Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Apparmor: is it possible to call another executable from within an executable?

Tags:

linux

security

server

ubuntu

apparmor

I have a problem I am not sure how to solve in AppArmor.

Basically I have a profile that executes a program, let us say

profile myprof {
    /my/executable ix,
}

The problem is that from that executable, I call another, spawning a process, let us call it, /the/other/executable.

How can I make AppArmor give /my/executable permissions to call /the/other/executable? This will be done when /my/executable is already running, of course.

like image 399
Germán Diago Avatar asked Oct 20 '25 02:10

Germán Diago

1 Answers

profile myprof {
    /my/executable ix,
}

When you do write a rule like this, what you do is to allow myprof to execute /my/executable with exactly the same permissions that myprof has. So if you want to allow /my/executable to do something you just need to add that permission to myprof and it will be inherited by /my/executable. But if you want to give that particular permission exclusively to /my/executable and to also to myprof you will need to use something else:

  • ux - unconfined execute

  • Ux - unconfined execute -- scrub the environment

  • px - discrete profile execute

  • Px - discrete profile execute -- scrub the environment

  • cx - transition to subprofile on execute

  • Cx - transition to subprofile on execute -- scrub the environment

  • pix - discrete profile execute with inherit fallback

  • Pix - discrete profile execute with inherit fallback -- scrub the environment

  • cix - transition to subprofile on execute with inherit fallback

  • Cix - transition to subprofile on execute with inherit fallback -- scrub the environment

  • pux - discrete profile execute with fallback to unconfined

  • PUx - discrete profile execute with fallback to unconfined -- scrub the environment

  • cux - transition to subprofile on execute with fallback to unconfined

  • CUx - transition to subprofile on execute with fallback to unconfined -- scrub the environment

The difference between a discrete profile and a subprofile is that a discrete profile is a normal profile, a subprofile is define inside the current profile.

like image 130
smeso Avatar answered Oct 22 '25 00:10

smeso
Sign in to Comment

Related questions

What is the significance of ".note.ABI-tag" section in ELF?
awk to print line greater than zero in column 1
Unauthenticated bind (DN with no password) disallowed [closed]
Unrecognized CPU by ARM gcc
Does unix 'find' give the same order every time? [closed]
What does the 'sched_feat' macro in scheduler mean?
Which hardware timer is used for hr timers in linux?
How to change the Jenkins Home Directory from /var/lib to app and create a symlink for orginal location as job wont get affected
Node: SerialPort is not a constructor
Can fnctl(F_SETOWN, <pid>) direct a signal to a pthread ID instead of a process ID?
How can I know the list of isolated cpu for the current running kernel?
Replace UUID value in fstab using sed
How to set QMainWindow as the modal one?
Read/Write block directly to disk in linux kernel
Can I use one Linux .so for all Linux compilers?
Writing and Compiling Program For OpenWrt
Create symlink in RPM
Most reliable way to identify the current user through a sudo
Readdir/closedir - Valgrind shows "invalid read"
Find cron jobs that run between given times

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!