AppArmor

symlink support

Bug #1485055 reported by Patrick Schleizer on 2015-08-14
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Won't Fix
Undecided
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Could you please add an option to AppArmor to follow symlinks?

That would allow a cleaner solution than the workarounds that have been added by other projects. Such as:

- https://bugs.launchpad.net/bugs/132468
- https://bugs.launchpad.net/bugs/203898
- https://debathena.mit.edu/trac/ticket/166
- https://phabricator.whonix.org/T396

Seth Arnold (seth-arnold) wrote :

This is not a design choice that can be revisited; this is a consequence of the kernel internal implementation. Sorry.

Changed in apparmor:
status: New → Won't Fix
Christian Boltz (cboltz) wrote :

You can use alias rules for directory symlinks - add them to /etc/apparmor.d/tunables/alias. This avoids the need to modify all profiles.

For example, my /tmp/ is a symlink to /home/sys-tmp/, and the alias rule for it is
    alias /tmp/ -> /home/sys-tmp/,

Another possible solution is using mount --bind instead of symlinks.

Patrick Schleizer (adrelanos) wrote :

Alright. Thank you, Christian! This is a much better solution to our issue.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers