[apparmor] base abstraction allowing to run simple programs
intrigeri
intrigeri at debian.org
Tue Jul 19 14:48:47 UTC 2016
Hi,
John Johansen wrote (02 Jan 2016 19:45:38 GMT) :
> On 01/02/2016 10:00 AM, intrigeri wrote:
>> is it expected that merely including abstractions/base allows to run
>> e.g. /bin/echo and /bin/sleep?
>>
>> <demo>
>>
>> $ cat /etc/apparmor.d/empty
>> #include <tunables/global>
>>
>> profile empty {
>> #include <abstractions/base>
>> }
>>
>> # apparmor_parser -r /etc/apparmor.d/empty && aa-exec -p empty /bin/echo bla
>> bla
>>
>> </demo>
>>
>> Or is it just a side-effect of how aa-exec works, and a real confined
>> program would not be allowed to do the same?
>>
> mostly abstractions/base is to wide
> however unconfined is allowed to delegate file descriptors to programs it
> executes, which is also allowing some of these small utilities, since
> aa-exec is usually run as unconfined this does come into play.
Thank you. I was trying to isolate a small reproducer with that almost
empty profile + aa-exec, in order to debug a harder problem (Tor
Browser in Tails can start Totem, which feels wrong). And now
I realize that I fundamentally misunderstood how aa-exec works: I need
to use --immediate, otherwise my tests are useless since aa-exec will
always be allowed to start the command :)
Cheers,
--
intrigeri
More information about the AppArmor
mailing list