File permission access modes consist of combinations of the following nine modes:

| Mode | Description |
|---|---|
| r | Read mode |
| w | Write mode |
| px | Discrete profile execute mode |
| Px | Discrete profile execute mode—clean exec |
| ux | Unconstrained execute mode |
| Ux | Unconstrained execute mode—clean exec |
| ix | Inherit execute mode |
| m | Allow PROT_EXEC with mmap(2) calls |
| l | Link mode |
Read mode (r): Allows the program to have read access to the resource. Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump or be attached to with ptrace(2) (ptrace(2) is used by utilities like strace(1), ltrace(1), and gdb(1)).

Write mode (w): Allows the program to have write access to the resource. Files must have this permission if they are to be unlinked (removed).
Discrete profile execute mode (px): This mode requires that a discrete security profile is defined for a resource executed at an AppArmor domain transition. If there is no profile defined, the access is denied.

Using the Discrete Profile Execute Mode

Incompatible with Ux, ux, Px, and ix.

Discrete profile execute mode—clean exec (Px): Px allows the named program to run in px mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. See ld.so(8) for some information about setuid and setgid environment scrubbing.

Incompatible with Ux, ux, px, and ix.
Unconstrained execute mode (ux): Allows the program to execute the resource without any AppArmor profile applied to the executed resource. Requires listing execute mode as well.

This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information about what is constrained, see the apparmor(7) man page.

Using Unconstrained Execute Mode (ux)

This mode is incompatible with Ux, px, Px, and ix.
Unconstrained execute mode—clean exec (Ux): Ux allows the named program to run in ux mode, but AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment, similar to setuid programs. See ld.so(8) for some information about setuid and setgid environment scrubbing.

Using Unconstrained Execute Mode (Ux)

Incompatible with ux, px, Px, and ix.
Inherit execute mode (ix): ix prevents the normal AppArmor domain transition on execve(2) when the profiled program executes the named program. Instead, the executed resource inherits the current profile.

This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile. There is no version to scrub the environment because ix executions do not change privileges.

Incompatible with Ux, ux, Px, and px. Implies m.
Allow PROT_EXEC with mmap(2) calls (m): This mode allows a file to be mapped into memory using mmap(2)'s PROT_EXEC flag. This flag marks the pages executable. It is used on some architectures to provide nonexecutable data pages, which can complicate exploit attempts. AppArmor uses this mode to limit which files a well-behaved program (or all programs on architectures that enforce nonexecutable memory access controls) may use as libraries, and so to limit the effect of invalid -L flags given to ld(1) and of LD_PRELOAD and LD_LIBRARY_PATH values given to ld.so(8).
Link mode (l): The link mode mediates access to hard links. When a link is created, the target file must have the same access permissions as the link created (with the exception that the destination does not need link access).

When choosing one of the Ux or Px file permission access modes, take into account that the following environment variables are removed from the environment before the child process inherits it. As a consequence, applications or processes relying on any of these variables no longer work if the profile applied to them carries Ux or Px flags:
GCONV_PATH
GETCONF_DIR
HOSTALIASES
LD_AUDIT
LD_DEBUG
LD_DEBUG_OUTPUT
LD_DYNAMIC_WEAK
LD_LIBRARY_PATH
LD_ORIGIN_PATH
LD_PRELOAD
LD_PROFILE
LD_SHOW_AUXV
LD_USE_LOAD_BIAS
LOCALDOMAIN
LOCPATH
MALLOC_TRACE
NLSPATH
RESOLV_HOST_CONF
RES_OPTIONS
TMPDIR
TZDIR
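As an added example (not from the original documentation or the AppArmor project), the following Python script parses file rules in a constructed profile fragment and checks them against the constraints described above: the five execute modes are mutually exclusive on one rule, ix implies m, ux and Ux run the child without any profile, and lower-case px and ux pass LD_PRELOAD, LD_LIBRARY_PATH and the other variables listed through unscrubbed. The paths in the fragment are hypothetical, and the parser knows only the nine modes on this page.

```python
import re
# Constructed fragment, hypothetical paths; last rule deliberately mixes px and ix.
SAMPLE_PROFILE = """\
/usr/local/bin/reporter {
  /usr/lib/libreport.so mr,
  /var/log/reporter/latest l,
  /usr/bin/gzip ix,
  /usr/sbin/sendmail Px,
  /usr/bin/lpr px,
  /sbin/reboot Ux,
  /usr/bin/helper pxix,
}
"""

EXEC_MODES = {"px", "Px", "ux", "Ux", "ix"}   # mutually exclusive per rule
UNCONFINED = {"ux", "Ux"}                     # child runs with no profile at all
UNSCRUBBED = {"px", "ux"}                     # LD_PRELOAD etc. pass through
RULE_RE = re.compile(r"^\s*(\S+)\s+([rwlmixpPuU]+),\s*$")
MODE_RE = re.compile(r"[pPuUi]x|[rwlm]")

def parse_rule(line):
    """Return (path, set of modes) for a file rule, or None for other lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    path, letters = m.groups()
    modes = MODE_RE.findall(letters)
    if "".join(modes) != letters:             # leftover letters: not one of the nine modes
        raise ValueError(f"unrecognised mode string {letters!r}")
    modes = set(modes)
    if "ix" in modes:
        modes.add("m")                        # ix implies m
    return path, modes

def check_profile(text):
    """Return (path, finding) pairs for rules that need attention."""
    out = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        path, modes = parsed
        execs = modes & EXEC_MODES
        if len(execs) > 1:
            out.append((path, "conflicting execute modes " + " ".join(sorted(execs))))
        if execs & UNCONFINED:
            out.append((path, "child runs unconfined"))
        if execs & UNSCRUBBED:
            out.append((path, "environment not scrubbed"))
    return out
```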