[apparmor] Handling meta-read permissions
John Johansen
john.johansen at canonical.com
Thu Jul 29 23:43:37 BST 2010
Currently AppArmor provides a pass on meta-read permission, closing this hole lead
to bug https://launchpad.net/bugs/599450. We considered fixing this through profile
changes but this would require granting read access for every directory and file
along PATH variables that are probed. This would require opening up profiles far
more than the old behavior of implicitly granting meta-read permissions.
Going forward the user space read permission will grant both read and meta-read
permissions. But there will be cases when we don't want to grant full read
permissions.
we have two options
* Require explicitly specifying meta-read permission rules. This will require
expanding current profiles, to enable them to work.
eg.
/foo/ r,
/foo/* meta-r,
/bar/**/ r,
/bar/**/* meta-r,
* Granting read permissions on a directory implies granting meta-read permissions
on the files in the directory. Basically if you can read the directory contents
you can stat the files in it.
eg. (cover permissions granted by above example)
/foo/ r,
/bar/**/ r,
This will not remove the need to be able to specify meta-r, but it should take
care of most cases, with out requiring profile modification.
*Note the meta-r syntax is not necessarily how this will be specified in policy.
More information about the AppArmor
mailing list