[apparmor] How to prevent a file being loaded with executable permission?
Aphyr Lee
aphyrlee at gmail.com
Mon Mar 6 08:03:50 UTC 2017
Hi,
I am trying to use AppArmor to prevent specific files from being loaded
with executable permission. I tried to deny the file permission m (memory
map executable), but I had no luck making it work.
The use scenario is that I would like to prevent execution from the
writable directory, /tmp.
Here is my AppArmor profile.
my-bash-profile:

#include <tunables/global>
profile /home/ubuntu/bash flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  allow /bin/** rmix,
  allow /dev/tty* rw,
  deny /tmp/** mxkl,
  /tmp/ rw,
  /tmp/** rw,
}
testing-1 (expected - not able to execute the "echo" in /tmp):
#/home/ubuntu/bash -c "/tmp/echo hello"
/home/ubuntu/bash: /tmp/echo: Permission denied
testing-2 (unexpected - the library /tmp/libtest_lib.so was loaded
and the init function of libtest_lib.so got executed):
# /home/ubuntu/bash -c "LD_PRELOAD=/tmp/libtest_lib.so /bin/echo hello"
*** test_lib_so_loaded()***
hello
My environment:
Platform: 16.04.1-Ubuntu
Kernel: 4.8.0-32-lowlatency
AppArmor Package: 2.10.95-0ubuntu2.5
Do I misunderstand anything or make any mistakes?
Best regards,
Aphyr