RAppArmor (version 3.2.5)

apparmor: Change hats

Description

A hat is a subprofile whose name starts with a '^'. The difference between hats and profiles is that a process can escape (revert) from a hat using the magic token. Hence a hat provides more limited security than a profile.

Note that in order for this function to do its work, it needs read access to the attributes of the current process. If aa_getcon fails with a permission denied error, it might actually mean that the current process is being confined with a very restrictive profile.

Usage

aa_change_hat(subprofile, magic_token)

aa_revert_hat(magic_token)

aa_change_profile(profile)

aa_find_mountpoint()

aa_getcon()

aa_is_enabled()

aa_is_compiled()

Arguments

subprofile

character string identifying the subprofile (hat) name (without the "^")

magic_token

a number that will be the key to revert out of the hat.

profile

character string with the name of the profile.

Examples

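if (FALSE) {
  # Not run: needs AppArmor and a profile named "testprofile" with a hat "testhat".
  library(RAppArmor)

  # Switch to the profile, then compare the same read inside and outside the hat.
  aa_change_profile("testprofile")
  aa_getcon()
  test <- read.table("/etc/group")
  aa_change_hat("testhat", 13337)  # 13337 is the magic token
  aa_getcon()
  test <- read.table("/etc/group")
  aa_revert_hat(13337)             # the same token reverts out of the hat
  test <- read.table("/etc/group")
}
if (FALSE) {
  # The same read before and after switching to the profile.
  test <- read.table("/etc/passwd")
  aa_change_profile("testprofile")
  aa_getcon()
  test <- read.table("/etc/passwd")
}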
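
The hat lifecycle described above (enter with a token, revert with the same token) can be wrapped so the revert always runs. This is an added example, not part of the RAppArmor documentation; `with_hat` is a hypothetical helper, and it assumes the "testprofile" profile and "testhat" hat used in the page's examples are loaded.

```r
library(RAppArmor)

# Hypothetical helper (not part of RAppArmor): evaluate `expr` inside a hat
# and always revert afterwards, even if `expr` raises an error.
with_hat <- function(subprofile, expr) {
  # isTRUE() copes with either a logical return value or an error being raised.
  if (!isTRUE(aa_is_enabled())) stop("AppArmor is not enabled on this system")

  # Fresh token per call instead of a fixed constant. R's RNG is not
  # cryptographically secure; this shows the token lifecycle only.
  token <- sample.int(.Machine$integer.max, 1)

  aa_change_hat(subprofile, token)
  # Registered after the hat change, so the revert is paired with it and
  # runs on normal return and on error alike.
  on.exit(aa_revert_hat(token), add = TRUE)

  # `expr` is a lazy promise: it is first evaluated here, under the hat.
  force(expr)
}

# Constructed usage: confine the process, then run one read under the hat.
aa_change_profile("testprofile")
res <- tryCatch(
  with_hat("testhat", read.table("/etc/group")),
  error = function(e) conditionMessage(e)
)
str(res)          # data frame if the hat permits the read, else the error text
str(aa_getcon())  # confinement context after the revert
```

The token lives in the same R process as the code running under the hat, so any code that can reach it can call `aa_revert_hat` itself; this is why a hat is the weaker boundary, while `aa_change_profile` takes no revert token.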