[apparmor] owner usage for @{HOME} rules
Simon Deziel
simon.deziel at gmail.com
Thu Dec 20 02:25:09 UTC 2012
On 12-12-19 06:44 PM, Seth Arnold wrote:
> On Wed, Dec 19, 2012 at 06:30:01PM -0500, Simon Deziel wrote:
>> === modified file 'profiles/apparmor.d/abstractions/bash'
>> --- profiles/apparmor.d/abstractions/bash 2012-08-06 11:56:31 +0000
>> +++ profiles/apparmor.d/abstractions/bash 2012-12-19 22:57:02 +0000
>> @@ -10,10 +10,10 @@
>>
>> # user-specific bash files
>> @{HOMEDIRS} r,
>> - @{HOME}/.bashrc r,
>> - @{HOME}/.profile r,
>> - @{HOME}/.bash_profile r,
>> - @{HOME}/.bash_history rw,
>> + owner @{HOME}/.bashrc r,
>> + owner @{HOME}/.profile r,
>> + owner @{HOME}/.bash_profile r,
>> + owner @{HOME}/.bash_history rw,
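Review bot: the `owner` qualifier on these four rules, and on `owner @{HOME}/.bash_history rw,` in particular, only matches when the process runs as the user who owns the file, so a shell started via `sudo -E` (which keeps the caller's HOME) runs as root against files owned by the invoking user and will be denied reading its rc files and writing history. Unless every site disables environment preservation, keep the unqualified `@{HOME}/... r,` and `@{HOME}/.bash_history rw,` rules in abstractions/bash and apply `owner` only in the profiles where the confined program is known to run as the home directory's owner; this matches the v2 decision in the thread to drop this hunk.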
>
> These are the only ones that look potentially problematic to me -- sudo
> may or may not scrub the environment when it executes shells or programs
> that may execute shells, and something this tight may prevent proper
> initialization or prevent the history feature from working. This might
> be desirable at many, or even most, sites, but it does feel like the
> change most likely to break something somewhere.
You are right, I missed the "sudo -E" case.
> But I do like the rest of the patch.
Good, here is v2 without the changes to abstractions/bash. I appreciate
your review, thanks!
Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: add-owner-for-home-rules-v2.patch
Type: text/x-patch
Size: 5705 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20121219/86b2e692/attachment-0001.bin>