[apparmor] Confinement inheritance with ix

Jonas Große Sundrup jgs-apparmor at letopolis.de
Tue Aug 11 22:20:37 UTC 2020


Hi,

I have recently locked down a bunch of electron apps using AppArmor and
I noticed something that doesn't yet make sense in my mind:

All Electron apps I'm using split into multiple executables: first the
named executable, which I call to start it, and second the app.asar,
which seems to be the Electron executable and which is in turn started
by the "named executable".

I locked down the named executable and added

  /path/to/app.asar rix,

to the profile and I would expect that this app.asar is then confined
just like the executable the profile is made for (and which is
originally called). According to htop, the app.asar is indeed a
subprocess of the named executable.

However, it doesn't seem to be so (at least with regards to the
filesystem access). To achieve this, I have to add an additional
profile for /path/to/app.asar, and then modify the line above to

  /path/to/app.asar rpx,

which achieves the desired containment effect.

In practice this is what I'm doing anyway mostly, as the app.asar
usually works with a tighter harness, but according to the
documentation, shouldn't "ix" also have such an effect instead of the
subprocess falling out of confinement?

Or in other words: where is my mental model of AppArmor still incorrect?

(I do have other execution flags in the profiles in question, but all of
them are ix.)


Thanks in advance,
Jonas
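The two execution modes the question contrasts, written out as an added example profile (this is not code from the original post; the paths /opt/example-app/example-app and /opt/example-app/example-app.asar are placeholders, and the file rules are illustrative, not a complete harness for any real Electron app). The point of the example is the semantics of the exec modifier, which is what decides which rule set the child ends up under: with ix the child is labelled with the parent's profile and no second profile is consulted, so the parent profile's rules are the only ones that can grant or deny the child anything; with px the kernel looks for a loaded profile whose name matches the executed path and transitions to it, and the child is then governed only by that profile.

```apparmor
# Added example, not from the original post. Paths and file rules are
# placeholders; adapt them to the application being confined.
#include <tunables/global>

# ---------------------------------------------------------------------
# Variant A: "ix" (inherit). The child executable keeps running under
# *this* profile. There is no profile for the child; every rule below
# applies to the parent and, after the exec, to the child as well.
# ---------------------------------------------------------------------
/opt/example-app/example-app {
  #include <abstractions/base>

  # Read + execute the helper binary and keep it in this same profile.
  /opt/example-app/example-app.asar rix,

  # Rules that both the parent and the ix child are allowed.
  /opt/example-app/**                         r,
  owner @{HOME}/.config/example-app/**        rwk,
  owner /tmp/example-app-*                    rw,

  # Anything not listed is denied for the child too. A denial raised by
  # the child is logged with profile="/opt/example-app/example-app"
  # (the label it inherited), while comm= shows the child's process name.
}

# ---------------------------------------------------------------------
# Variant B: "px" (transition to a discrete profile). Requires a second
# loaded profile whose name is the child's path; the kernel switches the
# child to it at exec time and the parent's rules no longer apply.
# ---------------------------------------------------------------------
#
# /opt/example-app/example-app {
#   #include <abstractions/base>
#   /opt/example-app/example-app.asar rpx,
#   /opt/example-app/**                  r,
#   owner @{HOME}/.config/example-app/** rwk,
# }
#
# # Must exist, or the px exec fails with a denial in the log.
# /opt/example-app/example-app.asar {
#   #include <abstractions/base>
#   /opt/example-app/**                  r,
#   owner @{HOME}/.config/example-app/** rwk,
#   # deliberately tighter than the parent: no /tmp access here
# }
#
# A nested child profile with "cx" is a third option when the tighter
# rules should live inside the parent's profile file:
#
# /opt/example-app/example-app {
#   /opt/example-app/example-app.asar rcx,
#   profile /opt/example-app/example-app.asar {
#     #include <abstractions/base>
#     /opt/example-app/** r,
#   }
# }
```

To see which of these actually took effect on a running process rather than reasoning about it, read the label the kernel assigned: `cat /proc/<pid>/attr/current` (or `ps -eZ`, which prints it in the LABEL column, and `sudo aa-status`, which lists every confined process under its profile). Under variant A the parent and the child both report the parent's profile name followed by `(enforce)`; under variant B the child reports the child profile's name. If the child reports `unconfined` with an ix rule in place, the exec did not happen from a process that was itself under the profile, because ix cannot produce a label the parent does not have. Denials for either variant show up in the kernel log as `apparmor="DENIED"` lines (`sudo dmesg | grep apparmor=` or `journalctl -k`), and the `profile=` field on those lines is the quickest way to tell which rule set was consulted.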


