[apparmor] base abstraction allowing to run simple programs

intrigeri intrigeri at debian.org
Tue Jul 19 14:48:47 UTC 2016


John Johansen wrote (02 Jan 2016 19:45:38 GMT) :
> On 01/02/2016 10:00 AM, intrigeri wrote:
>> is it expected that merely including abstractions/base allows to run
>> e.g. /bin/echo and /bin/sleep?
>> <demo>
>> $ cat /etc/apparmor.d/empty
>> #include <tunables/global>
>> profile empty {
>>   #include <abstractions/base>
>> }
>> # apparmor_parser -r /etc/apparmor.d/empty && aa-exec -p empty /bin/echo bla
>> bla
>> </demo>
>> Or is it just a side-effect of how aa-exec works, and a real confined
>> program would not be allowed to do the same?
> mostly abstractions/base is to wide

> however unconfined is allowed to delegate file descriptors to programs it
> executes, which is also allowing some of these small utilities, since
> aa-exec is usually run as unconfined this does come into play.

Thank you. I was trying to isolate a small reproducer with that almost
empty profile + aa-exec, in order to debug a harder problem (Tor
Browser in Tails can start Totem, which feels wrong). And now
I realize that I fundamentally misunderstood how aa-exec works: I need
to use --immediate, otherwise my tests are useless since aa-exec will
always be allowed to start the command :)


More information about the AppArmor mailing list