File: aa-exec.pod

package info (click to toggle)
apparmor 4.1.0-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 34,800 kB
  • sloc: ansic: 24,940; python: 24,595; sh: 12,524; cpp: 9,024; yacc: 2,061; makefile: 1,921; lex: 1,215; pascal: 1,145; perl: 1,033; ruby: 365; lisp: 282; exp: 250; java: 212; xml: 159
file content (196 lines) | stat: -rw-r--r-- 6,480 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
 
# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#


=pod

=head1 NAME

aa-exec - confine a program with the specified AppArmor profile

=head1 SYNOPSIS

B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]

=head1 DESCRIPTION

B<aa-exec> is used to launch a program confined by the specified profile
and or namespace.  If both a profile and namespace are specified command
will be confined by profile in the new policy namespace.  If only a namespace
is specified, the profile name of the current confinement will be used.  If
neither a profile or namespace is specified command will be run using
standard profile attachment (ie. as if run without the aa-exec command).

If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
by aa-exec then -- should be used to separate aa-exec arguments from the
command.
  aa-exec -p profile1 -- ls -l

=head1 OPTIONS
B<aa-exec> accepts the following arguments:

=over 4

=item -p PROFILE, --profile=PROFILE

confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
use the current profile name (likely unconfined).

=item -n NAMESPACE, --namespace=NAMESPACE

use profiles in NAMESPACE.  This will result in confinement transitioning
to using the new profile namespace.

=item -i, --immediate

transition to PROFILE before doing executing I<E<lt>commandE<gt>>.  This
subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
of the current profile.

=item -v, --verbose

show commands being performed

=item -d, --debug

show commands and error codes

=item --

Signal the end of options and disables further option processing. Any
arguments after the -- are treated as arguments of the command.  This is
useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
aa-exec.

=back

=head1 RESTRICTIONS

aa-exec uses I<aa_change_profile(3)> to change application confinement.
The use of I<aa_change_profile(3)> may be restricted by policy in ways
that will cause failure or results different than expected.

Even when using I<aa-exec> from unconfined restrictions in policy can
causes failure or the confinement entered to be different than requested

See the unpriviled unconfined restriction documentation for more detail.
https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction

=head1 STACKING

aa-exec can be used to setup a stack of profiles as confinement. When an
application is confined by a stack, all profiles in the stack are checked
as if they were the profile confining the application. The resulting
mediation is the intersection of what is allowed by each profile in the
stack.

The profiles in a stack are treated independently. Each profile can have
its own flags and profile transitions. During an exec each profile gets
to specify its transition and the results brought together to form a
new canonicalized stack.

The profile separator indicating a stack is the character sequence I<//&>.
Thus a stack can be expressed using

=over 4

  $ aa-exec -p "unconfined//&firefox" -- bash
  $ ps -Z
  LABEL                               PID TTY          TIME CMD
  unconfined                        30714 pts/12   00:00:00 bash
  firefox//&unconfined (unconfined) 31160 pts/12   00:00:00 bash
  firefox//&unconfined (unconfined) 31171 pts/12   00:00:00 ps

=back

=head1 NAMESPACES

aa-exec can be used to enter confinement in another policy namespace
if the policy namespaces exists, is visible, and the profile exists in
the namespace. Note applications launched within the namespace will
not be able to exit the namespace, and may be restricted by additional
confinement around namespacing. Files and resources visible to the
parent that launches the application may not be visible in the policy
namespace resulting in access denials.

To enter a policy namespace the profile is prefixed with the namespace's
name, using a I<:> prefix and suffix.

Eg.

=over 4

  $ aa-exec -p :ex1:unconfined -- bash
  $ ps -Z
  LABEL                               PID TTY          TIME CMD
  -                                 30714 pts/12   00:00:00 bash
  unconfined                        34372 pts/12   00:00:00 bash
  unconfined                        34379 pts/12   00:00:00 ps

=back

Confinement of processes outside of the namespace may not be visible
in which case the confinement will be represented with a -. If policy
is stacked only part of the confinement might be visible. However
confinement is usually fully visible from the parent policy namespace.

Eg. the confinement of the child can be queried in the parent to see

=over 4

  $ ps -Z 34372
  LABEL                               PID TTY      STAT   TIME COMMAND
  :ex1:unconfined                   34372 pts/12   S+     0:00 bash

=back

And in the case of stacking with namespaces

=over 4

  $ aa-exec -p "unconfined//&:ex1:unconfined" -- bash
  $ ps -Z
  LABEL                               PID TTY          TIME CMD
  -                                 30714 pts/12   00:00:00 bash
  unconfined                        36298 pts/12   00:00:00 bash
  unconfined                        36305 pts/12   00:00:00 ps

=back

while from the parent namespace the full confinement can be seen

=over 4

  $ ps -Z 36298
  LABEL                               PID TTY      STAT   TIME COMMAND
  unconfined//&:ex1:unconfined      36298 pts/12   S+     0:00 bash

=back

=head1 BUGS

If you find any bugs, please report them at
L<https://gitlab.com/apparmor/apparmor/-/issues>

=head1 SEE ALSO

apparmor(7), apparmor.d(5), aa_change_profile(3),
aa_change_onexec(3) and L<https://wiki.apparmor.net>.

=cut