_NET
- AA_CLASS_PIPE
- AA_CLASS_SYSV_MSGQ
- AA_CLASS_SYSV_SEM
- AA_CLASS_SYSV_SHMEM
- AA_CLASS_SIGNAL
- AA_RLIMIT_CLASS
- AA_MEMORY_CLASS
- AA_CPU_CLASS
- AA_CLASS_AUDIT
- AA_CLASS_KEY
- AA_CLASS_DBUS
- AA_CLASS_X
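The walk described above (start state, one class byte, then the type-specific encoding of the request) written out as a toy C model. This is an added example, not AppArmor's kernel or parser code. The class byte values, the permission bits, the signal encoding (signal number byte followed by the peer label) and the sample rules are assumptions for illustration only; the real kernel keeps the DFA comb-compressed (default/base/next/check tables) rather than as a full 256-column table, but the lookup path is the same.

```c
/* Toy model of PolicyDB lookups (added example, not AppArmor's own code).
 * A full 256-column transition table is used for readability. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NSTATES 64
#define DEAD    0   /* reject state: every byte loops back here */
#define START   1   /* HFA start state */

/* Assumed class byte values and permission bits (illustrative only). */
enum { AA_CLASS_FILE = 2, AA_CLASS_SIGNAL = 10 };
enum { PERM_WRITE = 0x2, PERM_READ = 0x4, PERM_SIGNAL_SEND = 0x10 };

static uint16_t next_tab[NSTATES][256];   /* next_tab[state][byte] */
static uint32_t accept_tab[NSTATES];      /* permissions granted at a state */
static uint16_t nstates;
static uint16_t file_start;               /* alternate start state for file rules */
static int built;

static uint16_t new_state(void) { return nstates++; }

/* One transition, the equivalent of next_state(PolicyDB, s, byte) in the text. */
static uint16_t next_state(uint16_t s, unsigned char c) { return next_tab[s][c]; }

/* Lay down a chain of transitions for str from 'from'; returns the last state.
 * Shared prefixes reuse existing states, so "/etc/passwd" and "/tmp/" branch after '/'. */
static uint16_t add_string(uint16_t from, const char *str) {
    for (; *str; str++) {
        unsigned char c = (unsigned char)*str;
        if (next_tab[from][c] == DEAD)
            next_tab[from][c] = new_state();
        from = next_tab[from][c];
    }
    return from;
}

static void build_policydb(void) {
    uint16_t s, signal_start;
    memset(next_tab, 0, sizeof next_tab);
    memset(accept_tab, 0, sizeof accept_tab);
    nstates = 2;                                   /* DEAD and START already exist */

    /* Class subtrees hang off START by a single class byte. Every other class
     * byte is left pointing at DEAD, so unknown/unused types are denied. */
    file_start   = new_state(); next_tab[START][AA_CLASS_FILE]   = file_start;
    signal_start = new_state(); next_tab[START][AA_CLASS_SIGNAL] = signal_start;

    /* File rules (constructed): "/etc/passwd r," and "/tmp/** w," (** = self-loop). */
    accept_tab[add_string(file_start, "/etc/passwd")] = PERM_READ;
    s = add_string(file_start, "/tmp/");
    for (int c = 1; c < 256; c++) next_tab[s][c] = s;
    accept_tab[s] = PERM_WRITE;

    /* Signal rule (constructed, assumed encoding): signal number byte, then peer label.
     * Models "signal (send) set=(term) peer=/usr/bin/foo,"; 15 = SIGTERM. */
    s = next_tab[signal_start][15] = new_state();
    accept_tab[add_string(s, "/usr/bin/foo")] = PERM_SIGNAL_SEND;
    built = 1;
}

static void ensure_built(void) { if (!built) build_policydb(); }

/* Walk str from state s; returns the permissions at the final state, which is
 * 0 for DEAD and for a non-accepting intermediate state (a bare prefix). */
static uint32_t match_string(uint16_t s, const char *str) {
    for (; *str && s != DEAD; str++)
        s = next_state(s, (unsigned char)*str);
    return accept_tab[s];
}

/* Generic route: START -> class byte -> type-specific input. */
uint16_t class_root(unsigned char cls) { ensure_built(); return next_state(START, cls); }
uint16_t file_rules_start_state(void)  { return class_root(AA_CLASS_FILE); }
uint32_t query_file(const char *path)  { return match_string(file_rules_start_state(), path); }

/* Backwards-compatible route: start directly at the file rules' own start state. */
uint32_t query_file_direct(const char *path) { ensure_built(); return match_string(file_start, path); }

uint32_t query_signal(int signum, const char *peer) {
    uint16_t s = next_state(class_root(AA_CLASS_SIGNAL), (unsigned char)signum);
    return match_string(s, peer);
}

int main(void) {
    printf("/etc/passwd  -> 0x%x\n", query_file("/etc/passwd"));
    printf("/etc/pass    -> 0x%x\n", query_file("/etc/pass"));
    printf("/tmp/app.log -> 0x%x\n", query_file("/tmp/app.log"));
    printf("SIGTERM foo  -> 0x%x\n", query_signal(15, "/usr/bin/foo"));
    printf("SIGKILL foo  -> 0x%x\n", query_signal(9, "/usr/bin/foo"));
    return 0;
}
```

Three things the model makes visible: the generic route and the direct route land on the same file start state, so both answer identically; a class byte with no subtree goes straight to DEAD, which is how reserved/unknown types deny by construction; and a request that stops on a bare prefix ("/etc/pass") or runs past a rule ("/etc/passwdx") yields no permissions because only the state reached after consuming the whole input is consulted.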