[apparmor] restricting file access to processes "within" profile

Jonas Große Sundrup jgs-apparmor at letopolis.de
Mon Aug 10 22:59:48 UTC 2020


Hi,

I'm trying to restrict the access to /dev/shm. Some applications do
require it, among these multiprocess applications. I do suspect
(although I have not yet explicitly tested it) that all processes
might need to read and potentially write files there that have been
created by another process of their tree. Hence, I'm thinking about how
to best restrict access there as well, and the natural thought would be
along the lines of AppArmor profiles, so the original binary and
everything it spawns. Does AppArmor have something in this regard?

The strictest option I currently see is

    owner /dev/shm/** rw,

but that would still not separate two processes that run under the same
user but in different profiles.

Given that AppArmor revolves around file paths, it feels to me like it
might actually not be designed for this particular use case, but as my
experience with AppArmor is still limited, maybe I'm lucky and there is
something I haven't seen yet that allows even this kind of containment.
This would certainly also be useful for things like /tmp if one were to
nail down the processes in question.


Thanks in advance,
Jonas
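For readers who want to see the rule from the post in context, the following is an added example profile, not code from the original message or from the AppArmor project. The binary path /usr/local/bin/shmapp and the helper directory /usr/local/libexec/shmapp/ are hypothetical. It uses the `ix` execute mode so that helpers spawned by the application inherit this same profile (the "original binary and everything it spawns" case), and it restricts /dev/shm with the `owner` qualifier exactly as the post proposes. The caveat stated in the post still applies: `owner` matches on the file's uid, so a process under the same uid confined by a different profile is not kept out of these files by this rule alone.

```apparmor
# Added example profile (hypothetical paths), not from the original post.
#include <tunables/global>

/usr/local/bin/shmapp {
  #include <abstractions/base>

  # The application binary itself: map and read.
  /usr/local/bin/shmapp mr,

  # Helpers the application executes run in this same profile (ix = inherit),
  # so the whole process tree is covered by the rules below.
  /usr/local/libexec/shmapp/* ix,

  # Shared-memory segments: only files owned by the confining process's uid.
  # This separates users, not profiles; a second profile under the same uid
  # still matches 'owner' on these files.
  /dev/shm/ r,
  owner /dev/shm/** rw,
}
```

The profile can be syntax-checked without loading it (`apparmor_parser -Q /etc/apparmor.d/usr.local.bin.shmapp`) and then loaded in complain mode first to see which /dev/shm accesses the application actually performs before enforcing it.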



More information about the AppArmor mailing list