Hi, I have recently locked down a bunch of electron apps using AppArmor and I noticed something that doesn't yet make sense in my mind:
All electron apps I'm using do split into multiple executables: for one, the named executable which I call to start it, and for two, the app.asar, which seems to be the electron executable, which is in turn started by the "named executable". I locked down the named executable and added /path/to/app.asar rix, to the profile, and I would expect that this app.asar is then confined just like the executable the profile is made for (and which is originally called). According to htop, the app.asar is indeed a subprocess of the named executable. However, it doesn't seem to be so (at least with regards to the filesystem access).

To achieve this, I have to add an additional profile for /path/to/app.asar, and then modify the line above to /path/to/app.asar rpx, which achieves the desired containment effect. In practice this is what I'm doing anyway mostly, as the app.asar usually works with a tighter harness, but according to the documentation, shouldn't "ix" also have such an effect instead of the subprocess falling out of confinement? Or in other words: where is my mental model of AppArmor still incorrect? (I do have other execution flags in the profiles in question, but all of them are ix.)

Thanks in advance,
Jonas

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
