[apparmor] give a permission to a specific process

beroal me at beroal.in.ua
Thu Nov 18 15:21:17 UTC 2021


On 16.11.21 22:20, Seth Arnold wrote:
> On Tue, Nov 16, 2021 at 11:44:15AM +0200, beroal wrote:
>> Hi. I wonder whether AppArmor allows giving a permission to a specific
>> process. A use case: there are UI programs (editors, viewers) that need
>> temporary access to a file specified by a user (to edit, to view).
> Work is ongoing to allow delegation of privileges via 'portals'
> (similar in spirit to the "PowerBox" style of capability object systems
> http://wiki.c2.com/?PowerBox  ). I'm not sure if this is what you're
> really asking about, however...
Yes, PowerBox is what I have in mind. The idea is ancient, but I'm not 
aware of any implementation for Linux except for Plash 
http://plash.beasts.org/contents.html .

At first, I planned to have directories ~/.phome/$PROGRAM for every 
$PROGRAM. (Of course, $PROGRAM doesn't have access to the home directory 
except for ~/.phome/$PROGRAM. This is the whole point and is achieved 
through AppArmor.) This would require crazy file moving for files that 
are accessed by many programs. For example, when writing documents, 
archiving them, and then sending them by email.


>> Unfortunately, AppArmor profiles give permissions to executable files. For
>> example, if a user gives executable $E access to /tmp/$F, any user will have
>> access to /tmp/$F by executing $E. Hence a user needs a feature which gives
>> permission $R to any process that executes executable $E **as a user $U**
>> where $R, $E, and $U are specified by the user. A feature which gives
>> permission $R to process $P would be nice too, but isn't essential. There is
>> a problem how a non-root can use this feature, but it's a separate topic.
>>
>> Does AppArmor have such a feature? Maybe, there is a better tool for this
>> use case?
> Do note that in your description, User A creates /tmp/$F. User B can
> access /tmp/$F through cat, vim, dd, cp, etc. even without using
> executable $E IFF the permissions on /tmp/$F allow it.

It's okay since I want to protect files against malicious programs, not 
malicious users. (Protecting from malicious users is simple --- 
classical Unix file permissions.) But then it's okay that any user has 
access to /tmp/$F. Thank you for pointing this out :-) .

My plan is to make a daemon which allows a user to add file permissions 
to /etc/apparmor.d/temp/$PROGRAM. And there will be "include if exists 
<temp/$PROGRAM>" in /etc/apparmor.d/$PROGRAM.

This plan creates a vulnerability though. A malicious user $U0 can give 
a vulnerable program $E access to /home/$U1 and access /home/$U1 by 
controlling a process executing $E as $U1 (when $U1 uses $E) :-( .
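An added example, not code from the thread or from AppArmor: the core of the proposed daemon in POSIX shell. It appends one rule to the temp include file for $PROGRAM and, as the check against the cross-user grant described in the last paragraph, accepts a path only if the requesting uid owns it. The function name grant_temp_access and the APPARMOR_D variable are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: the core of the proposed daemon.
# It appends one AppArmor file rule to $APPARMOR_D/temp/$PROGRAM, which the
# main profile /etc/apparmor.d/$PROGRAM pulls in via
# "include if exists <temp/$PROGRAM>". Names are assumptions for this example.

APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"

# grant_temp_access PROGRAM PATH MODE REQUESTING_UID
# Exit status: 0 rule written, 2 bad path, 3 bad mode, 4 no such file,
# 5 requester does not own the file.
grant_temp_access() {
    prog=$1; path=$2; mode=$3; uid=$4
    # Absolute path, no globs, quotes or whitespace: a rule such as
    # "/home/$U1/** rw," is exactly the cross-user grant to refuse.
    case "$path" in
        /*) ;;
        *) return 2 ;;
    esac
    case "$path" in
        *[!A-Za-z0-9/._-]*) return 2 ;;
    esac
    case "$mode" in
        r|w|rw) ;;
        *) return 3 ;;
    esac
    # Mitigation for the problem in the last paragraph: only the owner of a
    # file may delegate access to it, so $U0 cannot hand $E a path in /home/$U1.
    [ -e "$path" ] || return 4
    owner=$(ls -ldn "$path" | awk '{ print $3 }')
    [ "$owner" = "$uid" ] || return 5
    mkdir -p "$APPARMOR_D/temp"
    printf '  %s %s,\n' "$path" "$mode" >> "$APPARMOR_D/temp/$prog"
    # Reload the profile so the rule takes effect; skipped when the parser
    # or the profile is absent (e.g. running this example on a test machine).
    if command -v apparmor_parser >/dev/null 2>&1 && [ -f "$APPARMOR_D/$prog" ]; then
        apparmor_parser -r "$APPARMOR_D/$prog"
    fi
}
```

The daemon would still need to run as root and authenticate the requesting uid (the "separate topic" above); the function only covers what is written into the include file.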