[apparmor] sanitized_helper is ineffective in confining python programs
Tomasz Miąsko
tomasz.miasko at gmail.com
Thu Sep 8 13:03:21 UTC 2016
Hi,
Strategy employed in abstractions/ubuntu-helpers for environment sanitizing is
ineffective for python programs. For example, the check prohibiting user owned
python imports ("audit deny owner /**/*.py* r"), can be avoided as follows:
Using symbolic link to avoid check for python extension:
* Save code to execute in a file without .py extension, for example site.code.
* Create symbolic link from site.py to site.code
* Execute a python program that transitions to sanitized_helper profile with
PYTHONPATH=directory containing site.py
Using python built-in support for zip imports:
* Create zip file with code to execute.
* Execute python program that transitions to sanitized_helper profile with
PYTHONPATH=zip file
Cheers,
--
Tomasz
More information about the AppArmor
mailing list