symlink support

Bug #1485055 reported by Patrick Schleizer
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Won't Fix | Undecided | Unassigned |

Bug Description

Could you please add an option to AppArmor to follow symlinks?

That would allow a cleaner solution than the workarounds that have been added by other projects, such as:

- https://bugs.launchpad.net/bugs/132468
- https://bugs.launchpad.net/bugs/203898
- https://debathena.mit.edu/trac/ticket/166
- https://phabricator.whonix.org/T396

Tags: aa-kernel
Seth Arnold (seth-arnold) wrote :

This is not a design choice that can be revisited; this is a consequence of the kernel internal implementation. Sorry.

Changed in apparmor:
status: New → Won't Fix
Christian Boltz (cboltz) wrote :

You can use alias rules for directory symlinks - add them to /etc/apparmor.d/tunables/alias. This avoids the need to modify all profiles.

For example, my /tmp/ is a symlink to /home/sys-tmp/, and the alias rule for it is
    alias /tmp/ -> /home/sys-tmp/,

Another possible solution is using mount --bind instead of symlinks.
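
Added example, not part of the bug thread: a small shell helper that emits alias rules in the form shown in the comment above for directories that are symlinks. The function name `gen_alias_rules` and the paths passed to it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread or the AppArmor project).
# Prints one rule per symlinked directory, in the form quoted in the thread:
#     alias /tmp/ -> /home/sys-tmp/,
# The output is meant for review before it goes into
# /etc/apparmor.d/tunables/alias.

gen_alias_rules() {
    for path in "$@"; do
        link=${path%/}                       # inspect the link, not its target
        case $link in
            /*) ;;                           # alias rules use absolute paths
            *)  continue ;;
        esac
        [ -L "$link" ] || continue           # only symlinks need an alias
        [ -d "$link" ] || continue           # skip broken links and file links
        target=$(readlink -f -- "$link") || continue
        target=${target%/}                   # a target of "/" prints as "/"
        case "$link$target" in
            *[[:space:]\"]*)
                # Such paths would need quoting; leave them for manual handling.
                echo "skipped (needs quoting): $link" >&2
                continue ;;
        esac
        printf 'alias %s/ -> %s/,\n' "$link" "$target"
    done
}

# Stand-alone use: pass candidate directories as arguments, e.g.
#     sh gen-alias.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then
    gen_alias_rules "$@"
fi
```

Only directory symlinks are covered, matching the scope of the alias suggestion in the comment; symlinks to individual files are skipped.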

Patrick Schleizer (adrelanos) wrote :

Alright. Thank you, Christian! This is a much better solution to our issue.
