Hi Christian >> This is the usual review policy for AppArmor (...) >> Maybe you heard about usrMerge
OK, thanks for explanations. It is logical. Yes, I've read about usrMerge - but it was a long time ago. If I remember correctly, it was on Fedora project website. Anyway, I would like to ask about two rules - basically permissions - used in the logrotate profile; /{usr/,}sbin/initctl Ux, /{usr/,}sbin/runlevel Ux, It is secure to use "Ux"? According to this website [1]; "In the case of an allowed application with a Ux rule, the kernel sets the AT_SECURE auxilary vector in the loaded ELF image. This results in the linker (ld.so) sanitizing many dangerous environment variables, including LD_PRELOAD and LD_LIBRARY_PATH (...)" Seth answer [2]. I'm just asking - maybe it's OK, but I'm just curious. What is your opinion about this one? Should it be changed, or as Seth has wrote; "depending upon what they do with init, you could drag in a huge amount of privileges to this profile that logically belong to upstart instead (...)" Best regards. _____________ [1] http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html [2] https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor