[apparmor] Apparmor: global profile queries

John Johansen john.johansen at canonical.com
Wed Jan 25 19:03:39 UTC 2023 

On 1/25/23 10:49, Murali Selvaraj wrote:
> Hi Christian,
> 
> Thanks for the explanation.
> 
> My requirement is to find a way to avoid/block the script (sh /tmp/foo.sh) execution  from directories like (/tmp/).
> However I am unable to meet this requirement using the profile below.
> 
> cat bin.sh
> profile sh_restriction /bin/sh  flags=(attach_disconnected,complain) {
>    ptrace,
>    signal,
>    capability,
>    /tmp/** r,
>    audit /tmp/** x,
>    / r,
>    /** rwixkml,
> }
> 

> If I update the line *audit /tmp/** r, *I am able to get all the read operations in /tmp/.
> Do we have any options to get ONLY execute operations (*sh /tmp/foo.sh*) from the list ( without audit "read" operation logs ).
> 

sadly this isn't supported atm. It has been something we have wanted for a long time but is tricky from an LSM pov. There are some proposed ways of dealing with this that may be acceptable upstream (Linux kernel) but until we get that resolved we can't land this in apparmor.

The goal is to get to something like

   profile /tmp/* interpreter=/bin/bash { ... }

this would allow for a trap profile (a profile with no permissions) to stop such executions. But there is also work on having deny entries for attachments. ie.

   deny /tmp/* interpreter=/** { ... }

which would allow a straight denial instead of a trap profile


> audit: type=1400 audit(1674669489.761:6): apparmor="AUDIT" operation="open" profile="sh_restriction" name="/tmp/foo.sh" pid=8910 comm="sh" requested_mask="r" fsuid=0 ouid=0
> 
> Please share your inputs.
> 
> Thanks
> Murali.S
> 
> On Wed, Jan 25, 2023 at 7:56 AM Christian Boltz <apparmor at cboltz.de <mailto:apparmor at cboltz.de>> wrote:
> 
>     Hallo,
> 
>     Am Mittwoch, 25. Januar 2023, 03:44:59 CET schrieben Sie:
>      > Thanks for the details. I have created a profile for /bin/bash to add
>      > a restriction to run the script in /tmp using sh /tmp/foo.sh.
>      > For testing purposes, I added an audit as follows but it is NOT
>      > working as expected.
> 
>     I'd argue it _does_ work as expected ;-)
> 
>      > profile bash /bin/bash.bash  flags=(attach_disconnected,complain) {
>      >   ptrace,
>      >   signal,
>      >   capability,
>      > *  audit /tmp/** ix,*
> 
>     So you still only audit execution, but "sh /tmp/foo.sh" only _reads_ the
>     script. Add
> 
>          audit /tmp/** r,
> 
> 
>     BTW: If you have more questions, please answer on the mailinglist again.
> 
> 
>     Regards,
> 
>     Christian Boltz
>     -- 
>     each feature contain at least one bug :)
>     [Josef Reidinger in yast-devel]
>

More information about the AppArmor mailing list