[apparmor] Learning apparmor
Jamie Strandboge
jamie at canonical.com
Tue Dec 18 15:22:56 UTC 2012
On 12/17/2012 05:29 PM, Christian Boltz wrote:
> Besides that, John forgot to mention Ux, Px and Cx (and Pix, Cix and
> PUx). They basically do the same as their lowercase counterparts, but
> are more secure because they clean the environment variables
> (LD_PRELOAD, PATH etc.) before executing the "child" program.
>
> In other words: It's recommended to use the uppercase variant of the
> exec rules (except if a program really needs unmodified environment
> variables).
>
It is recommended to use the uppercase variants, but keep in mind they
do not clean out all environment variables-- only those specified in
glibc's secure-exec (ie, PATH is *not* scrubbed). I wrote up something a
while back discussing this[1].
[1]https://wiki.ubuntu.com/SecurityTeam/AppArmorPolicyReview#Execute_rules
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20121218/2f4a5155/attachment.pgp>
More information about the AppArmor
mailing list