[Bug 2058690] Re: aa-easyprof: allow mmap and link from easyprof generated profiles

[Ratchanan Srirattanamet]

Hmm... indeed! I'll re-investigate why we need `m` permission by the
default. I assume that if there's something that actually need `m`
permission, a new key in the easyprof manifest would be needed, right?

As for `l` rule for writes, do you think it's safe to add? Given that
"the new link MUST have a subset of permissions as the original file"
[1], this shouldn't be able to be used to open up more permission.

[1]:
https://manpages.debian.org/bookworm/apparmor/apparmor.d.5.en.html#l~2

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2058690

Title:
  aa-easyprof: allow mmap and link from easyprof generated profiles

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058690/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2058690] Re: aa-easyprof: allow mmap and link from easyprof generated profiles

[Seth Arnold]

The 'm' permission shouldn't be a default; restricting what the CPU will
execute is a very useful security mitigation.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2058690

Title:
  aa-easyprof: allow mmap and link from easyprof generated profiles

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058690/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs