[apparmor] [profile] transmission-gtk, the encrypted data and requested/denied 'rwc'.

Jamie Strandboge jamie at canonical.com
Fri Jan 22 14:07:38 UTC 2016


On Fri, 2016-01-22 at 13:20 +0100, daniel curtis wrote:
> Hello.
> 
> Yes Jamie, you're right: 'uuid' is root owned and there is a denied
> entry with 'fsuid=1000, ouid=0' in a log file (e.g. '/var/log/syslog').
> So, I will try to remove 'owner' and see what happens. But isn't it more
> secure with the 'owner' option?
> 
> Seth, you wrote that "the 'owner' modifier on this rule is preventing
> the read", right? Also the DENIED line on my system is similar to yours.
> Requested and denied mask ("r") and 'fsuid=1000 ouid=0'. Yes, I noticed
> that 'fsuid' and 'ouid' are different.
> 
The 'owner' flag is more secure if it can be applied to a rule where it
makes sense to have it. For things in /tmp, @{HOME} or @{HOME}/Private,
definitely consider using owner. The rule I responded to was
for /proc/sys/kernel/random/uuid, though; this will only ever be owned
by root, so if your program legitimately needs it and you want to grant
access to it but your program runs under a non-root UID, you need to
not specify 'owner'.

-- 
Jamie Strandboge             | http://www.canonical.com
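The point of the thread is that an 'owner' rule only matches when the process's fsuid equals the file's ouid, so a non-root program can never satisfy 'owner' on a root-owned file such as /proc/sys/kernel/random/uuid. The following script is an added example (it is not part of this thread and not AppArmor project code): it parses an AppArmor DENIED audit line, checks whether fsuid and ouid differ, and suggests the rule form that would actually match. The sample log line is constructed for this example; its pid and comm values are made up, while the path, masks and uid values mirror the case discussed above.

```python
import re

# Constructed sample denial in AppArmor's audit-line format. fsuid=1000 and
# ouid=0 reproduce the situation in the thread; pid/comm are made-up values.
SAMPLE_DENIAL = (
    'apparmor="DENIED" operation="open" profile="transmission-gtk" '
    'name="/proc/sys/kernel/random/uuid" pid=4242 comm="transmission-gt" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
)

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def owner_mismatch(fields):
    """True when the denied access came from a process whose fsuid differs
    from the file's ouid: an 'owner' rule cannot match in that case."""
    return fields.get("fsuid") != fields.get("ouid")


def suggest_rule(fields, rule_uses_owner=True):
    """Suggest a profile rule line for the denied path.

    If the existing rule carries 'owner' but fsuid != ouid (e.g. a root-owned
    file read by a uid 1000 process), the only rule that can grant the access
    is one without 'owner'. Otherwise keep 'owner', which is the safer form
    for files the user actually owns (/tmp, @{HOME}, ...).
    """
    path = fields["name"]
    mask = fields["denied_mask"]
    if rule_uses_owner and owner_mismatch(fields):
        return f"{path} {mask},"
    return f"owner {path} {mask},"


if __name__ == "__main__":
    f = parse_denial(SAMPLE_DENIAL)
    print(f"fsuid={f['fsuid']} ouid={f['ouid']} mismatch={owner_mismatch(f)}")
    print("suggested rule:", suggest_rule(f))
```

Run against a real line from '/var/log/syslog' or the audit log, a suggestion without 'owner' means the file is not owned by the confined process's uid; check that the program legitimately needs that path before widening the rule, and keep 'owner' on everything the user really owns.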
