On 11/16/21 1:44 AM, beroal wrote:
> Hi. I wonder whether AppArmor allows giving a permission to a specific 
> process. A use case: there are UI programs (editors, viewers) that need 
> temporary access to a file specified by a user (to edit, to view).
> 

As Seth has already pointed out, what you are looking for is more of a 
capability model. While there is work to extend AppArmor in this direction, 
user space integration so trusted helpers (portals, snap, ..) can use object 
delegation or extend profiles, currently AppArmor is more of an ambient 
authority model.

> Unfortunately, AppArmor profiles give permissions to executable files. For 
> example, if a user gives executable $E access to /tmp/$F, any user will have 
> access to /tmp/$F by executing $E. Hence a user needs a feature which gives 
> permission $R to any process that executes executable $E **as a user $U** 
> where $R, $E, and $U are specified by the user. A feature which gives 
> permission $R to process $P would be nice too, but isn't essential. There is 
> a problem of how a non-root user can use this feature, but it's a separate topic.
> 
> Does AppArmor have such a feature? Maybe, there is a better tool for this use 
> case?
> 
No, and yes. It really depends on how you set up AppArmor. Running with the 
default of having users unconfined, behavior is limited to using profile 
attachments to determine who can execute which application and what its 
confinement is. Basically in terms of apparmor profile rules, unconfined has an 
exec rule of

  /** pix,

Which, as you said, allows any user to run $E and gain access to /tmp/$F.

If you want to control which applications a user can execute you need to 
confine the user. The user profile can then be used to determine what can be 
executed, and what the confinement can be. It can be locked into a single 
profile, allow transitioning to a different profile (say executable) or be a 
dynamic combination via profile stacking. Confining users is a huge topic 
beyond what I can spend the time writing here. Unfortunately pam_apparmor (the 
primary way to achieve this) has not been updated in years and is a real pita 
to work with atm. 

Better user confinement is something that is being worked on currently from 
multiple angles.
- We have someone working on improving pam_apparmor.

- There is work to extend profile attachments so that they can have a user 
conditional, e.g.

    profile example /bin/example user=foo { ... }

- There is work to extend the profile attachment syntax to allow blocking 
execution of an application

    deny /sbin/** user=foo,
    profile bar /bin/bar  { ... }

Sadly none of this is available to you atm.

-- 
AppArmor mailing list
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
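For readers who want to see what the reply's "confine the user" approach looks like in profile language, here is an added example that is not part of the thread: an editor profile whose grant is tied to the executable (the poster's problem), and a user profile that restricts which executables that user may run and which profile they transition into. The paths /usr/bin/editor and /tmp/notes.txt, the user name foo, and entering the user profile via pam_apparmor or change_profile are all assumptions for illustration.

```apparmor
# Added example, not from the thread. Paths, the user name "foo" and the
# mechanism that places a login in user_foo (pam_apparmor / change_profile
# from a trusted helper) are assumptions.
#include <tunables/global>

# 1. The ambient-authority case from the question: the grant belongs to the
#    executable, so anyone who is allowed to run /usr/bin/editor (for an
#    unconfined user that is effectively "/** pix,") gets /tmp/notes.txt.
profile editor /usr/bin/editor {
  #include <abstractions/base>
  /tmp/notes.txt rw,
}

# 2. A user profile. Only what is listed is allowed; AppArmor denies the rest,
#    so a user placed in user_foo can reach the editor profile's grant only by
#    running /usr/bin/editor, and a user not placed here gets nothing from it.
profile user_foo {
  #include <abstractions/base>
  /bin/bash ix,                 # the login shell inherits this profile
  /usr/bin/editor px -> editor, # named transition into the profile above
  # no other executable is listed, so nothing else in /usr/bin can be run,
  # and /tmp/notes.txt is not reachable directly from this profile
}
```

Which user ends up in user_foo is decided by the mechanism that enters it, which is exactly the pam_apparmor and user-conditional attachment work the reply describes as unfinished.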
