[apparmor] Understanding child profiles and file_inherit

intrigeri intrigeri at debian.org
Sun Nov 12 14:16:16 UTC 2017


hi,

Vincas Dargis:
> On 2017.11.05 13:10, intrigeri wrote:
>>> Is it possible to deny all of these file_inherit somehow?
>>
>> Probably, with a wide deny rule such as (/**).

> Is it possible to select file_inherit only?

I don't think so.

> I mean, this will not allow even mmap
> executable itself, and it would deny all these file rules in <abstraction/base>,
> wouldn't it?

> In this case:

> ```
> /{,usr}/bin/locale Cx -> locale,
>
> profile locale {
>   #include <abstractions/base> # has to work
>
>   /{,usr}/bin/locale mr, # has to work
>
>   deny /* something something ? What could I write here? Is there deny file_inherit /** ? */
> }
> ```

Sorry, I have no good solution to propose. Either you need to
explicitly deny each inherited file, or you can deny everything ("deny
/**") and then add exceptions for what locale really needs to access,
but that'll make either debugging harder (without "audit", you'll get
bug reports without any useful info) or the logs super noisy (with
"audit", which is equivalent to your starting point so not terribly
useful).

Best would of course be to modify skypeforlinux so it does not give
locale all these open filehandles, but I guess it's not an option here
if we're talking about proprietary software :/

I hope I'm missing another, better solution :)

Cheers,
-- 
intrigeri
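Added example, not from this thread or from the AppArmor project, showing the mechanism behind those file_inherit entries: a descriptor the parent leaves inheritable survives exec into the child (and so lands in the child profile), while marking it close-on-exec or closing non-essential descriptors before exec keeps it out. Assumes Linux/POSIX and Python 3; the temp file stands in for whatever the parent had open.

```python
import os
import subprocess
import sys
import tempfile

# Child-side probe (constructed): report whether a given fd number still
# refers to the parent's file, by comparing inode numbers. Comparing inodes
# rather than just fstat() succeeding avoids false positives if the child
# reused that fd number for something else during interpreter startup.
PROBE = (
    "import os, sys\n"
    "fd, ino = int(sys.argv[1]), int(sys.argv[2])\n"
    "try:\n"
    "    sys.exit(0 if os.fstat(fd).st_ino == ino else 1)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
)


def child_can_see_fd(inheritable: bool, close_fds: bool) -> bool:
    """Open a file in the parent, exec a child, and return True if the child
    can still use that descriptor (i.e. it would show up as file_inherit)."""
    with tempfile.NamedTemporaryFile() as tmp:
        fd = os.open(tmp.name, os.O_RDONLY)
        # inheritable=False is the O_CLOEXEC case: the kernel drops the fd
        # at exec time. inheritable=True is how fds are leaked to children.
        os.set_inheritable(fd, inheritable)
        ino = os.fstat(fd).st_ino
        try:
            # close_fds=True is the "close everything before exec" fix done
            # in userspace; close_fds=False leaves inheritable fds alone.
            rc = subprocess.run(
                [sys.executable, "-c", PROBE, str(fd), str(ino)],
                close_fds=close_fds,
            ).returncode
        finally:
            os.close(fd)
        return rc == 0


if __name__ == "__main__":
    print("leaked (inheritable, no close_fds):", child_can_see_fd(True, False))
    print("O_CLOEXEC set:                     ", child_can_see_fd(False, False))
    print("closed before exec:                ", child_can_see_fd(True, True))
```

The first call is the situation in the thread (the child inherits descriptors it never asked for); the other two are the two ways the parent can stop that without any deny rule in the child profile.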