[apparmor] Apparmor: Queries
Seth Arnold
seth.arnold at canonical.com
Tue Apr 13 18:33:13 UTC 2021
On Tue, Apr 13, 2021 at 11:18:12PM +0530, Murali Selvaraj wrote:
> We have observed that a few configuration files are present in /tmp which are
> needed for certain processes.
> For example, a few of the files are hidden files located in /tmp/.
>
> In that case, shall we add the entry below
>
> /tmp/** rw,
>
> or do we need to add file-specific entries as below
>
> /tmp/file.txt r,
> /tmp/.init_complete rw,
>
> Which would be the best way for security concerns as well as embedded devices?
> Please advise.
I'm worried that applications that are writing to /tmp/ using fixed
filenames like this are likely to be susceptible to /tmp/ file races. You
can enable the kernel's mitigations (see sysctl -a | grep fs.protected)
for this, but that's only a partial mitigation for the problem.
Better is for the applications to write their temporary files into
per-application directories as appropriate.
Certainly I'd want to give tighter rules than /tmp/** rw, wherever
possible.
Thanks
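As an added example (not part of the thread or of AppArmor itself), a Python sketch of the reply's recommendations: read the kernel's fs.protected_* knobs, create a per-application 0700 directory under /tmp with an unpredictable name, create files inside it with O_EXCL|O_NOFOLLOW so a pre-placed file or symlink is refused, and emit AppArmor rules scoped to that directory instead of `/tmp/** rw,`. The application name `myapp` and the exact rule wording are assumptions.

```python
import os
import stat
import tempfile

APP_NAME = "myapp"  # constructed name; the profile in the thread is not named


def read_protected_sysctls(root="/proc/sys/fs"):
    """Read the fs.protected_* knobs the reply mentions; None where absent."""
    values = {}
    for name in ("protected_symlinks", "protected_hardlinks",
                 "protected_regular", "protected_fifos"):
        try:
            with open(os.path.join(root, name)) as f:
                values[name] = int(f.read().strip())
        except (OSError, ValueError):
            values[name] = None
    return values


def private_tmpdir(app=APP_NAME, base="/tmp"):
    """Create an unpredictable 0700 directory <base>/<app>-XXXXXX owned by us:
    the per-application directory the reply recommends over fixed names."""
    path = tempfile.mkdtemp(prefix=f"{app}-", dir=base)
    st = os.lstat(path)  # lstat: do not follow a symlink planted at that path
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        raise RuntimeError(f"unexpected owner or type for {path}")
    return path


def create_private_file(dirpath, name, data=b""):
    """Create a file in that directory without following a symlink or reusing
    a pre-existing file (O_EXCL|O_NOFOLLOW), mode 0600; raises FileExistsError."""
    path = os.path.join(dirpath, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def mode_of(path):
    """Permission bits of a path, for checking the results above."""
    return os.stat(path).st_mode & 0o777


def apparmor_rules(app=APP_NAME):
    """Rules scoped to the per-app directory rather than '/tmp/** rw,';
    'owner' further limits matches to files owned by the confined task's uid."""
    return [f"owner /tmp/{app}-*/ rw,", f"owner /tmp/{app}-*/** rw,"]
```

`mkdtemp` creates the directory atomically with mode 0700, so the name is both unguessable and already ours before any file is written into it.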