[apparmor] Solutions for scripting files, e.g perl python

Christian Boltz apparmor at cboltz.de
Tue Jan 14 20:47:54 UTC 2014


On Tuesday, 14 January 2014, Kshitij Gupta wrote:
> On Jan 14, 2014 11:54 AM, "Aaron Lewis" wrote:
> > It looks like one cannot create a profile for a script, e.g. perl or
> > python
> > 
> > Am I wrong?
> > 
> > I don't want a single profile for all scripts that run by the same
> > interpreter

> The above works when the script is run as an executable. Though it
> didn't work for me when used via idle or using python (my naive guess
> would be because child profiles were not used by python/idle)
> More experienced members can shed more light on the matter.

Correct - the profile /path/to/script is used if the script is 
executable and you call it as a standalone command ("./script" or just 
"script" if it's in $PATH)

If you call the script with "python script", then the /path/to/script 
profile is not used - in this case, AppArmor only looks for a profile 
for "python".

Another option is to run
    aa-exec -p /path/to/script python /path/to/script
(note: I never tested aa-exec ;-)

For additional complexity, load the libapparmor bindings in your script 
and call change_profile - but chmod +x is much easier ;-)


Christian Boltz
The manual said the program requires Windows 95 or better,
so I installed Linux.
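
Added example, not part of the original message: a Python self-check that a script can run at startup to see which profile it actually landed under, which makes the difference between "./script" and "python script" visible. It assumes the profile is named after the script's resolved path and reads the kernel's per-process attribute file; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Report which AppArmor profile confines the current process."""
import os
import sys

# Kernel interfaces for the current label. The first path only exists on
# newer kernels; the second may hold another LSM's label (e.g. SELinux)
# on systems where AppArmor is not the active module.
ATTR_PATHS = ("/proc/self/attr/apparmor/current", "/proc/self/attr/current")


def parse_label(raw):
    """Split 'name (mode)' into (name, mode); 'unconfined' carries no mode."""
    label = raw.strip("\x00\n ")
    if label.endswith(")") and " (" in label:
        name, mode = label[:-1].rsplit(" (", 1)
        return name, mode
    return label, None


def current_label():
    """Return (name, mode) for this process, or (None, None) if unreadable."""
    for path in ATTR_PATHS:
        try:
            with open(path) as fh:
                return parse_label(fh.read())
        except OSError:
            continue  # file missing, or no LSM provides this attribute
    return None, None


def is_confined_by(expected, label):
    """True only if the expected profile is attached in enforce mode."""
    name, mode = label
    return name == expected and mode == "enforce"


if __name__ == "__main__":
    # Assumption: the profile is named after the script's own path.
    expected = os.path.realpath(sys.argv[0])
    label = current_label()
    print("expected profile:", expected)
    print("actual label:    ", label)
    # Started as "python script", the label is the interpreter's profile
    # (or unconfined), so this check fails and the script exits non-zero.
    sys.exit(0 if is_confined_by(expected, label) else 1)
```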
