Low level interfaces to the AppArmor kernel module
read: current confinement of a task
This file contains the name of the currently confining profile,
which may be optionally followed by the profile mode in
parenthesis. The name is not null terminated nor followed by
a new line. If the task is not confined the file will contain
the word unconfined.
write: interface for change_hat, change_profile, set_profile
Writing to this file is the control interface for change_hat,
change_profile. The ability to successfully write a given
command depends on the profiles confinement and rules. The
command must be written entirely in a single write and it
does not need to be null terminated.
The change hat command allows transitioning of a task
between a main profile and special hat profiles. The
<hat name> is the name of a hat as it would appear in a
profile. The token is an unsigned decimal or hexadecimal
number in ascii. This command can only be issued by a task
to it self. The basic format of the command is
- entering a hat or changing between sibling hats To enter a hat or change between hats a valid hat name must be given followed by a token, which is required to leave the hat. If the profile is currently in a hat and trying to change to a sibling hat then the token passed must be the same as was used to enter the current hat. If the hat is successfully entered the token is remembered and must be matched to change out of the hat via the change hat interface; e.g.: ```
- returning from a hat To return from a hat, the change hat command is issued without a profile name, and with a token value matching the token that was used to do the initial change hat. If the change hat call is successful the task returns to the parent profile and the token is forgotten, allowing for new change hat calls using different tokens; e.g.: ```
- errors Change hat can fail for a number of reasons, and it returns different error codes depending on the failure. - EINVAL: invalid leading command word (missing space between command and args?), no command args, invalid token, invalid hat name, no hat name and zero token - EACCES: change\_hat command issued by another task, or task is being ptraced and new hat is not allowed by trace - EPERM: change\_hat by unconfined task - ENOMEM: out of memory - ENOENT: hat not found - killed: the task will be killed if it is currently in a hat and it passes a token that does not match the currently stored token. - change hatv ???? - change profile ```
relative names (eg. child and hat profiles, direct transition????
- change profilev ????
/proc//attr/prev - AppArmor v2.4
read: This file provides the profile name of the parent profile when the task is confined by a hat profile. This file is empty when a task is unconfined or does not have a parent profile to return to.
/proc//attr/exec - change_profile on exec
/proc//attr/fscreate - unused
/proc//attr/keycreate - unused
/proc//attr/sockcreate - unused
securityfs - /sys/kernel/security/apparmor
AppArmor presents a filesystem under securityfs that provides policy
management and introspection as well as introspection into the modules
These files provide for loading, replacing, and removing profiles and
profile namespaces. The loading and removal interfaces take data in
the binary profile format, while the remove
interface takes a profile name.