
add klm #955

Merged
merged 1 commit into from Oct 31, 2022

Conversation

achrefbensaad (Member) commented Oct 28, 2022

Add the klm flags to the generated AppArmor profile:
r - read - permission to read data
w - write - permission to create, delete, write to a file and extend it
a - append - permission to create and extend a file. The append permission is limited in that it only gives applications permission to open a file with O_APPEND; it cannot be used to enforce that a generic file write is append-only. If an application only has the append permission in the profile and it tries to write to the file, even if it is an appending write, the write will fail.
l - link - permission to link to a file (combined with /** to determine if permissions apply to a subtree)
k - lock - permission to lock a file; combined with the write permission to determine if it has permission to take an exclusive lock
m - memory map executable - permission to memory map a file as executable
x - executable - determines if a file is executable; allow forms of the rule must be accompanied by x qualifiers. When specified as part of an allow rule it must be accompanied by qualifiers.

Signed-off-by: Achref ben saad <achref@accuknox.com>
daemon1024 (Member) previously approved these changes Oct 28, 2022
Can we add the reasoning in the description? Thanks

daemon1024 (Member)

r - read - permission to read data
w - write - permission to create, delete, write to a file and extend it
a - append - permission to create and extend a file. The append permission is limited in that it only gives applications permission to open a file with O_APPEND; it cannot be used to enforce that a generic file write is append-only. If an application only has the append permission in the profile and it tries to write to the file, even if it is an appending write, the write will fail.
l - link - permission to link to a file (combined with /** to determine if permissions apply to a subtree)
k - lock - permission to lock a file; combined with the write permission to determine if it has permission to take an exclusive lock
m - memory map executable - permission to memory map a file as executable
x - executable - determines if a file is executable; allow forms of the rule must be accompanied by x qualifiers. When specified as part of an allow rule it must be accompanied by qualifiers.

For reference.

Should we allow m? Isn't it dangerous?
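As an added example (not part of this PR or of KubeArmor's own code), a small checker that parses the file rules of a profile using the permission letters listed in the description above and reports paths where an allow rule grants m together with w or a, which is the combination behind the question about m being dangerous. The profile text and the rule grammar subset it accepts are constructed here for illustration.

```python
import re

# AppArmor file permission letters as listed in the PR description.
FILE_PERMS = {
    "r": "read", "w": "write", "a": "append", "l": "link",
    "k": "lock", "m": "memory map executable", "x": "execute",
}

# One file rule per line: optional qualifiers, a path or glob, a permission
# string (e.g. "rklm", "rix") and the closing comma. The x qualifier letters
# (i, p, P, u, U, c, C) are accepted so that rules such as "rix" parse.
RULE_RE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|deny|owner)\s+)*)"
    r"(?P<path>/\S+)\s+(?P<perms>[rwalkmxipPuUcC]+)\s*,\s*$"
)

def parse_file_rules(profile_text):
    """Return (path, perms, denied) tuples for every file rule found."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            denied = "deny" in m.group("quals").split()
            rules.append((m.group("path"), m.group("perms"), denied))
    return rules

def find_writable_mmap(profile_text):
    """Paths whose allow rule grants 'm' together with 'w' or 'a'."""
    return [
        path for path, perms, denied in parse_file_rules(profile_text)
        if not denied and "m" in perms and ("w" in perms or "a" in perms)
    ]

# Constructed sample profile, not one generated by KubeArmor.
SAMPLE_PROFILE = """
profile example-workload flags=(attach_disconnected) {
  /usr/lib/** rm,
  /tmp/** rwklm,
  /var/log/app.log a,
  /bin/sh rix,
  deny /home/** rwm,
}
"""

if __name__ == "__main__":
    for path, perms, denied in parse_file_rules(SAMPLE_PROFILE):
        names = [FILE_PERMS[c] for c in perms if c in FILE_PERMS]
        print(("deny " if denied else "") + path, perms, names)
    print("writable and mmap-executable:", find_writable_mmap(SAMPLE_PROFILE))
```

Only /tmp/** is reported: the deny rule is skipped, and rules granting m without a write permission (/usr/lib/** rm) are left alone.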

daemon1024 dismissed their stale review October 28, 2022 07:24

Need further discussion

daemon1024 self-requested a review October 28, 2022 07:24

nyrahul (Contributor) commented Oct 29, 2022

We can add some more context for the m flag here. Let's discuss in the next call.

@achrefbensaad, what is the use-case/scenario satisfied by this change?

nyrahul merged commit 7fdfe6d into kubearmor:main Oct 31, 2022