[apparmor] give a permission to a specific process
John Johansen
john.johansen at canonical.com
Thu Nov 18 18:47:33 UTC 2021
On 11/16/21 1:44 AM, beroal wrote:
> Hi. I wonder whether AppArmor allows one to give a permission to a specific process. A use case: there are UI programs (editors, viewers) that need temporary access to a file specified by a user (to edit, to view).
>
As Seth has already pointed out, what you are looking for is more of a capability model. While there is work to extend AppArmor in this direction, user space integration so trusted helpers (portals, snap, ..) can use object delegation or extend profiles, currently AppArmor is more of an ambient authority model.
> Unfortunately, AppArmor profiles give permissions to executable files. For example, if a user gives executable $E access to /tmp/$F, any user will have access to /tmp/$F by executing $E. Hence a user needs a feature which gives permission $R to any process that executes executable $E **as a user $U**, where $R, $E, and $U are specified by the user. A feature which gives permission $R to process $P would be nice too, but isn't essential. There is a problem of how a non-root user can use this feature, but it's a separate topic.
>
> Does AppArmor have such a feature? Maybe, there is a better tool for this use case?
>
No, and yes. It really depends on how you set up AppArmor. Running with the default of having users unconfined, behavior is limited to using profile attachments to determine who can execute which application and what its confinement is. Basically in terms of apparmor profile rules, unconfined has an exec rule of
/** pix,
Which, as you said, allows any user to run $E and gain access to /tmp/$F.
If you want to control which applications a user can execute, you need to confine the user. The user profile can then be used to determine what can be executed, and what the confinement can be. It can be locked into a single profile, allow transitioning to a different profile (say executable), or be a dynamic combination via profile stacking. Confining users is a huge topic beyond what I can spend the time writing here. Unfortunately pam_apparmor (the primary way to achieve this) has not been updated in years and is a real pita to work with atm.
Better user confinement is something that is being worked on currently from multiple angles.
- We have someone working on improving pam_apparmor.
- There is work to extend profile attachments so that they can have a user conditional, e.g.
profile example /bin/example user=foo { ... }
- There is work to extend the profile attachment syntax to allow blocking of executing an application
deny /sbin/** user=foo,
profile bar /bin/bar { ... }
Sadly none of this is available to you atm.
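As an added illustration (not part of the thread and not AppArmor project code) of the "confine the user" approach John describes with syntax that exists today: an attachment-based profile for the editor that omits the shared file, a second profile with no attachment that grants it and is reachable only through a named transition, and a session profile for one user that performs that transition. It assumes pam_apparmor places user "u"'s login session into `user_u`; the editor path and `/tmp/shared-doc.txt` are placeholders standing in for $E and /tmp/$F.

```apparmor
#include <tunables/global>

# Selected for unconfined callers by the implicit "/** pix," rule, because
# its attachment matches the executable. /tmp/shared-doc.txt is not listed,
# so AppArmor's default deny applies to every user who reaches it this way.
profile editor /usr/bin/editor {
  #include <abstractions/base>
  /usr/bin/editor mr,
  owner @{HOME}/** rw,
}

# No attachment path: "pix" never selects this profile by itself. It can only
# be entered through an explicit named transition such as the one below.
profile editor_for_u {
  #include <abstractions/base>
  /usr/bin/editor mr,
  owner @{HOME}/** rw,
  /tmp/shared-doc.txt rw,
}

# Session profile for user "u" (assumed to be applied at login by pam_apparmor).
# A real session profile needs far more than this; only the exec rules matter here.
profile user_u {
  #include <abstractions/base>
  /bin/bash ix,
  owner @{HOME}/** rw,
  # Same executable as above, but user u's processes transition to the
  # profile that holds the extra permission instead of the attached one.
  /usr/bin/editor px -> editor_for_u,
}
```

Without the session profile, user u's shell is unconfined and its exec of the editor lands in `editor`, which is exactly the "any user" behaviour the original question complains about.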