Public bug reported: Binary package hint: apparmor
Binary package hint: apparmor

It would be great if AppArmor had a flag to start a program in a way so that ptrace()/LD_PRELOAD and similar vectors are disabled, just as the kernel does when running a setuid/setgid binary. Doing this for normal user session programs like ssh, gnupg, gnome-screensaver, etc. would have the benefit that malicious programs in the user's session could not spy the password out of the program's memory.

I gave some details about the rationale and an initial implementation idea on LKML:

  http://www.uwsg.indiana.edu/hypermail/linux/kernel/0712.1/2025.html

However, Alan Cox raised a good point about using MAC systems for this, which already have a rich rule system, instead of fiddling with ELF headers, etc. Would it be possible to implement that in AppArmor?

Thanks for considering!

This is an upstream wishlist bug, but Launchpad does not allow me to file an upstream bug against AppArmor.

** Affects: apparmor (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Wishlist

-- 
Should provide a flag to disable ptrace()/LD_PRELOAD
https://bugs.launchpad.net/bugs/176301
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
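The report asks AppArmor to impose, on ordinary session programs, the same ptrace()/LD_PRELOAD blocking the kernel applies to setuid binaries. The following is an added example, not code from the bug report or from AppArmor: it shows the process-side mechanism behind that kernel behaviour, the "dumpable" flag, which any program can clear itself via prctl(2) (this is what agents such as ssh-agent rely on), plus a check for the LD_PRELOAD vector. Function names and the environment array are constructed for the example; the attach test assumes the parent lacks CAP_SYS_PTRACE.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the environment carries LD_PRELOAD, the loader-injection
 * vector the report names. The kernel ignores it for setuid binaries; a
 * normal program can only detect it and refuse to continue. */
int ld_preload_present(char *const envp[]) {
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], "LD_PRELOAD=", 11) == 0)
            return 1;
    return 0;
}

/* Clear the "dumpable" flag, as the kernel does for setuid programs.
 * Effect: ptrace attach by another same-uid process needs CAP_SYS_PTRACE,
 * core dumps are off, and /proc/<pid>/{mem,maps,environ} become root-only.
 * Returns the flag read back: 0 on success, -1 if prctl() failed. */
int harden_against_same_uid_ptrace(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(void) {
    /* constructed environment, not the real one */
    char *const env[] = {"HOME=/tmp", "LD_PRELOAD=/tmp/evil.so", NULL};
    printf("LD_PRELOAD present: %d\n", ld_preload_present(env));

    pid_t child = fork();
    if (child == 0) {                 /* child: harden itself, then idle */
        harden_against_same_uid_ptrace();
        pause();
        _exit(0);
    }
    sleep(1);                         /* crude wait for the child's prctl() */
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == -1)
        printf("attach refused: %s\n", strerror(errno)); /* EPERM w/o CAP_SYS_PTRACE */
    else
        puts("attach succeeded (CAP_SYS_PTRACE, e.g. running as root)");
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return 0;
}
```

Note that this only protects a process against peers with the same uid and no CAP_SYS_PTRACE; a MAC policy, as the report requests, is what can express the restriction per program without each program opting in.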
