[apparmor] Apparmor policy hide?
Jacek
wampir990 at gmail.com
Fri Mar 26 10:17:29 UTC 2021
Thanks
A little test:
# G1 Gentuś ### Fri Mar 26 11:10:44 localhost : /home/duch
# root ~> tail /etc/apparmor.d/bin.ping
network netlink raw,
network unix stream,
signal receive set=cont peer=unconfined,
signal receive set=term peer=unconfined,
hide w /bin/ping,
### mrix,
kill w /bin/ping6,
}
# G1 Gentuś ### Fri Mar 26 11:10:57 localhost : /home/duch
# root ~> apparmor_parser -r /etc/apparmor.d/bin.ping
AppArmor parser error for /etc/apparmor.d/bin.ping in profile
/etc/apparmor.d/bin.ping at line 34: missing an end of line character?
(entry: hide)
Can I request a more precise example of the syntax for this entry?
;)
Cheers
On 26.03.2021 at 09:57, John Johansen wrote:
> it helps sometimes, but is very much still an error code and
> dependent on how the application is handling returned errors. With that
> said hiding via returning ENOENT instead of EACCES is part of the
> extended perm work that should be landing upstream over the next cycle
> or two. Eg.
>
> hide w /foo/bar,
>
> This of course doesn't stop an application from being able to
> discover something isn't right, eg. if you give directory read access
> the dir listing will show the entry that is being hidden, this as you
> said is more about trying not to break certain applications.
>
> The other option you have is the heavy hammer of killing the task
> instead. Currently that is limited to a profile flag but the extended
> perm work will make that possible to specify at the rule level.
>
> kill w /etc/password,
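As an added illustration, not code from this thread or from AppArmor itself, of why the quoted reply distinguishes ENOENT from EACCES and why `hide` is not real concealment: the two mediation outcomes are simulated in Python by raising the corresponding errno against a constructed temporary file, and a typical "optional config file" loader shows which one breaks the application.

```python
import errno
import os
import tempfile

# The two mediation outcomes discussed in the thread, simulated by raising
# the errno the kernel would hand back to the confined process.
def deny_as_eacces(path):
    raise PermissionError(errno.EACCES, os.strerror(errno.EACCES), path)

def deny_as_enoent(path):
    raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)

def load_optional_config(path, opener=open):
    """Typical application code: an absent optional file is fine (returns
    None), but any other error propagates and aborts the caller."""
    try:
        with opener(path) as f:
            return f.read()
    except FileNotFoundError:
        return None          # ENOENT: "not configured", carry on

def run_under(mediation, path):
    """Run load_optional_config() with `path` mediated by `mediation`.
    Returns 'ok', 'skipped' (app carried on) or 'crashed' (unhandled error)."""
    def confined_open(p, *args, **kwargs):
        if p == path:
            mediation(p)     # deny before the real open() happens
        return open(p, *args, **kwargs)
    try:
        result = load_optional_config(path, confined_open)
    except PermissionError:
        return 'crashed'
    return 'skipped' if result is None else 'ok'

def directory_reveals(path):
    """The caveat from the thread: with directory read access the hidden
    entry still shows up in the listing, so 'hide' is not concealment."""
    return os.path.basename(path) in os.listdir(os.path.dirname(path))

def demo():
    """Constructed scenario: a readable file that the policy then denies."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, 'ping.conf')
        with open(target, 'w') as f:
            f.write('constructed sample content\n')
        return (run_under(deny_as_eacces, target),   # 'crashed'
                run_under(deny_as_enoent, target),   # 'skipped'
                run_under(lambda p: None, target),   # 'ok' (no mediation)
                directory_reveals(target))           # True

if __name__ == '__main__':
    print(demo())
```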