[Apparmor-general] wildcards as prefix
S Kalyanasundaram
skalyanasundaram at novell.com
Fri Feb 16 04:11:29 MST 2007
Thanks Crispin,
BTW, the method of having /**/ was working only if I replaced the ** with some text; otherwise it is not working. If my conf files exist at /var/lib/etc/app/conffile then it goes fine. If I replace the ** with zero characters (/etc/app/conffile) it takes it as //etc/app/conffile and says operation not permitted for //etc/app/conffile.
So I changed the rule to /**etc/app/myconf and then it goes fine. Am I doing this correctly?
Thanks for your help,
-"kalyan"
>>> On Wed, Feb 14, 2007 at 1:10 PM, in message <45D2BCF8.8070802 at novell.com>,
Crispin Cowan <crispin at novell.com> wrote:
> S Kalyanasundaram wrote:
>> Is there any way to use wildcards as prefixes. My application would be
>> using files at specific locations like /etc/app/conffile but there is
>> possibility that application might get loaded with chroot environment, so the
>> path would be /var/lib/etc/app/conffile and again it can be possible to run
>> on shared pool (/var/mnt/etc/app/conffile) . What i want is that the profile
>> should go fine with independent of path prefixes , something like
>> */etc/app/conffile.
>>
> Your AppArmor access rules are required to begin with / however you
> could easily write "/**/etc/app/conffile" and get the effect you want.
> The security of such a rule is a little questionable, but not too
> horrible, especially if the fixed suffix is long and specific enough.
>
>> Another thing i wanted to ask is my application use /tmp to create some file
>> for temporary access, the file name would vary (aa23Tf45.txt, some thing like
>> this. It is random always). So i am planning to give read, write permission
>> to /tmp folder. Is there any problem exist that you see?
>>
> The easy answer is to use "#include <abstractions/user-tmp>" and rely on
> the pre-defined temporary file rules that AppArmor comes with. If you
> just run the profile generator, it will suggest this when it encounters
> a temporary file.
>
> If you want a more specific rule for your example, you might write
> "/tmp/*.txt" assuming that the ".txt" part actually reflects the files
> your application uses.
>
> For even more security, if your application respects the $TMPDIR
> environment variable, then set your $TMPDIR to be
> "/tmp/myapplicationsowntmpjail" and write an AppArmor rule of
> "/tmp/myapplicationsowntmpjail/**"
>
> Crispin
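The glob behaviour this thread turns on, modelled in Python as an added example (not code from the thread or from the AppArmor project). It assumes a simplified reading of AppArmor path globbing as Crispin describes it: `*` matches any run of characters except `/`, `**` matches any run including `/` and may be empty, `?` matches one non-`/` character, and `{a,b}` is alternation; the real apparmor_parser translation may differ in details. The sample paths are constructed from the ones mentioned in the thread plus one extra path chosen to show where a prefix wildcard over-matches.

```python
import re

def aa_glob_to_regex(rule: str) -> str:
    """Translate one AppArmor-style path glob into a regex.

    Simplified model (an assumption, not apparmor_parser's own code):
      *     any run of characters except '/'
      **    any run of characters including '/', possibly empty
      ?     exactly one character other than '/'
      {a,b} alternation between the comma-separated branches
    Everything else, including every '/', is matched literally.
    """
    out = []
    depth = 0          # nesting depth inside {...}
    i = 0
    while i < len(rule):
        c = rule[i]
        if c == '*':
            if rule.startswith('**', i):
                out.append('.*')          # crosses directory boundaries
                i += 2
                continue
            out.append('[^/]*')           # stops at the next '/'
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            depth += 1
            out.append('(?:')
        elif c == '}' and depth:
            depth -= 1
            out.append(')')
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)

def rule_matches(rule: str, path: str) -> bool:
    """True if the whole path is covered by the rule's glob."""
    return re.fullmatch(aa_glob_to_regex(rule), path) is not None

# Constructed sample paths: the three from the thread, a temp file,
# a temp file one directory deeper, and a non-chroot path that merely
# happens to contain the letters "etc/app/conffile".
CANDIDATE_PATHS = [
    "/etc/app/conffile",
    "/var/lib/etc/app/conffile",
    "/var/mnt/etc/app/conffile",
    "/var/libetc/app/conffile",
    "/tmp/aa23Tf45.txt",
    "/tmp/sub/aa23Tf45.txt",
]

def matching_paths(rule: str) -> list:
    """Which of the constructed sample paths a rule would permit."""
    return [p for p in CANDIDATE_PATHS if rule_matches(rule, p)]

if __name__ == "__main__":
    for rule in [
        "/**/etc/app/conffile",                       # needs a non-empty prefix
        "/**etc/app/conffile",                        # also matches /var/libetc/...
        "/{etc,var/lib/etc,var/mnt/etc}/app/conffile",  # only the known prefixes
        "/tmp/*.txt",
        "/tmp/**",
    ]:
        print(f"{rule:48} -> {matching_paths(rule)}")
```

Running it shows why the poster saw `//etc/app/conffile`: with `**` empty, `/**/etc/app/conffile` still demands the literal `/` on both sides of the wildcard, so the un-chrooted path never matches. `/**etc/app/conffile` fixes that but also admits `/var/libetc/app/conffile`, which is the over-match behind Crispin's "a little questionable" remark; spelling out the known prefixes with `{}` alternation keeps the rule to exactly the three locations. For `/tmp`, `*` not crossing `/` is what keeps `/tmp/*.txt` from reaching into subdirectories, while `/tmp/**` reaches everything beneath.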