[apparmor] base abstraction allowing to run simple programs

John Johansen john.johansen at canonical.com
Sat Jan 2 19:45:38 UTC 2016


On 01/02/2016 10:00 AM, intrigeri wrote:
> Hi,
> 
> is it expected that merely including abstractions/base allows to run
> e.g. /bin/echo and /bin/sleep?
> 
> <demo>
> 
> $ cat /etc/apparmor.d/empty
> #include <tunables/global>
> 
> profile empty {
>   #include <abstractions/base>
> }
> 
> # apparmor_parser -r /etc/apparmor.d/empty && aa-exec -p empty /bin/echo bla
> bla
> 
> </demo>
> 
> Or is it just a side-effect of how aa-exec works, and a real confined
> program would not be allowed to do the same?
> 
Mostly, abstractions/base is too wide.

However, unconfined is allowed to delegate file descriptors to programs it
executes, which also allows some of these small utilities; since
aa-exec is usually run as unconfined, this does come into play.

Better controls of delegation are on the todo list.
