[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots
John Dong
jdong at johndong.com
Fri Nov 20 20:10:24 UTC 2009
Upon a bit of further investigation, it's interesting to note that btrfs
snapshots preserve ownership (i.e. btrfsctl -S test / --> test is owned
by root:root just like /)

So, one workaround is the policy invariant "Any directories where a
confined process can write to should only be granted owner read
permissions", though this is a pretty subpar workaround...

Even in a fairly restricted apparmor profile, as long as inherit-execute
permissions are available to the btrfsctl binary, and write
permissions exist to the snapshot destination, btrfs snapshotting will
succeed. No further AA capabilities are required, which is a bit
concerning.
--
Too easy to circumvent AppArmor using btrfs snapshots
https://bugs.launchpad.net/bugs/484786
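
The invariant quoted in the message above can be checked mechanically. The following is an added example, not part of the original message or of AppArmor itself: a small audit that reports whether a profile lets the confined process run btrfsctl and lists writable paths whose read permission is not restricted with the `owner` qualifier. The sample profile, the path /sbin/btrfsctl and the function names are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed sample profile; every path in it, including /sbin/btrfsctl,
# is an assumption made for this example.
SAMPLE_PROFILE = """\
/usr/bin/example {
  /lib/** mr,
  /sbin/btrfsctl ix,
  /home/*/scratch/** rw,
  owner /home/*/private/** rw,
  /var/log/example.log w,
}
"""

# Only simple file rules are parsed: [owner] <path> <perms>,
# deny rules, includes, variables and capability lines are ignored.
RULE = re.compile(r"^\s*(owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*$")

def parse_rules(text):
    """Yield (owner_only, path_glob, perms) for each simple file rule."""
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            yield bool(m.group(1)), m.group(2), m.group(3)

def audit(text, tool="/sbin/btrfsctl"):
    """Report whether the tool is executable and which writable path
    patterns are also readable without the owner qualifier."""
    rules = list(parse_rules(text))
    # Any execute mode (ix, px, ux, ...) on the tool counts as runnable.
    # fnmatch lets '*' cross '/', so this over-approximates AppArmor globs.
    can_run = any(fnmatch.fnmatch(tool, p) and "x" in perms.lower()
                  for _, p, perms in rules)
    writable = {p for _, p, perms in rules if "w" in perms}
    open_read = {p for own, p, perms in rules if "r" in perms and not own}
    # Patterns are compared as identical strings only; overlapping but
    # differently written globs are not detected.
    return {"tool_executable": can_run,
            "violations": sorted(writable & open_read)}

if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE))
```
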