4.8 File Permission Access Modes

File permission access modes consist of combinations of the following nine modes:

r     Read mode
w     Write mode
px    Discrete profile execute mode
Px    Discrete profile execute mode—clean exec
ux    Unconstrained execute mode
Ux    Unconstrained execute mode—clean exec
ix    Inherit execute mode
m     Allow PROT_EXEC with mmap(2) calls
l     Link mode

Read Mode (r)

Allows the program to have read access to the resource. Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump or be attached to with ptrace(2) (ptrace(2) is used by utilities like strace(1), ltrace(1), and gdb(1)).

Write Mode (w)

Allows the program to have write access to the resource. Files must have this permission if they are to be unlinked (removed).

Discrete Profile Execute Mode (px)

This mode requires that a discrete security profile is defined for a resource executed at an AppArmor domain transition. If there is no profile defined, the access is denied.

WARNING: Using the Discrete Profile Execute Mode

px does not scrub the environment of variables such as LD_PRELOAD. As a result, the calling domain may have an undue amount of influence over the called item.

Incompatible with Ux, ux, Px, and ix.

Discrete Profile Execute Mode (Px)—Clean Exec

Px allows the named program to run in px mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. See ld.so(8) for some information about setuid and setgid environment scrubbing.

Incompatible with Ux, ux, px, and ix.

Unconstrained Execute Mode (ux)

Allows the program to execute the resource without any AppArmor profile applied to the executed resource. Requires listing execute mode as well.

This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information about what is constrained, see the apparmor(7) man page.

WARNING: Using Unconstrained Execute Mode (ux)

Use ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection. ux does not scrub the environment of variables such as LD_PRELOAD. As a result, the calling domain may have an undue amount of influence over the called resource. Use this mode only if the child absolutely must be run unconfined and LD_PRELOAD must be used. Any profile using this mode provides negligible security. Use at your own risk.

This mode is incompatible with Ux, px, Px, and ix.

Unconstrained Execute Mode (Ux)—Clean Exec

Ux allows the named program to run in ux mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. See ld.so(8) for some information about setuid and setgid environment scrubbing.

WARNING: Using Unconstrained Execute Mode (Ux)

Use Ux only in very special cases. It enables the designated child processes to run without any AppArmor protection. Use this mode only if the child absolutely must be run unconfined. Use at your own risk.

Incompatible with ux, px, Px, and ix.

Inherit Execute Mode (ix)

ix prevents the normal AppArmor domain transition on execve(2) when the profiled program executes the named program. Instead, the executed resource inherits the current profile.

This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile. There is no version to scrub the environment because ix executions do not change privileges.

Incompatible with Ux, ux, Px, and px. Implies m.

Allow Executable Mapping (m)

This mode allows a file to be mapped into memory using mmap(2)'s PROT_EXEC flag. This flag marks the pages executable. It is used on some architectures to provide nonexecutable data pages, which can complicate exploit attempts. AppArmor uses this mode to limit which files a well-behaved program (or all programs on architectures that enforce nonexecutable memory access controls) may use as libraries, and thereby to limit the effect of invalid -L flags given to ld(1) and of LD_PRELOAD and LD_LIBRARY_PATH given to ld.so(8).

Link Mode (l)

The link mode mediates access to hard links. When a link is created, the target file must have the same access permissions as the link created (with the exception that the destination does not need link access).
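As an added illustration, not code from this guide or from the AppArmor project, the following Python checker applies the rules stated above to a few constructed file rules: it splits a mode string into its modes, rejects rules that name more than one execute mode (the section lists each execute mode as incompatible with the others), records that ix implies m, and notes whether the chosen execute mode is a clean-exec variant that scrubs the environment. The accepted rule shape ("<path> <modes>,") and the sample paths are assumptions made for the example.

```python
import re

# Execute modes named in this section; each is incompatible with the others,
# so a rule may carry at most one. "Clean exec" variants scrub the environment.
EXEC_MODES = ("px", "Px", "ux", "Ux", "ix")
SIMPLE_MODES = ("r", "w", "m", "l")
SCRUBS_ENV = ("Px", "Ux")
CONFINEMENT = {"px": "discrete profile", "Px": "discrete profile",
               "ux": "unconfined", "Ux": "unconfined", "ix": "inherit"}
# Assumed rule shape: "<path> <modes>," as written in a profile's file rules.
RULE_RE = re.compile(r"^\s*(\S+)\s+([A-Za-z]+)\s*,\s*$")

def parse_modes(mode_str):
    """Split 'Pxr' into ['Px', 'r']; two-letter execute modes are tried first
    so 'px' is never read as the non-existent single modes 'p' and 'x'."""
    modes, i = [], 0
    while i < len(mode_str):
        if mode_str[i:i + 2] in EXEC_MODES:
            modes.append(mode_str[i:i + 2])
            i += 2
        elif mode_str[i] in SIMPLE_MODES:
            modes.append(mode_str[i])
            i += 1
        else:
            raise ValueError(f"unknown mode {mode_str[i]!r} in {mode_str!r}")
    return modes

def check_rule(rule):
    """Return the effective modes of one file rule plus any conflicts."""
    match = RULE_RE.match(rule)
    if not match:
        raise ValueError(f"not a file rule: {rule!r}")
    path, mode_str = match.groups()
    modes = parse_modes(mode_str)
    execs = [m for m in modes if m in EXEC_MODES]
    problems = []
    if len(execs) > 1:
        problems.append(f"{path}: execute modes {execs} are mutually exclusive")
    effective = set(modes)
    if "ix" in effective:
        effective.add("m")  # the section states that ix implies m
    return {"path": path, "modes": effective, "problems": problems,
            "confinement": CONFINEMENT.get(execs[0]) if execs else None,
            "env_scrubbed": any(m in SCRUBS_ENV for m in execs)}

# Constructed sample rules; the paths are invented for this example.
SAMPLE_RULES = ["/usr/bin/example-helper Pxr,", "/usr/lib/example.so mr,",
                "/usr/bin/example-reboot Ux,", "/usr/bin/example-child ix,",
                "/usr/bin/example-broken pxux,"]
```

Running check_rule over SAMPLE_RULES reports the last rule as invalid because it combines px and ux, and shows the ix rule gaining m.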

When choosing one of the Ux or Px file permission access modes, take into account that the following environment variables are removed from the environment before the child process inherits it. As a consequence, applications or processes relying on any of these variables do not work anymore if the profile applied to them carries Ux or Px flags: