[apparmor] user-tmp abstraction, hard links, and separate filesystems

intrigeri intrigeri at debian.org
Sun Nov 1 13:26:58 UTC 2015


Hi,

I see that the user-tmp abstraction, included by many other profiles,
contains these rules:

  owner /var/tmp/**     rwkl,
  owner /tmp/**         rwkl,
                           ^

Am I correct that on systems where /tmp and /var/tmp are on the root
filesystem, this essentially allows an attacker who took control of
a confined application to escape its AppArmor confinement, by creating
a hard link to any other place in the root filesystem, and that within
that filesystem it will then be only restricted by DAC?

If I'm correct, then it sounds like it should be made clear, somehow,
that an operational requirement, for meaningful usage of upstream
profiles that include the user-tmp abstraction, is to have /tmp and
/var/tmp on dedicated filesystems. Is it the case already?

(/me hopes he got something wrong.)

Cheers,
-- 
intrigeri
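Two things worth checking before relying on the proposed operational requirement: whether /tmp and /var/tmp actually share a filesystem with /, and what a hard link buys an attacker when they do. The Python below is an added example written for this page, not code from the post or from the AppArmor project. It compares st_dev of the directories (a hypothetical helper, tmp_dirs_sharing_root_fs), then builds a constructed miniature of the scenario inside one temporary directory: a "secret.conf" standing in for a file outside /tmp, a "tmp" subdirectory standing in for /tmp on the same filesystem, and a hard link from the latter to the former. It shows that the link is the same inode, so a write through the /tmp-style path lands in the original file; only DAC (ownership and mode bits) stands in the way. link_across illustrates that link(2) refuses to cross filesystems (EXDEV), which is exactly why a dedicated filesystem closes the hole.

```python
import errno
import os
import tempfile


def same_filesystem(path_a, path_b):
    """True when both paths report the same st_dev, i.e. the same mounted filesystem."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def tmp_dirs_sharing_root_fs(tmp_dirs=("/tmp", "/var/tmp"), root="/"):
    """Hypothetical helper: list the temp directories that share a filesystem with root.

    A hard link created under any directory returned here can alias any file
    on the root filesystem that the caller may link (subject only to DAC).
    """
    return [d for d in tmp_dirs if os.path.isdir(d) and same_filesystem(d, root)]


def link_across(src, dst):
    """Try to hard-link src to dst; return the errno name on failure, None on success.

    Across filesystems (or across separate mounts of one filesystem) the kernel
    returns EXDEV, so a dedicated /tmp filesystem makes the alias impossible.
    """
    try:
        os.link(src, dst)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.unlink(dst)
    return None


def hardlink_alias_demo(base=None):
    """Constructed miniature of the scenario, entirely inside one temp directory.

    secret.conf stands in for a file outside /tmp; base/tmp stands in for /tmp
    on the same filesystem. Returns what the alias lets a /tmp-confined writer do.
    """
    base = base or tempfile.mkdtemp(prefix="apparmor-hardlink-")
    secret = os.path.join(base, "secret.conf")
    tmp = os.path.join(base, "tmp")
    os.makedirs(tmp, exist_ok=True)
    with open(secret, "w") as fh:
        fh.write("original\n")

    # The confined process only gets "owner /tmp/** rwkl"; it links into "its" tmp.
    alias = os.path.join(tmp, "alias")
    os.link(secret, alias)
    same_inode = os.stat(secret).st_ino == os.stat(alias).st_ino

    # A write that the path-based rule permits (path is under tmp/) hits the original.
    with open(alias, "w") as fh:
        fh.write("written via /tmp path\n")
    with open(secret) as fh:
        content = fh.read()

    return {
        "same_inode": same_inode,
        "link_count": os.stat(secret).st_nlink,
        "written_through_alias": content == "written via /tmp path\n",
        "cross_fs_error": link_across(secret, os.path.join(base, "tmp", "again")),
    }


if __name__ == "__main__":
    print("temp dirs on the root filesystem:", tmp_dirs_sharing_root_fs())
    print(hardlink_alias_demo())
```

One caveat on the st_dev check: a bind mount of /tmp reports the same st_dev as its source, yet link(2) still fails with EXDEV across distinct mounts, so the check above errs on the side of reporting "shared" where findmnt would show a separate mount. The reverse error does not occur: if st_dev differs, the link cannot be created.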


