Recently a bug was opened due to a misunderstanding of how AppArmor's script handling and permissions work.

https://bugs.launchpad.net/apparmor/+bug/1346553

Basically the profile that a script runs under does not need r or x permissions on the interpreter (generally). The question was raised if this is the behavior that is desired, or whether a script profile should require access permissions to the interpreter's binary.

AppArmor used to do this years ago, and it would be fairly trivial to add it back in (kernel change only). And it could be conditional on ABI versioning to maintain compatibility.

So that only leaves the question of whether we should keep the current behavior or require explicit permissions for the interpreter binary.
