[apparmor] Question regarding confining sudo in a child profile
Hanno Stock
hanno.stock at gmx.net
Mon Oct 21 11:13:20 UTC 2013
Hi everybody,
I have a question regarding confining use of sudo with a child profile.
I see some strange behavior (at least to my understanding). I would be
glad for any pointers in the right direction.
The situation:
1. Ubuntu 12.04 system with AppArmor 2.7 (installed via distribution package)
2. I have an openvpn daemon which runs some learn-address script via sudo.
3. I have a profile for openvpn with a child profile for sudo and a named child profile for the learn-address script.
In the openvpn-profile I have:
/usr/bin/sudo rCx,
In the sudo child profile I have:
/etc/openvpn/scripts/learn-address.sh rCx -> learn_address,
However I still get kernel logs like this:
Oct 21 12:23:54 intranet-vpn kernel: [408806.259761] type=1400 audit(1382351034.874:22653): apparmor="ALLOWED" operation="exec" parent=3442 profile="/usr/sbin/openvpn///usr/bin/sudo" name="/usr/sbin/ipset" pid=3443 comm="learn-address.s" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/openvpn///usr/bin/sudo//null-1c8"
The ipset utility is however run by the learn-address.sh script, not
directly by sudo. I do not understand why the sudo child profile is used
here. To my understanding the profile should be "learn_address" which
allows the execution of ipset.
Thanks & best regards
Hanno
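As an added example (not part of the post or of AppArmor itself), the following script parses an AppArmor audit record like the one quoted above, splits the `//`-separated profile stack, and flags whether the exec transitioned into a complain-mode learning profile (`null-*`). The sample line is the post's kernel message rejoined onto one line; the field names are assumed to follow the type=1400 audit format shown there.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the kernel message from the post, joined back onto
# one line as syslog writes it (the mailing-list archive wrapped it).
SAMPLE = ('Oct 21 12:23:54 intranet-vpn kernel: [408806.259761] type=1400 '
          'audit(1382351034.874:22653): apparmor="ALLOWED" operation="exec" '
          'parent=3442 profile="/usr/sbin/openvpn///usr/bin/sudo" '
          'name="/usr/sbin/ipset" pid=3443 comm="learn-address.s" '
          'requested_mask="x" denied_mask="x" fsuid=0 ouid=0 '
          'target="/usr/sbin/openvpn///usr/bin/sudo//null-1c8"')

# key="quoted value" or key=bare_value pairs after the audit(...) header
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEADER = re.compile(r'audit\(([\d.]+):(\d+)\):(.*)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the AppArmor audit fields of one kernel log line as a dict."""
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not an audit(...) record: %r" % line)
    fields = {"audit_time": m.group(1), "audit_serial": m.group(2)}
    for key, quoted, bare in _FIELD.findall(m.group(3)):
        fields[key] = quoted if quoted else bare
    return fields


def profile_stack(profile: str) -> List[str]:
    """Split 'parent//child//grandchild' into its components.

    '/usr/sbin/openvpn///usr/bin/sudo' -> ['/usr/sbin/openvpn', '/usr/bin/sudo']
    (the triple slash is the '//' separator followed by an absolute path).
    """
    return profile.split("//")


def describe_exec(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Summarise an exec event: which profile confined it and where it went."""
    if fields.get("operation") != "exec":
        return None  # only exec transitions are of interest here
    target_stack = profile_stack(fields.get("target", fields["profile"]))
    return {
        "complain_mode": fields.get("apparmor") == "ALLOWED",
        "confining_profile": profile_stack(fields["profile"])[-1],
        "executed": fields.get("name"),
        "executing_comm": fields.get("comm"),
        "target_profile": target_stack[-1],
        # a null-* leaf means no named child profile matched the exec rule
        "learning_profile": target_stack[-1].startswith("null-"),
    }
```

For the post's record, the result shows the exec of /usr/sbin/ipset was still confined by the sudo child profile and landed in a learning (`null-1c8`) profile rather than in `learn_address`, which is the observation the author describes.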