[apparmor] Question on script profile permissions
John Johansen
john.johansen at canonical.com
Tue Jul 22 19:16:53 UTC 2014
Recently a bug was opened due to a misunderstanding of how apparmor's
script handling and permissions work.
https://bugs.launchpad.net/apparmor/+bug/1346553
Basically the profile that a script runs under does not need r or x
permissions on the interpreter (generally). The question was raised
if this is the behavior that is desired, or whether a script profile
should require access permissions to the interpreter's binary.
AppArmor used to do this years ago, and it would be fairly trivial to
add it back in (kernel change only). And it could be conditional on
ABI versioning to maintain compatibility.
So that only leaves the question of whether we should keep the
current behavior or require explicit permissions for the interpreter
binary.