WEB开发网
开发学院服务器云计算 Linux Security Framework -- Apparmor机制介绍... 阅读

Linux Security Framework -- Apparmor机制介绍

 2012-09-05 09:54:22 来源:WEB开发网   
核心提示:(2)通过工具来管理profile,比较著名是:apparmor-utils,Linux Security Framework -- Apparmor机制介绍(2),通过如下命令进行安装:sudo apt-get install apparmor-utils此工具最常用的两个命令为:aa-genprof和aa-logp
(2)通过工具来管理profile,比较著名是:apparmor-utils,通过如下命令进行安装:

sudo apt-get install apparmor-utils
此工具最常用的两个命令为:aa-genprof和aa-logprof,前者用来生成profile文件,后者用来查询处于apparmor的日志记录。
再看一个手工编写的profile,熟悉下其语法格式,如果想更详细的学习,参见具体的讲解profile语法格式的文档,如:http://ubuntuforums.org/showthread.php?t=1008906。

#include <tunables/global>
/usr/bin/kopete { //需要限制的应用程序的名称
#include <abstractions/X>
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/kde>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
//限制其在对家目录下几个文件的读写权限
deny @{HOME}/.bash* rw,
deny @{HOME}/.cshrc rw,
deny @{HOME}/.profile rw,
deny @{HOME}/.ssh/* rw,
deny @{HOME}/.zshrc rw,
//对以下文件具有读、写、或可执行的权限
/etc/X11/cursors/oxy-white.theme r,
/etc/default/apport r,
/etc/kde4/* r,
/etc/kde4rc r,
/etc/kderc r,
/etc/security/* r,
/etc/ssl/certs/* r,
owner /home/*/ r,
/opt/firefox/firefox.sh Px,
/usr/bin/convert rix,
/usr/bin/kde4 rix,
/usr/bin/kopete r,
/usr/bin/kopete_latexconvert.sh rix,
/usr/bin/launchpad-integration ix,
/usr/bin/xdg-open mrix,
/usr/lib/firefox*/firefox.sh Px,
/usr/lib/kde4/**.so mr,
/usr/lib/kde4/libexec/drkonqi ix,
/usr/share/emoticons/ r,
/usr/share/emoticons/** r,
/usr/share/enchant/** r,
/usr/share/kde4/** r,
/usr/share/kubuntu-default-settings/** r,
/usr/share/locale-langpack/** r,
/usr/share/myspell/** r,
owner @{HOME}/.config/** rwk,
owner @{HOME}/.kde/** rwlk,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.thumbnails/** rw,
owner @{HOME}/Downloads/ rw,
owner @{HOME}/Downloads/** rw,
}
语法介绍:

r = read
w = write
l = link
k = lock
a = append

ix = inherit = Inherit the parent's profile.
px = requires a separate profile exists for the application, with environment scrubbing.
Px = requires a separate profile exists for the application, without environment scrubbing.
ux and Ux = Allow execution of an application unconfined, with and without environmental scrubbing. (use with caution if at all).
m = allow executable mapping.

上一页  1 2 

Tags:Linux Security Framework

编辑录入:爽爽 [复制链接] [打 印]
赞助商链接