[apparmor] give a permission to a specific process
beroal
me at beroal.in.ua
Wed Nov 24 11:41:57 UTC 2021
On 18.11.21 17:21, beroal wrote:
> My plan is to make a daemon which allows a user to add file
> permissions to /etc/apparmor.d/temp/$PROGRAM. And there will be
> "include if exists <temp/$PROGRAM>" in /etc/apparmor.d/$PROGRAM.
>
> This plan creates a vulnerability though. A malicious user $U0 can
> give a vulnerable program $E access to /home/$U1 and access /home/$U1
> by controlling a process executing $E as $U1 (when $U1 uses $E) :-( .
>
If anybody's interested, I have a better plan. The daemon creates a
temporary executable $E1 which `execv`s to $E and a temporary profile
containing permissions $R for $E1 where $E and $R are provided by a
client. The client is supposed to execute $E1 themselves.
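
One way the daemon's profile-generation step for $E1 could look, as an added example that is not part of the original post and not AppArmor's own code. The character whitelist, the allowed permission set, the `ix` transition to $E, the profile naming and all sample paths are assumptions.

```python
import re

# Assumption: client paths may use only these characters, so a rule cannot
# smuggle commas, newlines, braces, quotes or @{variables} into the profile.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._+\-/*]*")
# Assumption: clients may request file read/write/lock/link only, never exec.
ALLOWED_PERMS = set("rwkl")


def check_rule(path, perms):
    """Validate one client-supplied file rule; return it as a profile line."""
    if not SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise ValueError(f"rejected path: {path!r}")
    if not perms or not set(perms) <= ALLOWED_PERMS:
        raise ValueError(f"rejected permissions: {perms!r}")
    return f"  {path} {perms},"


def render_profile(wrapper, target, rules):
    """Build profile text attached to the wrapper $E1 only.

    wrapper -- path of the temporary executable ($E1), chosen by the daemon
    target  -- path of the real program ($E)
    rules   -- client-supplied permissions ($R) as (path, perms) pairs
    """
    for p in (wrapper, target):
        if not SAFE_PATH.fullmatch(p) or "*" in p or ".." in p.split("/"):
            raise ValueError(f"rejected executable path: {p!r}")
    name = "temp_" + wrapper.strip("/").replace("/", "_")
    lines = [
        f"profile {name} {wrapper} {{",
        "  include <abstractions/base>",
        f"  {wrapper} mr,",
        # ix: $E inherits this profile, so $R applies only to processes
        # started through $E1, not to every user's run of $E.
        f"  {target} mrix,",
    ]
    lines += [check_rule(path, perms) for path, perms in rules]
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample request: paths are illustrative only.
    print(render_profile("/run/aa-temp/e1-0001", "/usr/bin/viewer",
                         [("/home/u0/shared/**", "r")]))
```

Because the profile attaches to the path of $E1 rather than to $E, the permissions in $R never reach another user's ordinary run of $E, which is the problem with the `include if exists` plan quoted above.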