On Tue, Nov 16, 2021 at 11:44:15AM +0200, beroal wrote:
> Hi. I wonder whether AppArmor allows to give a permission to a specific
> process. A use case: there are UI programs (editors, viewers) that need
> temporary access to a file specified by a user (to edit, to view).

Work is ongoing to allow delegation of privileges via 'portals' (similar in spirit to the "PowerBox" style of capability object systems http://wiki.c2.com/?PowerBox ).

I'm not sure if this is what you're really asking about, however...

> Unfortunately, AppArmor profiles give permissions to executable files. For
> example, if a user gives executable $E access to /tmp/$F, any user will have
> access to /tmp/$F by executing $E. Hence a user needs a feature which gives
> permission $R to any process that executes executable $E **as a user $U**
> where $R, $E, and $U are specified by the user. A feature which gives
> permission $R to process $P would be nice too, but isn't essential. There is
> a problem how a non-root can use this feature, but it's a separate topic.
>
> Does AppArmor have such a feature? Maybe, there is a better tool for this
> use case?

Do note that in your description, User A creates /tmp/$F. User B can access /tmp/$F through cat, vim, dd, cp, etc. even without using executable $E IFF the permissions on /tmp/$F allow it.

Your security policies need to be developed with a view to the total system. It's possible to design AppArmor profiles that will keep users from sharing data with each other: ensure users cannot start unconfined processes, ensure the profiles require 'owner' access to any locations that allow users to write to them.

It's hard to give concrete advice for hypotheticals -- about all I can really suggest is that you need to keep the entire view of everything you allow on your systems in mind when you're writing policy.

AppArmor's very flexible. You can confine just the network-oriented servers or clients. You can confine everything users do. You can confine the elements of a user interface. If you have unconfined processes in your environment, you've exempted those from AppArmor confinement. Don't lose sight of these.

Thanks
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
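
The two policy points in the reply above (require 'owner' on user-writable locations, and do not let users start unconfined processes) can be seen in a profile like the following. This is an added example, not part of the original message or of AppArmor's shipped policy; the profile name and /usr/bin/example-viewer are hypothetical, and the choice of /usr/bin/less as a helper is an assumption for illustration.

```apparmor
# Constructed example profile. /usr/bin/example-viewer is a hypothetical
# program; adjust the paths to the application being confined.
#include <tunables/global>

profile example-viewer /usr/bin/example-viewer {
  #include <abstractions/base>

  # Weak setting: the rule matches on path alone, so every user who runs
  # the viewer gets read/write access to every file under /tmp, limited
  # only by the ordinary file permissions.
  # /tmp/** rw,

  # Corrected setting: 'owner' makes the rule apply only when the file is
  # owned by the fsuid of the confined process, so user B running the
  # viewer is denied access to a file that user A created in /tmp.
  owner /tmp/** rw,
  owner @{HOME}/** r,

  # Weak setting: 'ux' executes the helper unconfined, which exempts the
  # child process from AppArmor policy altogether.
  # /usr/bin/less ux,

  # Corrected setting: 'ix' keeps the helper under this same profile, so
  # the 'owner' restrictions above continue to apply to it.
  /usr/bin/less mrix,
}
```

As the reply notes, these rules only hold for the whole system if the user's other entry points (shell, file manager, and so on) are also confined; an unconfined shell can still reach the file whenever its permissions allow.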
