On 16.11.21 22:20, Seth Arnold wrote:
> On Tue, Nov 16, 2021 at 11:44:15AM +0200, beroal wrote:
>> Hi. I wonder whether AppArmor allows giving a permission to a specific
>> process. A use case: there are UI programs (editors, viewers) that need
>> temporary access to a file specified by a user (to edit, to view).
> Work is ongoing to allow delegation of privileges via 'portals'
> (similar in spirit to the "PowerBox" style of capability object systems
> http://wiki.c2.com/?PowerBox ). I'm not sure if this is what you're
> really asking about, however...

Yes, PowerBox is what I have in mind. The idea is ancient, but I'm not aware of any implementation for Linux except for Plash (http://plash.beasts.org/contents.html).

At first, I planned to have directories ~/.phome/$PROGRAM for every $PROGRAM. (Of course, $PROGRAM doesn't have access to the home directory except for ~/.phome/$PROGRAM. This is the whole point and is achieved through AppArmor.) This would require crazy file moving for files that are accessed by many programs. For example, when writing documents, archiving them, and then sending them by email.

>> Unfortunately, AppArmor profiles give permissions to executable files. For
>> example, if a user gives executable $E access to /tmp/$F, any user will have
>> access to /tmp/$F by executing $E. Hence a user needs a feature which gives
>> permission $R to any process that executes executable $E **as a user $U**
>> where $R, $E, and $U are specified by the user. A feature which gives
>> permission $R to process $P would be nice too, but isn't essential. There is
>> a problem of how a non-root user can use this feature, but it's a separate topic.
>>
>> Does AppArmor have such a feature? Maybe there is a better tool for this
>> use case?
> Do note that in your description, User A creates /tmp/$F. User B can
> access /tmp/$F through cat, vim, dd, cp, etc. even without using
> executable $E IFF the permissions on /tmp/$F allow it.

It's okay since I want to protect files against malicious programs, not malicious users. (Protecting from malicious users is simple --- classical Unix file permissions.) But then it's okay that any user has access to /tmp/$F. Thank you for pointing this out :-).

My plan is to make a daemon which allows a user to add file permissions to /etc/apparmor.d/temp/$PROGRAM. And there will be "include if exists <temp/$PROGRAM>" in /etc/apparmor.d/$PROGRAM.

This plan creates a vulnerability though. A malicious user $U0 can give a vulnerable program $E access to /home/$U1 and access /home/$U1 by controlling a process executing $E as $U1 (when $U1 uses $E) :-(.
-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
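As an added illustration (not AppArmor's code and not the daemon from the message above), this constructed Python helper shows the check such a daemon would want before appending to /etc/apparmor.d/temp/$PROGRAM, to close the gap described in the last paragraph: a requester may only grant $E access to files the requester already owns, and the emitted rule carries AppArmor's `owner` qualifier so it only takes effect for a process whose fsuid owns the file. The function and parameter names are assumptions.

```python
import os
import re
from typing import Callable

# Permission letters the helper accepts (assumption: plain read/write only; no
# exec, mmap, link or lock grants from the temp file).
_ALLOWED_PERMS = frozenset("rw")
# Glob and syntax characters AppArmor interprets in a path rule; rejected rather
# than escaped so the emitted line means exactly the one resolved path.
_UNSAFE = re.compile(r'[*?\[\]{}",\s]')


def validate_perms(perms: str) -> str:
    """Normalise e.g. 'wr' to 'rw'; reject any letter outside the allowed set."""
    if not perms or not set(perms) <= _ALLOWED_PERMS:
        raise ValueError(f"unsupported permissions: {perms!r}")
    return "".join(p for p in "rw" if p in perms)


def build_rule(path: str, perms: str, requesting_uid: int,
               owner_uid_fn: Callable[[str], int] = lambda p: os.stat(p).st_uid) -> str:
    """Return one AppArmor rule line for the temp file, or raise.

    Checks: absolute path, no AppArmor metacharacters, and the resolved file is
    owned by the requesting uid (owner_uid_fn is injectable for testing).  The
    rule carries the `owner` qualifier, so it only takes effect for a process
    whose fsuid owns the file: a rule added by $U0 does not widen what $E can
    touch while running as $U1, as long as the file stays owned by $U0.
    """
    if not os.path.isabs(path):
        raise ValueError("path must be absolute")
    real = os.path.realpath(path)      # resolve symlinks before the owner check
    if _UNSAFE.search(real):
        raise ValueError(f"path contains characters not accepted: {real!r}")
    if owner_uid_fn(real) != requesting_uid:
        raise PermissionError(f"{real} is not owned by uid {requesting_uid}")
    return f"owner {real} {validate_perms(perms)},"


def append_rule(rule_file: str, rule: str) -> None:
    """Append the rule to /etc/apparmor.d/temp/$PROGRAM; the caller then reloads
    the profile with `apparmor_parser -r`, which re-reads the included file."""
    with open(rule_file, "a", encoding="utf-8") as fh:
        fh.write(rule + "\n")
```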