Hi,

The strategy employed in abstractions/ubuntu-helpers for environment sanitizing
is ineffective for Python programs. For example, the check prohibiting
user-owned Python imports ("audit deny owner /**/*.py* r") can be avoided as
follows:

Using a symbolic link to avoid the check for the Python extension:
* Save the code to execute in a file without a .py extension, for example
  site.code.
* Create a symbolic link from site.py to site.code.
* Execute a Python program that transitions to the sanitized_helper profile
  with PYTHONPATH=directory containing site.py

Using Python's built-in support for zip imports:
* Create a zip file with the code to execute.
* Execute a Python program that transitions to the sanitized_helper profile
  with PYTHONPATH=zip file

Cheers,
--
Tomasz
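
A defensive audit for the two cases reported above, as an added example that is not part of the original message or of AppArmor: it lists PYTHONPATH entries whose import source falls outside the "*.py*" glob of the deny rule. The function names (rule_matches, audit_pythonpath, demo) are hypothetical, the sample files are constructed, and it assumes the rule is matched against the resolved path of a symbolic link's target.

```python
import fnmatch
import os
import tempfile
import zipfile

def rule_matches(path):
    # Approximates the tail of the glob "/**/*.py*" ("*" never crosses "/").
    return fnmatch.fnmatch(os.path.basename(path), "*.py*")

def audit_pythonpath(pythonpath, uid):
    """Return (kind, path) for uid-owned import sources the rule does not cover."""
    findings = []
    for entry in filter(None, pythonpath.split(os.pathsep)):
        if os.path.isfile(entry):
            # A regular file on PYTHONPATH is only usable as a zip import source.
            if zipfile.is_zipfile(entry) and os.stat(entry).st_uid == uid \
                    and not rule_matches(os.path.realpath(entry)):
                findings.append(("user-owned-zip", entry))
            continue
        if not os.path.isdir(entry):
            continue
        for name in sorted(os.listdir(entry)):
            link = os.path.join(entry, name)
            if not (os.path.islink(link) and rule_matches(link)):
                continue
            # The link name looks like Python, but the target is what gets read.
            target = os.path.realpath(link)
            if os.path.isfile(target) and os.stat(target).st_uid == uid \
                    and not rule_matches(target):
                findings.append(("py-symlink-to-non-py", link))
    return findings

def demo():
    """Audit a constructed PYTHONPATH built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "lib")
        os.mkdir(d)
        with open(os.path.join(d, "site.code"), "w") as f:
            f.write("# constructed placeholder\n")
        os.symlink("site.code", os.path.join(d, "site.py"))
        with open(os.path.join(d, "plain.py"), "w") as f:
            f.write("# regular file, covered by the rule\n")
        z = os.path.join(tmp, "bundle.zip")
        with zipfile.ZipFile(z, "w") as zf:
            zf.writestr("mod.py", "# constructed placeholder\n")
        found = audit_pythonpath(os.pathsep.join([d, z]), os.getuid())
        return [(kind, os.path.basename(p)) for kind, p in found]

if __name__ == "__main__":
    print(demo())
```

Run against the environment a helper would inherit, for example audit_pythonpath(os.environ.get("PYTHONPATH", ""), os.getuid()), any finding marks an import source that a suffix-based deny rule leaves readable.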