[apparmor] Apparmor: global profile queries
Murali Selvaraj
murali.selvaraj2003 at gmail.com
Wed Jan 25 18:49:09 UTC 2023
Hi Christian,
Thanks for the explanation.
My requirement is to find a way to avoid/block the script (sh /tmp/foo.sh)
execution from directories like (/tmp/).
However I am unable to meet this requirement using the profile below.
cat bin.sh
profile sh_restriction /bin/sh flags=(attach_disconnected,complain) {
  ptrace,
  signal,
  capability,
  # reads under /tmp are allowed but not audited
  /tmp/** r,
  # audit only exec; an x permission needs a transition qualifier (ix here)
  audit /tmp/** ix,
  / r,
  /** rwixkml,
}
If I update the line to "audit /tmp/** r," I am able to get all the read
operations in /tmp/.
Do we have any options to get ONLY execute operations (sh /tmp/foo.sh)
from the list (without the audit "read" operation logs)?
audit: type=1400 audit(1674669489.761:6): apparmor="AUDIT" operation="open"
profile="sh_restriction" name="/tmp/foo.sh" pid=8910 comm="sh"
requested_mask="r" fsuid=0 ouid=0
Please share your inputs.
Thanks
Murali.S
On Wed, Jan 25, 2023 at 7:56 AM Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> On Wednesday, 25 January 2023, 03:44:59 CET, you wrote:
> > Thanks for the details. I have created a profile for /bin/bash to add
> > a restriction to run the script in /tmp using sh /tmp/foo.sh.
> > For testing purposes, I added an audit as follows but it is NOT
> > working as expected.
>
> I'd argue it _does_ work as expected ;-)
>
> > profile bash /bin/bash.bash flags=(attach_disconnected,complain) {
> > ptrace,
> > signal,
> > capability,
> > audit /tmp/** ix,
>
> So you still only audit execution, but "sh /tmp/foo.sh" only _reads_ the
> script. Add
>
> audit /tmp/** r,
>
>
> BTW: If you have more questions, please answer on the mailinglist again.
>
>
> Regards,
>
> Christian Boltz
> --
> each feature contain at least one bug :)
> [Josef Reidinger in yast-devel]
>
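Added example (not part of the thread, and not AppArmor's own tooling): a small Python filter over AppArmor audit lines that separates a real exec of a file under /tmp (the only event an `x` rule can match) from an interpreter's read of a script there, which is all that `sh /tmp/foo.sh` produces, as Christian points out. Only the first log line is from the mail; the second and third lines and the INTERPRETERS set are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log. Line 1 is the event quoted in the mail above
# (the interpreter reading /tmp/foo.sh); lines 2-3 are assumed events
# added for contrast: a direct exec of the script, and an unrelated read.
SAMPLE_LOG = """\
audit: type=1400 audit(1674669489.761:6): apparmor="AUDIT" operation="open" profile="sh_restriction" name="/tmp/foo.sh" pid=8910 comm="sh" requested_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1674669490.102:7): apparmor="AUDIT" operation="exec" profile="sh_restriction" name="/tmp/foo.sh" pid=8911 comm="bash" requested_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1674669491.330:8): apparmor="AUDIT" operation="open" profile="sh_restriction" name="/etc/hosts" pid=8912 comm="sh" requested_mask="r" fsuid=0 ouid=0
"""

# Interpreter process names whose "open ... r" of a script is really a
# script run (assumption for this example; extend to suit your hosts).
INTERPRETERS = {"sh", "bash", "dash"}

# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into its key=value fields."""
    return {k: q if q else bare for k, q, bare in FIELD_RE.findall(line)}


def classify(fields: Dict[str, str], prefix: str = "/tmp/") -> str:
    """Label an event relative to files under `prefix`:
    'exec'   the kernel executed the file itself (./foo.sh); matches an x rule
    'script' an interpreter opened it for reading (sh /tmp/foo.sh); only an r rule sees this
    'other'  anything else (unrelated reads, other paths)"""
    name = fields.get("name", "")
    if not name.startswith(prefix):
        return "other"
    if fields.get("operation") == "exec" and "x" in fields.get("requested_mask", ""):
        return "exec"
    if (fields.get("operation") == "open" and fields.get("requested_mask") == "r"
            and fields.get("comm") in INTERPRETERS):
        return "script"
    return "other"


def script_runs(log_text: str, prefix: str = "/tmp/") -> List[Tuple[str, str, str]]:
    """Return (label, name, comm) for every exec or interpreter read under prefix."""
    out = []
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        fields = parse_apparmor_line(line)
        label = classify(fields, prefix)
        if label != "other":
            out.append((label, fields["name"], fields["comm"]))
    return out


if __name__ == "__main__":
    for label, name, comm in script_runs(SAMPLE_LOG):
        print(f"{label:6} {name} (comm={comm})")
```

Filtering on the 'script' label is what "audit /tmp/** r," combined with this post-processing gives you; AppArmor itself cannot raise an exec event for a script that is only read by its interpreter.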