[apparmor] Apparmor profile query
John Johansen
john.johansen at canonical.com
Thu Mar 25 21:41:41 UTC 2021
On 3/25/21 7:04 AM, tarunikaa123 at gmail.com wrote:
>
> Hi Team,
>
> I have a query regarding file access permissions on Apparmor profiles.
>
> Here ‘sample.c’ is a C program and ‘sample’ is the binary executable obtained on running it.
>
> ‘/usr/bin/sample rw, ’ is one of the policies mentioned in an Apparmor profile.
>
You shouldn't have 'w' in that rule unless you are allowing updating of the executable from the confined application. This is highly discouraged.
>
> My process which has Apparmor profile defined, accesses this ‘sample’ binary to fetch a value from it.
>
> 1. Why do I not have execute permission x in my profile for the binary and just rw ?
x is used to determine what the application can exec to. So if it never re-execs itself it shouldn't need the exec permission. With that said, this isn't entirely true. The kernel has changed where it applies the cred and check over time, so some kernels will actually require the x permission for an executable's profile, so it's best practice to give
/usr/bin/sample mrix,
for the executable in its profile.
The m (mmap executable) is another one where the kernel has changed its behavior around the executable over time.
> 2. Isn't it supposed to be ‘/usr/bin/sample rwx’, as the binary file needs to be executed by the process ?
>
Please don't give 'w' to the binary. Best practice is as mentioned above:
mrix
>
> Could someone please guide?
>
To give exact details as to why you are seeing what you are seeing I need to know the kernel version (patches or distro), and what the confinement is on the process launching the sample application.
E.g. if launching sample from unconfined you won't see an unconfined x rule, however it implicitly does a
mrpix
>
> Thanks,
>
> Tarunikaa
>
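As an added illustration that is not part of the thread above, here is a minimal profile for the `/usr/bin/sample` executable from the question, showing the discouraged `rw` rule commented out beside the `mrix` rule John recommends. The abstraction includes and the profile layout are assumptions for the sake of a complete, loadable fragment; only the `/usr/bin/sample` path and the `rw`/`mrix` rules come from the thread.

```apparmor
# Added example, not from the mailing-list thread.
# The profile layout and the abstraction includes are assumptions;
# only /usr/bin/sample and the rw / mrix rules come from the discussion.
#include <tunables/global>

/usr/bin/sample {
  #include <abstractions/base>

  # Discouraged: 'w' would let the confined program modify its own
  # executable on disk.
  # /usr/bin/sample rw,

  # Recommended (as in the reply): m = mmap executable, r = read,
  # ix = execute with the current profile inherited. No 'w'.
  /usr/bin/sample mrix,
}
```

When a confined process merely reads a value out of the binary, as the question describes, the `r` part of the rule covers that access; the `m` and `ix` parts are what the kernel may additionally require when the executable itself is launched or re-executed under this profile.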