[Apparmor-general] wildcards as prefix
Crispin Cowan
crispin at novell.com
Wed Feb 14 00:40:40 MST 2007
S Kalyanasundaram wrote:
> Is there any way to use wildcards as prefixes? My application would be using files at specific locations like /etc/app/conffile, but there is a possibility that the application might get loaded in a chroot environment, so the path would be /var/lib/etc/app/conffile, and again it could possibly run on a shared pool (/var/mnt/etc/app/conffile). What I want is that the profile should work independently of path prefixes, something like */etc/app/conffile.
>
Your AppArmor access rules are required to begin with /; however, you
could easily write "/**/etc/app/conffile" and get the effect you want.
The security of such a rule is a little questionable, but not too
horrible, especially if the fixed suffix is long and specific enough.
> Another thing I wanted to ask: my application uses /tmp to create some files for temporary access, and the file name would vary (aa23Tf45.txt, something like this; it is always random). So I am planning to give read and write permission to the /tmp folder. Is there any problem that you see?
>
The easy answer is to use "#include <abstractions/user-tmp>" and rely on
the pre-defined temporary file rules that AppArmor comes with. If you
just run the profile generator, it will suggest this when it encounters
a temporary file.
If you want a more specific rule for your example, you might write
"/tmp/*.txt" assuming that the ".txt" part actually reflects the files
your application uses.
For even more security, if your application respects the $TMPDIR
environment variable, then set your $TMPDIR to
"/tmp/myapplicationsowntmpjail" and write an AppArmor rule of
"/tmp/myapplicationsowntmpjail/**".
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hacking is exploiting the gap between "intent" and "implementation"
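To see what the three rules discussed above actually match, here is an added example (not part of the original thread and not AppArmor's own matcher) that models a subset of AppArmor globbing: `*` matches a run of non-`/` characters, `**` a run of any characters including `/`, and `?` a single non-`/` character. Hidden-file handling, `{a,b}` alternation and the other details of the real parser are deliberately not modelled; the rule set and paths are constructed for illustration.

```python
import re

# Constructed sample profile fragment: the three rules from the reply,
# mapped to the permissions they would grant.
RULES = {
    "/**/etc/app/conffile": "r",            # prefix-independent config file
    "/tmp/*.txt": "rw",                     # random .txt names directly in /tmp
    "/tmp/myapplicationsowntmpjail/**": "rw",  # app's own $TMPDIR jail
}


def glob_to_regex(glob: str) -> str:
    """Translate a simplified AppArmor path glob into an anchored regex."""
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "*" and glob[i + 1 : i + 2] == "*":
            out.append(".*")        # ** crosses directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")     # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def matching_rules(path: str, rules=RULES) -> list:
    """All rule globs whose pattern matches the given absolute path."""
    return [g for g in rules if re.match(glob_to_regex(g), path)]


def allowed(path: str, perm: str, rules=RULES) -> bool:
    """True if at least one matching rule grants the requested permission."""
    return any(perm in rules[g] for g in matching_rules(path, rules))


if __name__ == "__main__":
    for p in ("/var/lib/etc/app/conffile", "/home/someone/etc/app/conffile",
              "/tmp/aa23Tf45.txt", "/tmp/sub/aa23Tf45.txt",
              "/tmp/myapplicationsowntmpjail/deep/scratch.dat"):
        print(p, matching_rules(p))
```

The second path shows why the reply calls the leading `/**` "a little questionable": any location ending in the fixed suffix is accepted, so the suffix itself is all that constrains where the confined program may read.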