[apparmor] Apparmor: global profile queries
Seth Arnold
seth.arnold at canonical.com
Thu Jan 26 02:16:45 UTC 2023
On Wed, Jan 25, 2023 at 01:49:09PM -0500, Murali Selvaraj wrote:
> profile sh_restriction /bin/sh flags=(attach_disconnected,complain) {
> /tmp/** r,
> }
If a shell can read it, then a shell can execute it. The only real options
I can think of:
- prevent the shell from reading it
- modify the shell to prevent it from executing anything it reads --
perhaps require shell scripts to be signed? Disable interactive use?
Do you even need a shell installed on your computer? If you can remove
system(3) and popen(3) calls from all your software, you might be able to
remove the shell, too.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20230126/45917c75/attachment.sig>
More information about the AppArmor
mailing list