On 1/25/23 10:49, Murali Selvaraj wrote:
Hi Christian,
Thanks for the explanation.
My requirement is to find a way to avoid/block the script (sh /tmp/foo.sh)
execution from directories like (/tmp/).
However, I am unable to meet this requirement using the profile below.
cat bin.sh
profile sh_restriction /bin/sh flags=(attach_disconnected,complain) {
  ptrace,
  signal,
  capability,
  /tmp/** r,
  audit /tmp/** x,
  / r,
  /** rwixkml,
}
If I update the line to "audit /tmp/** r," I am able to get all the read
operations in /tmp/.
Do we have any options to get ONLY execute operations (sh /tmp/foo.sh) from the list
(without audit "read" operation logs)?
Sadly, this isn't supported at the moment. It has been something we have wanted for a long
time, but it is tricky from an LSM point of view. There are some proposed ways of dealing
with this that may be acceptable upstream (Linux kernel), but until we get that
resolved we can't land this in apparmor.
The goal is to get to something like
  profile /tmp/* interpreter=/bin/bash { ... }
This would allow for a trap profile (a profile with no permissions) to stop
such executions. But there is also work on having deny entries for attachments,
i.e.
  deny /tmp/* interpreter=/** { ... }
which would allow a straight denial instead of a trap profile.
audit: type=1400 audit(1674669489.761:6): apparmor="AUDIT" operation="open" profile="sh_restriction" name="/tmp/foo.sh" pid=8910 comm="sh" requested_mask="r" fsuid=0 ouid=0
Please share your inputs.
Thanks
Murali.S
On Wed, Jan 25, 2023 at 7:56 AM Christian Boltz <[email protected]> wrote:
Hello,
On Wednesday, 25 January 2023, 03:44:59 CET, you wrote:
> Thanks for the details. I have created a profile for /bin/bash to add
> a restriction to run the script in /tmp using sh /tmp/foo.sh.
> For testing purposes, I added an audit as follows but it is NOT
> working as expected.
I'd argue it _does_ work as expected ;-)
> profile bash /bin/bash.bash flags=(attach_disconnected,complain) {
>   ptrace,
>   signal,
>   capability,
>   audit /tmp/** ix,
So you still only audit execution, but "sh /tmp/foo.sh" only _reads_ the
script. Add
audit /tmp/** r,
BTW: If you have more questions, please answer on the mailing list again.
Regards,
Christian Boltz
--
each feature contains at least one bug :)
[Josef Reidinger in yast-devel]
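Added example, not part of this thread and not AppArmor's own tooling: the kernel cannot tell "sh /tmp/foo.sh" apart from any other read of /tmp/foo.sh by the shell, so the only place to separate the two today is after the fact, in the audit log. The filter below parses AppArmor audit records, keeps reads of files under a scratch directory whose comm is a shell interpreter, plus direct execs of such files, and drops ordinary data reads. The first sample line is the record Murali posted; the other four lines, the set of interpreter names and the list of watched directories are assumptions made up for this example.

```python
import re

# Constructed sample input for this example. The first line is the audit
# record posted in the thread; the remaining four are made up here to show
# which records do and do not get flagged.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1674669489.761:6): apparmor="AUDIT" operation="open" '
    'profile="sh_restriction" name="/tmp/foo.sh" pid=8910 comm="sh" requested_mask="r" fsuid=0 ouid=0',
    # plain data read from /tmp by a non-interpreter: not a script run
    'audit: type=1400 audit(1674669490.102:7): apparmor="AUDIT" operation="open" '
    'profile="sh_restriction" name="/tmp/data.txt" pid=8911 comm="cat" requested_mask="r" fsuid=0 ouid=0',
    # the shell reading a file outside the watched directories
    'audit: type=1400 audit(1674669491.377:8): apparmor="AUDIT" operation="open" '
    'profile="sh_restriction" name="/etc/profile" pid=8912 comm="sh" requested_mask="r" fsuid=0 ouid=0',
    # direct execution of the script (/tmp/foo.sh run as a program): an exec record
    'audit: type=1400 audit(1674669492.501:9): apparmor="AUDIT" operation="exec" '
    'profile="sh_restriction" name="/tmp/foo.sh" pid=8913 comm="sh" requested_mask="x" fsuid=0 ouid=0',
    # "bash /tmp/bar.sh" as an unprivileged user: same open-for-read pattern
    'audit: type=1400 audit(1674669493.660:10): apparmor="AUDIT" operation="open" '
    'profile="sh_restriction" name="/tmp/bar.sh" pid=8914 comm="bash" requested_mask="r" fsuid=1000 ouid=1000',
]

# key=value or key="quoted value"; the audit(...) timestamp has no '=' and is skipped
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumptions for this example: which comm values count as script
# interpreters, and which directories are scratch locations worth watching.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh"}
WATCHED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_audit_line(line: str) -> dict:
    """Split one AppArmor audit record into a dict of its key=value fields.
    Quoted values lose their quotes; bare values (pid=..., fsuid=...) stay strings."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_script_run_from_tmp(fields: dict) -> bool:
    """Heuristic: does this record look like a script under a watched
    directory being run, either directly or through a shell interpreter?"""
    name = fields.get("name", "")
    if not name.startswith(WATCHED_PREFIXES):
        return False
    op = fields.get("operation")
    mask = fields.get("requested_mask", "")
    # Direct execution: the kernel exec's the script path itself.
    if op == "exec" and "x" in mask:
        return True
    # Interpreter execution ("sh /tmp/foo.sh"): the kernel only sees the
    # interpreter open the script for reading, so key on the comm value.
    return op == "open" and "r" in mask and fields.get("comm") in INTERPRETERS


def find_script_runs(lines):
    """Return (comm, name, operation) for every record that passes the filter."""
    hits = []
    for line in lines:
        fields = parse_audit_line(line)
        if "apparmor" not in fields:
            continue  # not an AppArmor record at all
        if is_script_run_from_tmp(fields):
            hits.append((fields["comm"], fields["name"], fields["operation"]))
    return hits


if __name__ == "__main__":
    for comm, name, op in find_script_runs(SAMPLE_AUDIT_LINES):
        print(f"{op:5} {comm:5} {name}")
```

This is a triage filter, not enforcement: a shell sourcing the file (". /tmp/foo.sh") or redirecting it into "read" produces exactly the same open record as "sh /tmp/foo.sh", so the comm-based rule will flag those too, and it cannot stop anything. Blocking still needs the interpreter= attachment described above, or a profile transition on the interpreter itself.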