[Apparmor-dev] readlink on non profile symlink succeeding?

John Johansen jjohansen at suse.de
Mon Aug 18 12:09:56 MDT 2008


Rob Meijer wrote:
> In the process of creating some useful example profiles for MinorFs, I
> ran into a problem when testing these profiles on the AppArmor installation
> that comes with Suse 11.0. I would like to know if this is an old bug, an
> existing bug, or just my limited understanding of how the profiles work.
> 
> If MinorFs is running, the directory /mnt/minorfs/priv (that is a Fuse
> mountpoint) contains two symbolic links. The first called 'tmp' and the
> second called 'home'. I created a hardlink /bin/minorbash_base that links
> to /bin/bash and should run under a profile that gives access to all of
> the /mnt/minorfs tree with the exception of /mnt/minorfs/priv. All seems
> to be as expected, only when I do 'ls -la /mnt/minorfs/priv/home' from
> minorbash_base, I can read the symbolic link that points to a
> /mnt/minorfs/cap/$SOMECAPSTRING directory.
> 
> Is there something I am doing wrong here in my profiles, if not, is this
> an old bug that is fixed in the development tree, or is it a bug not seen
> and/or fixed yet?
> 

AppArmor currently does all its mediation post symlink resolution.  So
for the symlink /mnt/minorfs/priv/home the mediation is going to be for
/mnt/minorfs/cap/$SOMECAPSTRING dir, which according to the profile has
rw permissions.

The question of how to handle symlinks is a bit of a debate; the current
behavior, which has existed the entire time I have known AppArmor, is
as follows:
- creation of a symlink requires write permission on the symlink file
- removal of a symlink requires write permission on the symlink file
- read and traversal of a symlink does not require any permissions
  but it does require read permission on the eventual target of the
  traversal.

This can be less than intuitive, in that you would expect at least a
read permission for the symlink file.

I don't know why the free symlink traversal was implemented but I would
guess it was done in a similar spirit of the free directory traversal.

It would certainly be easy to add mediation of symlink traversal, it
would then require read permission of each symlink file in a traversal.
The question being of whether to always enforce it or make it
conditional on either a profile or global flag.
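To make the three rules above concrete, here is a small model of the two mediation policies discussed in this reply (the current post-resolution behaviour and the variant that would also require read permission on every symlink followed). This is an added illustration, not AppArmor code and not part of the thread; the profile rules, the symlink table and the CAPSTRING_PLACEHOLDER value standing in for $SOMECAPSTRING are all constructed for the example, and symlink targets are assumed to be absolute paths.

```python
import re

# Constructed sample data: a placeholder stands in for $SOMECAPSTRING.
CAP = "CAPSTRING_PLACEHOLDER"

# Symlinks as MinorFs would expose them under /mnt/minorfs/priv (assumed layout).
SYMLINKS = {
    "/mnt/minorfs/priv/home": f"/mnt/minorfs/cap/{CAP}",
    "/mnt/minorfs/priv/tmp": f"/mnt/minorfs/cap/{CAP}/tmp",
}

# Hypothetical profile for /bin/minorbash_base: rw on the cap and tmp subtrees,
# nothing on /mnt/minorfs/priv (anything not listed is denied).
PROFILE = [
    ("/mnt/minorfs/cap/**", "rw"),
    ("/mnt/minorfs/tmp/**", "rw"),
]

MAX_LINKS = 40  # same spirit as the kernel's ELOOP limit


def glob_to_regex(glob):
    """AppArmor-style globbing: '**' may span '/', a single '*' may not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")


def allowed(profile, path, perm):
    """True if some rule grants `perm` on `path`."""
    return any(perm in perms and glob_to_regex(glob).match(path)
               for glob, perms in profile)


def resolve(symlinks, path):
    """Expand symlinks component by component.
    Returns (fully resolved path, list of symlink paths followed)."""
    followed = []
    parts = [p for p in path.split("/") if p]
    i, cur = 0, ""
    while i < len(parts):
        cur = cur + "/" + parts[i]
        if cur in symlinks:
            if len(followed) >= MAX_LINKS:
                raise OSError("too many levels of symbolic links")
            followed.append(cur)
            # Splice the (absolute) target in and restart the walk.
            parts = [p for p in symlinks[cur].split("/") if p] + parts[i + 1:]
            i, cur = 0, ""
            continue
        i += 1
    return (cur or "/"), followed


def mediate_current(symlinks, profile, op, path):
    """Behaviour described in the reply: creating or removing a symlink needs
    'w' on the link itself; reading/traversing needs only 'r' on the
    fully resolved target, never on the link."""
    if op in ("create", "remove"):
        return allowed(profile, path, "w")
    target, _ = resolve(symlinks, path)
    return allowed(profile, target, "r")


def mediate_links_too(symlinks, profile, op, path):
    """Variant floated at the end of the reply: additionally require 'r'
    on every symlink file that was followed along the way."""
    if op in ("create", "remove"):
        return allowed(profile, path, "w")
    target, links = resolve(symlinks, path)
    return allowed(profile, target, "r") and all(
        allowed(profile, link, "r") for link in links)


if __name__ == "__main__":
    link = "/mnt/minorfs/priv/home"
    print("resolves to:", resolve(SYMLINKS, link))
    print("current policy, read:", mediate_current(SYMLINKS, PROFILE, "read", link))
    print("with link mediation, read:", mediate_links_too(SYMLINKS, PROFILE, "read", link))
    print("current policy, create:", mediate_current(SYMLINKS, PROFILE, "create", link))
```

Under the current policy the read of /mnt/minorfs/priv/home is permitted because the only path that is checked is the resolved /mnt/minorfs/cap/... directory, which the profile grants rw on; the variant that also mediates the symlink file itself denies it, since nothing in the profile grants read on /mnt/minorfs/priv. Creating or removing that link is denied under both, because neither grants write there.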
