[apparmor] any way of denying profiled executable(s) to be ran at all
janko metelko
janko.itm at gmail.com
Wed Nov 16 19:59:55 UTC 2022
Thank you for making AppArmor, if any of the developers are here. I am not
a security guy, but such a solution seems like it should or will become an
absolute must-use for any application deployment, locally or on a server.
I have a question. I want to make a profile that prevents execution of any
file from user-writable directories like /home /tmp, *except* if the
executable has an AA profile.
This would effectively mean that the user (or user level process) can't
(knowingly or unknowingly) "install" and run anything that wasn't
"confirmed" by root.
It seems I can do this by creating an empty profile for /home/** which
denies everything and then creating separate AA profiles for specific
executable files inside /home that I allow to run.
If I understand it right, all executables in /home without profiles will in
this case crash or at least can't do any side effects since they are
blocked from all IO/shared libs/configs/etc. In practice, they will
probably just crash. It would be a much nicer experience if such apps were
prevented from running, rather than starting and crashing.
But I can only find directives in AA that limit or allow certain resources
to the executable, and no directive that would prevent an executable from
being run in the first place.
Is there any such solution? Am I maybe looking at it all wrong? Should I do
this on another level, not with AppArmor?
*Example*
Maybe stupid example, but still. Let's say I want to prevent non-root users
or RCEs from wget-ing into any directory other than /tmp. I can
simply create a profile for /usr/bin/wget { ... /tmp w, } and the job is
done. But user/RCE can then simply do cp /usr/bin/wget ~/mywget and use
wget for whatever it wants. If we prevent execution of non-profiled
executables in user writable directories then he/it can't do that and our
primary objective stands.
I hope it makes some sense ... Thank you again. Ubuntu rocks also, and
Xubuntu! :)
Janko
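
Added example, not part of the original post and not AppArmor's own code: a simplified Python model of path-based profile attachment, showing why the copied wget described above ends up with no profile and how a /home/** catch-all would layer with a specific profile. The path /home/user/bin/approved-tool and the tie-break rule (exact match first, then longest literal prefix) are assumptions of this model; the kernel's matching may differ in detail.

```python
import re

def glob_to_regex(pattern):
    """Translate the AppArmor globs **, *, ? and {a,b} into an anchored regex."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):   # ** crosses directory separators
            out.append(".*")
            i += 2
            continue
        if c == "*":                      # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def literal_prefix_len(pattern):
    """Length of the pattern up to its first glob character."""
    m = re.search(r"[*?{]", pattern)
    return m.start() if m else len(pattern)

def attach(exec_path, profiles):
    """Return the attachment pattern that would apply to exec_path, or None."""
    matches = [p for p in profiles if glob_to_regex(p).match(exec_path)]
    if not matches:
        return None  # no profile attaches: the binary runs unconfined
    # Assumed tie-break: exact match wins, then the longest literal prefix.
    return max(matches, key=lambda p: (p == exec_path, literal_prefix_len(p)))

# Constructed profile sets: attachment paths only, rules omitted.
WGET_ONLY = ["/usr/bin/wget"]
WITH_CATCH_ALL = WGET_ONLY + ["/home/**", "/tmp/**",
                              "/home/user/bin/approved-tool"]  # hypothetical path

if __name__ == "__main__":
    for path in ("/usr/bin/wget", "/home/user/mywget",
                 "/home/user/bin/approved-tool"):
        print(path, "|", attach(path, WGET_ONLY), "|", attach(path, WITH_CATCH_ALL))
```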