apparmor

mir/apparmor

Fork 0

mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00

Commit Graph

Author	SHA1	Message	Date
Maxime Bélair	68c0dddf23	Add a script to verify attachment-path permissions Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed. However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks. This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 . Introduce `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path. Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>	2025-04-18 12:41:54 +02:00

Author

SHA1

Message

Date

Maxime Bélair

68c0dddf23

Add a script to verify attachment-path permissions

Unconfined delegates access to open file descriptors. Therefore when
running a confined binary from unconfined, it will work even when the
attachment path is not read-allowed.

However, as soon as these confined binaries are run from another
confined process, this delegation is not permitted anymore and the
program breaks.

This has been the cause of several bugs such as
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or
https://github.com/canonical/snapd/pull/15181 .

Introduce `test_profile.sh`, a helper script that ensures confining
AppArmor profiles explicitly allow (at least) read access to their
attachment path.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

2025-04-18 12:41:54 +02:00

1 Commits