[apparmor] Splitting unlink from write
Zygmunt Krynicki
me at zygoon.pl
Wed Nov 26 13:17:05 UTC 2025
Hello
I'd like to propose splitting the textual permission "w", so that it
does not imply AA_MAY_DELETE if the file is a device, fifo or socket.
Profiles routinely grant "w" permission, but nobody in their right mind
expects applications to delete such files.
Both userspace and kernel can already kind-of express this. The only
question is how to do that in a way that doesn't force a painful profile
transition. I think we need a new permission bit.
My suggestion would be to add an AA_MAY_DELETE_SPECIAL permission.
Starting with some future ABI deleting devices, fifos and sockets would
check AA_MAY_DELETE_SPECIAL. A compatibility layer in the kernel would
then continue to grant AA_MAY_DELETE_SPECIAL for older ABIs.
On the userspace side we might define new syntax such as:
allow file PATH D,
Where D implies delete special.
I'm happy to take a stab at implementing it. The only thing I'm not sure
about is how to name the new feature "delete_special".
I'm grateful for your thoughts
Best regards
ZK
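The following is an added illustrative model of the semantics proposed above; it is not AppArmor kernel or parser code and is not part of the original post. AA_MAY_DELETE and AA_MAY_DELETE_SPECIAL are the names used in the post, but their bit values, the SPLIT_ABI cut-over number, the ftype enum, and the helper functions (perms_from_text, apply_compat, may_unlink) are assumptions made for this example. It shows how "w" keeps implying delete-special for profiles compiled against an older ABI, while a new-ABI profile needs the proposed "D" permission to unlink a device, FIFO or socket.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only, not AppArmor's real permission encoding.
 * The bit values below are arbitrary choices for this example. */
#define AA_MAY_WRITE           0x01u
#define AA_MAY_DELETE          0x02u
#define AA_MAY_DELETE_SPECIAL  0x04u   /* the bit proposed in the post */

/* File classes that the proposal distinguishes. */
enum ftype { FT_REGULAR, FT_DEVICE, FT_FIFO, FT_SOCKET };

/* Hypothetical ABI number at which the split would take effect. */
#define SPLIT_ABI 99u

/* Map textual permissions to bits under the proposed rule:
 * "w" grants write plus ordinary delete; only "D" grants delete-special.
 * Other permission letters are not modelled here. */
static uint32_t perms_from_text(const char *text)
{
    uint32_t bits = 0;
    for (; *text; text++) {
        switch (*text) {
        case 'w': bits |= AA_MAY_WRITE | AA_MAY_DELETE; break;
        case 'D': bits |= AA_MAY_DELETE_SPECIAL; break;
        default:  break;
        }
    }
    return bits;
}

/* Kernel-side compatibility layer: for a profile compiled against an ABI
 * older than the split, AA_MAY_DELETE continues to imply delete-special,
 * so existing "w" rules keep behaving exactly as they do today. */
static uint32_t apply_compat(uint32_t bits, unsigned abi)
{
    if (abi < SPLIT_ABI && (bits & AA_MAY_DELETE))
        bits |= AA_MAY_DELETE_SPECIAL;
    return bits;
}

static bool is_special(enum ftype t)
{
    return t == FT_DEVICE || t == FT_FIFO || t == FT_SOCKET;
}

/* Would unlink() of a file of type t be permitted by a rule carrying
 * perm_text, in a profile compiled against the given ABI?
 * Assumption of this model: special files check only the new bit. */
bool may_unlink(const char *perm_text, enum ftype t, unsigned abi)
{
    uint32_t bits = apply_compat(perms_from_text(perm_text), abi);
    uint32_t need = is_special(t) ? AA_MAY_DELETE_SPECIAL : AA_MAY_DELETE;
    return (bits & need) == need;
}

int main(void)
{
    printf("old ABI, \"w\" on socket : %s\n", may_unlink("w",  FT_SOCKET,  50)  ? "allowed" : "denied");
    printf("new ABI, \"w\" on socket : %s\n", may_unlink("w",  FT_SOCKET,  100) ? "allowed" : "denied");
    printf("new ABI, \"wD\" on fifo  : %s\n", may_unlink("wD", FT_FIFO,    100) ? "allowed" : "denied");
    printf("new ABI, \"w\" on regular: %s\n", may_unlink("w",  FT_REGULAR, 100) ? "allowed" : "denied");
    return 0;
}
```

The point of the apply_compat step is that no existing profile changes behaviour until it is recompiled against the new ABI; only then does "w" stop implying deletion of special files and "D" has to be added where that is really intended.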