[apparmor] File rule question

Seth Arnold seth.arnold at gmail.com
Sun Mar 11 02:18:31 UTC 2012


It does seem odd, but if m and r permissions are granted then the program could do the moral equivalent of an exec entirely in memory itself -- with the exception of setuid, setgid, or setfacl capabilities, which the profile will confine anyhow.

Thus I think the full set makes sense.

------Original Message------
From: John Johansen
Sender: apparmor-bounces at lists.ubuntu.com
To: apparmor
Subject: [apparmor] File rule question
Sent: Mar 10, 2012 5:50 PM

So in 2.8 there is the ability to specify all files via

  file,

instead of having to do

  /** rwlkmix,

the question is: should this shortcut provide all those permissions, or should
we separate out exec permissions?  It seems odd to me that saying you have
access to all files means you also can exec anything, even if it remains
confined by the current profile.



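As an added illustration (not code from this thread or from the AppArmor project), a small Python audit that expands a bare `file,` rule to `/** rwlkmix,` as the thread describes and flags which rules in a profile body grant an exec mode or the m+r pair Seth mentions; the simplified rule parser, the sample profile and the function names are constructed for this example.

```python
import re

# Assumption taken from the thread: in AppArmor 2.8 a bare `file,` rule
# is shorthand for `/** rwlkmix,`.
BARE_FILE_RULE = ("/**", "rwlkmix")

# Matches `file /path perms,` or `/path perms,` (unquoted paths only;
# no owner/deny prefixes, variables or alternations: a deliberate simplification).
FILE_RULE_RE = re.compile(
    r"^(?:file\s+)?(?P<path>/\S*)\s+(?P<perms>[rwamlkixpPcCuU]+)\s*,$"
)


def parse_file_rules(profile_body):
    """Return (path, set_of_permission_letters) for each file rule."""
    rules = []
    for raw in profile_body.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments, whitespace
        if line == "file,":                         # bare shorthand rule
            rules.append((BARE_FILE_RULE[0], set(BARE_FILE_RULE[1])))
            continue
        m = FILE_RULE_RE.match(line)
        if m:                                       # other lines (capability, network, braces) are ignored
            rules.append((m.group("path"), set(m.group("perms"))))
    return rules


def audit_exec_rights(profile_body):
    """Map each path to the reasons its rule effectively allows running code."""
    findings = {}
    for path, perms in parse_file_rules(profile_body):
        reasons = []
        if "x" in perms:
            reasons.append("exec")        # ix/Px/Cx/Ux: a real exec transition
        if {"m", "r"} <= perms:
            reasons.append("mmap+read")   # readable and mappable: exec-like in memory
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample profile body, not taken from the thread.
SAMPLE_PROFILE = """
  #include <abstractions/base>
  capability net_bind_service,
  /etc/app.conf r,
  /var/lib/app/** rwk,
  /usr/lib/app/plugin.so mr,
  /usr/bin/helper Px,
  file,
"""

if __name__ == "__main__":
    for path, reasons in audit_exec_rights(SAMPLE_PROFILE).items():
        print(f"{path}: {', '.join(reasons)}")
```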