[apparmor] Apparmor Link rules

Hans Gruber moocan2112 at yahoo.fr
Thu Apr 22 01:23:40 UTC 2021


Hello,
I'm trying to secure and restrict access for a bash script which needs to perform actions on a symlink (update its timestamp and create it if missing).
Is it possible to use an AppArmor link rule for a symbolic link, or is it only for hard links?
I can't find information about symbolic links.
According to the AppArmor Core Policy Reference at https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference only hard links are specified.
The bash script uses ln, which requires two rules:

  /path/symlink rw,
  /path/[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9] rw,

The second one is required because ln creates a temporary file such as /path/CgX8vf6d, and its name
changes each time. Without this rule ln fails and the audit log records denied access for the creation of /path/CgX8vf6d. But I don't like this rule because it opens potential rw access to all files in /path, which is a sensitive folder.
I would like to know if it's possible to use a link rule to avoid the second one, which requires rw for read and creation.

I tried using a link rule but it never worked, although it could be misuse on my part.
Thank you in advance.
Regards



