[apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...
Ian
apparmor at zestysoft.com
Tue Jun 4 00:02:08 UTC 2019
On 11/3/18, John Johansen wrote:
> A task invoking the no_new_privs prctl
> https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
Okay, so I just did a strace on 'man' and see that it calls that
function with the nnp parameter before attempting to execve the child
processes that fail to execute.
Okay -- I get it now: While nnp normally works fine if the executable
is unconstrained, once apparmor assigns a security label to the
executable, it's game over because the LSM system asks apparmor to do
something it cannot -- prove the future profile transition has the same
permissions. I thought the child processes were asking for additional
security, but that's not the case.
This means that since all non-kernel processes have a label with the
FullSystemPolicy setup, this is an unavoidable problem -- there is no
way to remove a label once assigned. It's ironic that a function
designed to help secure a system is what is responsible for preventing
whitelisting.
I assume I'll run into a similar issue with selinux since this is an LSM
label transition thing then? Man, this Linux whitelisting search is
turning out to be the holy grail.
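An added example, not code from the thread: a small C program that records the calling process's AppArmor label, sets no_new_privs with prctl the way `man` does, then tries to execve a target, so the exec failure described above can be reproduced and read next to the label that triggered it. It uses only the standard /proc interfaces (`/proc/self/status`, `/proc/self/attr/current`) and the prctl constants from the kernel document linked above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Parse the NoNewPrivs flag out of /proc/<pid>/status text. Returns 0 or 1,
 * or -1 if the line is absent (older kernels do not report it). */
static int nnp_from_status(const char *status_text) {
    const char *p = strstr(status_text, "NoNewPrivs:");
    if (!p) return -1;
    p += strlen("NoNewPrivs:");
    while (*p == ' ' || *p == '\t') p++;
    return (*p == '1') ? 1 : 0;
}

/* Read this process's AppArmor label from /proc/self/attr/current
 * ("unconfined" when no profile applies). Returns -1 if unreadable. */
static int read_label(char *buf, size_t len) {
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Set no_new_privs (irreversible for this process and its children) and
 * return the flag as the kernel now reports it: 1 on success, -1 on error. */
static int enable_nnp(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

int main(int argc, char **argv) {
    char label[256] = "unknown";
    if (argc < 2) { fprintf(stderr, "usage: %s PROGRAM [ARGS...]\n", argv[0]); return 2; }
    read_label(label, sizeof label);
    printf("label before exec: %s\n", label);
    if (enable_nnp() != 1) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); return 1; }
    execv(argv[1], argv + 1);
    /* Reached only if execv failed. EPERM with a label other than "unconfined"
     * is the nnp/profile-transition refusal the thread describes; the matching
     * apparmor DENIED line is in the kernel log. */
    fprintf(stderr, "execv(%s) failed: %s (label: %s)\n", argv[1], strerror(errno), label);
    return 1;
}
```

Run it once from an unconfined shell and once from a shell confined by the FullSystemPolicy profile to see the same execv succeed in the first case and fail in the second.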