Comment 1 for bug 1346553

Seth Arnold (seth-arnold) wrote:

Okay, I've got a minimal test for this that doesn't rely upon anything outside of these files.

cp ~/Downloads/confined_interpreter.c /tmp
cd /tmp
make confined_interpreter
sudo -s
apparmor_parser --replace <<EOF
profile /tmp/confined_interpreter {
  /etc/ld.so.cache r,
  /lib/x86_64-linux-gnu/libc-2.19.so rm,
  /tmp/confined_interpreter ix,
  /tmp/runme.pl wix,
}
EOF
exit
/tmp/confined_interpreter

Even though /tmp/confined_interpreter is executing in a profile that doesn't include /usr/bin/perl in any way, the /usr/bin/perl executable is started, as evidenced by failure to load perl libraries:

/usr/bin/perl: error while loading shared libraries: libperl.so.5.18: cannot open shared object file: Permission denied

type=AVC msg=audit(1405991249.694:8453): apparmor="DENIED" operation="open" profile="/tmp/confined_interpreter" name="/usr/lib/libperl.so.5.18.2" pid=13472 comm="runme.pl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
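The confined_interpreter.c attached to the report is not reproduced on this page. The following is an added illustration of the kind of confined binary the reproducer needs, not the reporter's file: it writes a script whose shebang names /usr/bin/perl and then execve()s the script. Under the profile above the exec permission check applies to /tmp/runme.pl (the `wix` rule), and the kernel then loads the shebang interpreter as part of that same execve(), so perl ends up running under /tmp/confined_interpreter even though no rule mentions it. The script path and its contents are assumptions.

```c
/* Added example, not the attachment from the bug report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Assumed script body: the shebang is the only place /usr/bin/perl appears. */
static const char script_body[] =
    "#!/usr/bin/perl\n"
    "print \"perl is running inside the caller's profile\\n\";\n";

/* Write the script and mark it executable; returns 0 on success, -1 on error.
 * Writing it needs the 'w' in the profile's "/tmp/runme.pl wix," rule. */
int write_script(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    if (fputs(script_body, f) == EOF) {
        fclose(f);
        return -1;
    }
    if (fclose(f) != 0)
        return -1;
    /* The executable bit is what makes execve() hand the file to binfmt_script. */
    if (chmod(path, 0755) != 0)
        return -1;
    return 0;
}

/* Report which interpreter the script's shebang names (the path the kernel will
 * load on execve()); returns 1 and fills interp on success, 0 otherwise. */
int has_shebang(const char *path, char *interp, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    char line[256];
    int ok = 0;
    if (fgets(line, sizeof line, f) && strncmp(line, "#!/", 3) == 0) {
        const char *p = line + 2;                 /* skip "#!" */
        size_t n = strcspn(p, " \t\r\n");
        if (n < len) {
            memcpy(interp, p, n);
            interp[n] = '\0';
            ok = 1;
        }
    }
    fclose(f);
    return ok;
}

int main(void)
{
    const char *path = "/tmp/runme.pl";          /* matches the profile's wix rule */
    if (write_script(path) != 0) {
        perror(path);
        return 1;
    }
    /* 'ix': the profile check is on /tmp/runme.pl; the interpreter named by the
     * shebang is loaded by the kernel inside this same execve() and inherits
     * the caller's profile, hence the libperl.so denial in the audit log. */
    char *const argv[] = { (char *)path, NULL };
    execv(path, argv);
    perror("execv");
    return 1;
}
```

Built with `make confined_interpreter` and run under the profile from the comment, the only denial to expect is the one shown above: the open of libperl by comm="runme.pl", because the interpreter itself was never subject to an exec rule.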