[apparmor] File rule question

Frankie Onuonga onuonga at live.com
Sun Mar 11 17:49:07 UTC 2012


True.
Even to me this does not make sense.
I think we need to restructure just to avoid any problems in future.

On Sun, Mar 11, 2012 at 4:18 AM, Seth Arnold <seth.arnold at gmail.com> wrote:

> It does seem odd, but if m and r permission are granted then the program
> could do the moral equivalent of an exec entirely in memory itself -- with
> the exception of setuid, setgid, or setfacl capabilities, which the profile
> will confine anyhow.
>
> Thus I think the full set makes sense.
>
> ------Original Message------
> From: John Johansen
> Sender: apparmor-bounces at lists.ubuntu.com
> To: apparmor
> Subject: [apparmor] File rule question
> Sent: Mar 10, 2012 5:50 PM
>
> So in 2.8 the ability to specify all files via
>
>  file,
>
> instead of having to do
>
>  /** rwlkmix,
>
> the question is should this shortcut provide all those permissions or should
> we separate out exec permissions.  It seems odd to me that saying you have
> access to all files means you also can exec anything even if it remains
> confined by the current profile.
>
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor