Or maybe there are, or going to be implemented, some other alternatives? Maybe
upcoming delegation could offer different approach?
delegation could help some but we really need to finish with the better control
over env var scrubbing, relying on the secure exec flag in glibc isn't enough
in some cases
Maybe you mean like that _capital_ C in "Cx" does not help here enough?
correct the env var scrubbing is done by setting a flag in the kernel that the
elf loader/linker responds to scrubbing certain dangerous environment
variables. But script interpreters have their own dangerous set beyond what the
elf loader scrubs, we plan to make it so you can specify additional scrubbing
in policy.
I think now I got it. It's not enough to remove LD_PRELOAD and similar. There
are more, specific ones...
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
