[apparmor] [profile] /etc/cron.daily/logrotate: updated version.
daniel curtis
sidetripping at gmail.com
Tue Jan 3 17:41:20 UTC 2017
Hi Christian
>> This is the usual review policy for AppArmor (...)
>> Maybe you heard about usrMerge
OK, thanks for explanations. It is logical. Yes, I've read about usrMerge -
but it was a long time ago. If I remember correctly, it was on Fedora
project website.
Anyway, I would like to ask about two rules - basically permissions - used
in the logrotate profile;
/{usr/,}sbin/initctl Ux,
/{usr/,}sbin/runlevel Ux,
It is secure to use "Ux"? According to this website [1]; "In the case of an
allowed application with a Ux rule, the kernel sets the AT_SECURE auxilary
vector in the loaded ELF image. This results in the linker (ld.so)
sanitizing many dangerous environment variables, including LD_PRELOAD and
LD_LIBRARY_PATH (...)"
Seth answer [2]. I'm just asking - maybe it's OK, but I'm just curious.
What is your opinion about this one? Should it be changed, or as Seth has
wrote; "depending upon what they do with init, you could drag in a huge
amount of privileges to this profile that logically belong to upstart
instead (...)"
Best regards.
_____________
[1]
http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html
[2] https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170103/32833b05/attachment.html>
More information about the AppArmor
mailing list