[apparmor] give a permission to a specific process
Seth Arnold
seth.arnold at canonical.com
Tue Nov 16 20:20:44 UTC 2021
On Tue, Nov 16, 2021 at 11:44:15AM +0200, beroal wrote:
> Hi. I wonder whether AppArmor allows giving a permission to a specific
> process. A use case: there are UI programs (editors, viewers) that need
> temporary access to a file specified by a user (to edit, to view).
Work is ongoing to allow delegation of privileges via 'portals'
(similar in spirit to the "PowerBox" style of capability object systems
http://wiki.c2.com/?PowerBox ). I'm not sure if this is what you're
really asking about, however...
> Unfortunately, AppArmor profiles give permissions to executable files. For
> example, if a user gives executable $E access to /tmp/$F, any user will have
> access to /tmp/$F by executing $E. Hence a user needs a feature which gives
> permission $R to any process that executes executable $E **as a user $U**
> where $R, $E, and $U are specified by the user. A feature which gives
> permission $R to process $P would be nice too, but isn't essential. There is
> a problem of how a non-root user can use this feature, but it's a separate topic.
>
> Does AppArmor have such a feature? Maybe, there is a better tool for this
> use case?
Do note that in your description, User A creates /tmp/$F. User B can
access /tmp/$F through cat, vim, dd, cp, etc. even without using
executable $E IFF the permissions on /tmp/$F allow it.
Your security policies need to be developed with a view to the total
system. It's possible to design AppArmor profiles that will keep users
from sharing data with each other: ensure users cannot start unconfined
processes, ensure the profiles require 'owner' access to any locations
that allow users to write to them.
It's hard to give concrete advice for hypotheticals -- about all I can
really suggest is that you need to keep the entire view of everything you
allow on your systems in mind when you're writing policy.
AppArmor's very flexible. You can confine just the network-oriented
servers or clients. You can confine everything users do. You can confine
the elements of a user interface. If you have unconfined processes in your
environment, you've exempted those from AppArmor confinement. Don't lose
sight of these.
Thanks
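The "owner" point above, illustrated as an added example that is not from the original message or from the AppArmor project: two profiles for a hypothetical editor binary. The first grants the rule beroal describes (any user running the editor reaches any file under /tmp); the second uses the `owner` qualifier so the rule only matches files whose uid equals the calling task's fsuid, and refuses exec transitions so the editor cannot escape to an unconfined child. The binary paths and profile names are assumptions.

```apparmor
# Added example (not from the original post). Paths are hypothetical.

# Weak: any user who runs this editor can read or write any file under
# /tmp, whatever its owner. This is exactly the cross-user leak beroal
# describes: user B runs the editor and opens user A's /tmp/$F, provided
# the DAC mode bits on /tmp/$F permit it.
profile editor_weak /usr/local/bin/editor-weak {
  #include <abstractions/base>

  /tmp/**      rw,
  @{HOME}/**   rw,
}

# Corrected: 'owner' makes each rule match only when the file's uid equals
# the process's fsuid, so user B's editor process cannot touch user A's
# /tmp/$F even though the same rule text applies to both users.
profile editor /usr/local/bin/editor {
  #include <abstractions/base>

  owner /tmp/**      rw,
  owner @{HOME}/**   rw,

  # No exec rules at all: a confined process may only execute what the
  # policy lists, so shell escapes and helper programs are refused instead
  # of running unconfined (never use ux/Ux here for that reason).
  # The explicit deny documents intent and wins over any broader allow
  # rule that might be added to this profile later.
  deny /bin/**      x,
  deny /usr/bin/**  x,
}
```

After loading with `apparmor_parser -r <profile-file>` (the usual path is under /etc/apparmor.d/), a quick check is to create a file as one user, then run the confined editor as another user against it: with the second profile the open fails and `dmesg` or the audit log shows an `apparmor="DENIED"` entry for the `owner`-qualified path. Note that `owner` does nothing for files the users deliberately share via world- or group-writable directories; as the reply says, the policy has to be designed with the whole system in mind.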