2016-05-10 22:59:19 |
Christian Boltz |
description |
In theory, deny rules should be enforced even in complain mode.
In practice, they aren't...
# echo 'profile test { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied
# echo 'profile test (audit) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied
# echo 'profile test (complain) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
## /tmp/foo gets created
# echo 'profile test (complain, audit) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p
## /tmp/foo gets created
This happens with kernel 4.5.3 on openSUSE Tumbleweed, using the 2.11 beta1 apparmor_parser. |
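The practical consequence of the behaviour reported above is that, on an affected kernel/parser combination, every `deny` rule sitting in a profile flagged `complain` is logged but not enforced, so the policy text promises a restriction the system does not apply. The following script is an added example (it is not part of the bug report and not AppArmor project code): it parses profile text in both the short `profile name (complain) {` header form used in the report and the `flags=(complain)` form, tracks nested blocks, and lists the deny rules that fall inside complain-mode blocks so an administrator can review them before relying on them. Assumptions: each block's own header flags are taken as authoritative (a child block or hat is not treated as inheriting its parent's mode), path alternation such as `/usr/{lib,lib64}/` is recognised only when the `{` is glued to the preceding path character, and the sample profile text is constructed for the example.

```python
"""Flag 'deny' rules that live in complain-mode AppArmor profile blocks.

Added example, not code from the bug report or the AppArmor project.
On an affected kernel/parser combination such rules are logged but not
enforced, so each hit is a restriction the policy text only appears to apply.
"""
import re

# Header forms handled (assumption: each block's own flags decide its mode):
#   profile NAME (complain, audit) {      profile NAME flags=(complain) {
#   /usr/bin/foo flags=(complain) {       ^hat {
HEADER_RE = re.compile(
    r"^(?:profile\s+)?(?P<name>\S+)(?:\s+(?P<attach>/\S*))?"
    r"\s*(?:flags=)?(?:\((?P<flags>[^)]*)\))?$"
)
DENY_RE = re.compile(r"^(?:audit\s+)?deny\s+")


def _statements(text):
    """Yield ('open', header) / ('rule', body) / ('close', '') in source order.

    Commas inside flag parentheses and inside path alternation braces
    (/usr/{lib,lib64}/**) are not statement terminators.
    """
    text = re.sub(r"#[^\n]*", "", text)  # drop comments (and '#include' lines)
    buf, paren, glob = [], 0, 0
    for ch in text:
        if ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif ch == "{" and paren == 0:
            # a brace glued to a path character is alternation, not a block
            if buf and not buf[-1].isspace() and buf[-1] != ")":
                glob += 1
            else:
                yield "open", "".join(buf).strip()
                buf = []
                continue
        elif ch == "}" and paren == 0:
            if glob:
                glob -= 1
            else:
                tail = "".join(buf).strip()  # tolerate a last rule without comma
                if tail:
                    yield "rule", tail
                yield "close", ""
                buf = []
                continue
        elif ch == "," and paren == 0 and glob == 0:
            stmt = "".join(buf).strip()
            if stmt:
                yield "rule", stmt
            buf = []
            continue
        buf.append(ch)


def parse_flags(flag_text):
    return {f.strip() for f in (flag_text or "").split(",") if f.strip()}


def find_unenforced_denies(profile_text):
    """Return [(block_name, deny_rule), ...] for deny rules in complain-mode blocks."""
    stack, findings = [], []  # stack holds (name, is_complain) per open block
    for kind, body in _statements(profile_text):
        if kind == "open":
            m = HEADER_RE.match(body)
            name = m.group("name") if m else body
            flags = parse_flags(m.group("flags")) if m else set()
            stack.append((name, "complain" in flags))
        elif kind == "close":
            if stack:
                stack.pop()
        elif stack and stack[-1][1] and DENY_RE.match(body):
            findings.append((stack[-1][0], body))
    return findings


# Constructed sample: the four reproducer profiles from the report plus a
# longer profile with path alternation and a child block in enforce mode.
SAMPLE_PROFILES = """
profile test_enforce { file, deny /tmp/foo rw, }
profile test_audit (audit) { file, deny /tmp/foo rw, }
profile test_complain (complain) { file, deny /tmp/foo rw, }
profile test_both (complain, audit) { file, deny /tmp/foo rw, }
/usr/bin/example flags=(complain) {
  /usr/{lib,lib64}/** mr,
  deny /etc/shadow r,
  ^child {
    deny /tmp/** w,
  }
}
"""

if __name__ == "__main__":
    for block, rule in find_unenforced_denies(SAMPLE_PROFILES):
        print(f"{block}: '{rule},' is in a complain-mode block and may not be enforced")
```

Run against `/etc/apparmor.d/*` by feeding each file's contents to `find_unenforced_denies`; an empty result means no deny rule depends on complain-mode enforcement. The `^child` block in the sample is deliberately reported as clean, because its own header carries no `complain` flag.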