[apparmor] How to setup apparmor for calling an executable from another executable with a profile

Christian Boltz apparmor at cboltz.de
Tue May 29 11:34:00 UTC 2018


Hello,

Am Dienstag, 29. Mai 2018, 07:05:28 CEST schrieb Germán Diago Gómez:
> I have a question I posted in Stackoverflow and ubuntu stack exchange
> with no luck.
> 
> My problem is the following:
> 
> 
> I have a problem I am not sure how to solve in AppArmor.
> 
> Basically I have a profile that executes a program, let us say
> 
> profile myprof { /my/executable ix, }
> 
> The problem is that from that executable, I call another executable,
> spawning a process, let us call it, /the/other/executable.
> 
> How can I make AppArmor give /my/executable permissions to call
> /the/other/executable? This will be done when /my/executable is
> already running, of course.

Add an execute rule (ix, Cx or Px) for /the/other/executable.

> I saw the API for aa_change_hat and subprofiles: is that the way to
> go?
> 
> My ideal would be to be able to tell from the profile directly that
> /my/executable can use /the/other/executable. /the/other/executable
> should be able to read and write in the same places as /my/executable,
> so this could be maybe inherited.

Sounds like   /the/other/executable ix,   is what fits you best.


If you want the permissions of myprof to be different from the 
permissions for /my/executable and /the/other/executable, you can use
    /my/executable Cx,
to run /my/executable in a child profile, and then put
    /the/other/executable ix,
in that child profile.

BTW: If you are looking for documentation, have a look at
https://doc.opensuse.org/documentation/leap/security/html/book.security/
part.apparmor.html


Regards,

Christian Boltz
-- 
You know, Murphy was an optimist, so if we introduce a new step in our
workflow when it's most critical we can expect spectacular failures.
[Stefan Hundhammer in yast-devel]
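The two layouts from the reply above, written out as one complete profile (an added example, not code from the mail or from the AppArmor project; /my/executable and /the/other/executable are the paths from the question, while /my/launcher, /etc/myapp.conf, /data/** and the child profile name "myexec" are placeholders assumed here):

```apparmor
#include <tunables/global>

# myprof confines the launcher (assumed path: /my/launcher) that starts
# /my/executable, which in turn starts /the/other/executable.
profile myprof /my/launcher {
  #include <abstractions/base>

  /my/launcher mr,
  /etc/myapp.conf r,           # assumed: only the launcher reads its config

  # Variant 1 (inherit): both programs run under myprof itself and get
  # exactly myprof's permissions. To use it, uncomment these two lines and
  # drop the Cx rule and the child profile below.
  # /my/executable ix,
  # /the/other/executable ix,

  # Variant 2 (child profile): /my/executable transitions into the named
  # child profile "myexec", so its permissions can differ from the launcher's.
  /my/executable Cx -> myexec,

  profile myexec {
    #include <abstractions/base>

    /my/executable mr,
    /data/** rw,               # assumed: the places both programs read and write

    # ix inside the child: /the/other/executable inherits "myexec", so it
    # gets the same read/write access without needing a profile of its own.
    /the/other/executable ix,
  }
}
```

Save it under /etc/apparmor.d/, check the syntax without touching the kernel with `apparmor_parser -Q <file>`, then load it with `apparmor_parser -r <file>`. Two things to keep in mind when choosing the rule: ix draws no privilege boundary between parent and child (the child can do everything the parent can, nothing less), and Px requires a separate, standalone profile for /the/other/executable; with Px and no such profile the exec is denied, which is usually the first thing to look for in the audit log when the child fails to start.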