[apparmor] Apparmor: global profile queries
Christian Boltz
apparmor at cboltz.de
Mon Jan 23 12:53:14 UTC 2023
Hello,
Am Montag, 23. Januar 2023, 02:47:38 CET schrieb Murali Selvaraj:
> I am trying to use a global/system-wide Apparmor profile to restrict
> the executing of any scripts from /tmp folder.
> As a first step, I added this entry (audit deny /tmp/* x,) and I was
> expecting Apparmor audit logs while executing the script from /tmp/
> (sh /tmp/foo.sh).
^^
That's the problem: you called
sh /tmp/foo.sh
which means sh (/bin/sh) gets executed. sh then _reads_ the script,
but does not _execute_ it.
For comparison, try
chmod +x /tmp/foo.sh
/tmp/foo.sh
which should get blocked.
Unfortunately I can't offer an easy way to block sh /tmp/foo.sh
Maybe you could execute interpreters like sh, bash, perl, python etc. in
a separate profile that doesn't allow access to /tmp/, but that will also
block/break valid uses of files in /tmp/.
Regards,
Christian Boltz
--
Das einzige Instrument, das ich beherrsche, ist MP3-Player.
[Kristian Köhntopp]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20230123/50d3f08e/attachment.sig>
More information about the AppArmor
mailing list