[apparmor] user-tmp abstraction, hard links, and separate filesystems

Seth Arnold seth.arnold at canonical.com
Mon Nov 2 16:21:44 UTC 2015


On Sun, Nov 01, 2015 at 02:26:58PM +0100, intrigeri wrote:
> I see that the user-tmp abstraction, included by many other profiles,
> contains these rules:
> 
>   owner /var/tmp/**     rwkl,
>   owner /tmp/**         rwkl,
>                            ^
> 
> Am I correct that on systems where /tmp and /var/tmp are on the root
> filesystem, this essentially allows an attacker who took control of
> a confined application to escape its AppArmor confinement, by creating
> a hard link to any other place in the root filesystem, and that within
> that filesystem it will then be only restricted by DAC?

AppArmor further restricts links to only cases where the new link has
a subset of permissions of the source; while I think the rules in the
abstractions are still too wide (I'd rather see the two-argument method
used), it's not as catastrophic as it sounds. Here's the blurb from
apparmor.d(5):

   l - Link mode
       Allows the program to be able to create a link with this name.
       When a link is created, the new link MUST have a subset of
       permissions as the original file (with the exception that
       the destination does not have to have link access.) If there
       is an 'x' rule on the new link, it must match the original
       file exactly.

Thanks
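The narrowing Seth alludes to, written out as an added profile fragment (not from the thread or the upstream abstraction): the one-argument `l` rule beside a two-argument `link subset` rule that pins both the link name and its target under /tmp, following the link-rule grammar in apparmor.d(5). The `owner` qualifier on the link rule is assumed to be accepted as it is for file rules.

```apparmor
# Added example, not part of the original thread. Paths are illustrative.

# As shipped in the user-tmp abstraction: the bare 'l' permits creating a
# link named anywhere under /tmp/** to any target the profile may link, and
# the kernel only enforces that the link's permissions are a subset of the
# target's (and that any 'x' rule matches exactly).
  owner /tmp/**                      rwkl,

# Two-argument form: link name (left) and link target (right) are both
# constrained, so a link under /tmp can only point at another file under
# /tmp. 'subset' keeps the permission-subset check described in the
# apparmor.d(5) excerpt above rather than relaxing it.
  owner /tmp/**                      rwk,
  owner link subset /tmp/** -> /tmp/**,
```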

