[apparmor] Fwd: environment variables
Tetsuo Handa
from-ubuntu at I-love.SAKURA.ne.jp
Tue Nov 15 03:45:25 UTC 2011
Reply to post on Tue Nov 15 00:30:10 UTC 2011
> filter PATH=/home/*,
> deny PATH={**:,}/home/bad{:**,}
How do you handle "PATH=/./home/bad" and "PATH=/home/./bad" and
"PATH=/home/bad/" cases? Unlike a file's pathname calculated from a dentry/vfsmount
pair, an environment variable's value cannot be normalized.

Also, implicitly removing environment variables can cause the target application to
use defaults. For example,

    CC=mygcc make

might use gcc if CC was implicitly removed.
Rather, rejecting execve() seems to be safer.
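
The matching gap raised in the message above, as an added example that is not part of the original post or of AppArmor: the quoted deny rule is run against the three PATH spellings, next to a fail-closed check that rejects instead of filtering. `glob_to_regex` is a simplified stand-in for the proposed rule syntax, and `is_canonical` and `decide` are hypothetical names.

```python
import posixpath
import re

DENY_GLOB = "{**:,}/home/bad{:**,}"  # deny rule quoted in the message

def glob_to_regex(glob):
    """Assumed semantics: '**' = any text, '*' = no '/', '{a,b}' = alternation."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

DENY_RE = glob_to_regex(DENY_GLOB)

def glob_denies(path_value):
    """String match only: what a pattern rule sees of the PATH value."""
    return DENY_RE.fullmatch(path_value) is not None

def is_canonical(entry):
    """Absolute, no '.', '..', doubled or trailing slashes (lexical check only)."""
    return (entry.startswith("/") and not entry.startswith("//")
            and posixpath.normpath(entry) == entry)

def decide(path_value):
    """Fail closed: reject the exec rather than silently dropping the variable."""
    if not all(is_canonical(e) for e in path_value.split(":")):
        return "reject"
    return "reject" if glob_denies(path_value) else "allow"

if __name__ == "__main__":
    # Constructed sample values; the middle three are the spellings from the message.
    for v in ["/home/bad", "/./home/bad", "/home/./bad", "/home/bad/", "/usr/bin:/bin"]:
        print(f"PATH={v:<16} glob_denies={glob_denies(v)!s:<5} decide={decide(v)}")
```

The lexical check does not resolve symlinks, so it only narrows the set of spellings a string pattern has to cover.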