* Aurelien Jarno:

>> This doesn't seem correct to me. Is there any documentation giving a
>> rationale for this ? Is there a way to change this locally ?
>
> I do not know enough about apparmor and its threat model to know if it
> should be considered or not. From the glibc point of view, nothing can
> be really done, it just obeys the AT_SECURE flag passed by the kernel.
>
> Now looking at apparmor.d(5), it seems it *might* be controlled by the
> change_profile option with the safe and unsafe mode. But I don't speak
> apparmor fluently enough to actually know how to introduce that option
> in a profile.

I think LSMs can nowadays also express security transitions that trust
the execution environment, that is, that they add more restrictions
instead of increasing privileges. I believe we use this with SELinux,
so that these transitions do not cause AT_SECURE to be set. Maybe this
is something that apparmor could do as well?

Thanks,
Florian