[apparmor] Apparmor: global profile queries

Christian Boltz apparmor at cboltz.de
Mon Jan 23 12:53:14 UTC 2023


Hello,

On Monday, 23 January 2023, 02:47:38 CET, Murali Selvaraj wrote:
> I am trying to use a global/system-wide Apparmor profile to restrict
> the execution of any scripts from the /tmp folder.
> As a first step, I added this entry (audit deny /tmp/* x,) and I was
> expecting Apparmor audit logs while executing the script from /tmp/
> (sh /tmp/foo.sh).
   ^^
That's the problem: you called
    sh /tmp/foo.sh
which means   sh   (/bin/sh) gets executed. sh then _reads_ the script, 
but does not _execute_ it.

For comparison, try
    chmod +x /tmp/foo.sh
    /tmp/foo.sh
which should get blocked.


Unfortunately I can't offer an easy way to block   sh /tmp/foo.sh
Maybe you could execute interpreters like sh, bash, perl, python etc. in 
a separate profile that doesn't allow access to /tmp/, but that will also 
block/break valid uses of files in /tmp/.


Regards,

Christian Boltz
-- 
The only instrument I have mastered is the MP3 player.
[Kristian Köhntopp]
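As an added illustration of the read-versus-execute distinction above (example configuration, not from the thread or the AppArmor project), the interpreter-profile approach could look like this; the profile name, the interpreter paths and the broad allow rules are assumptions:

```apparmor
# Added example profile (not from this thread). Assumes sh is /usr/bin/sh or
# /usr/bin/dash; the profile name "interpreter-sh" is made up for this example.
#include <tunables/global>

profile interpreter-sh /usr/bin/{sh,dash} {
  #include <abstractions/base>

  # The interpreter itself: map and read its own binary.
  /usr/bin/{sh,dash} mr,

  # Same intent as the global rule from the question, but recursive (** instead
  # of *): direct execution of anything under /tmp is refused and logged.
  # This is what catches `chmod +x /tmp/foo.sh; /tmp/foo.sh`.
  audit deny /tmp/** x,

  # Extra rule for the interpreter profile: the shell may not READ /tmp either,
  # so `sh /tmp/foo.sh` is refused as well. As the reply warns, this also breaks
  # legitimate uses of files in /tmp from the shell (e.g. `. /tmp/env`).
  audit deny /tmp/** r,

  # Broad allow rules so the example shell still works; deny rules always win
  # over allow rules in AppArmor, so the two deny lines above still apply.
  # A real profile should be far narrower than this.
  /** rwkl,
  /** ix,
}
```

Load it with `apparmor_parser -r <file>`; the refused accesses then show up as `apparmor="DENIED"` events in the kernel or audit log.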

