Hello,

On Monday, 23 January 2023, 02:47:38 CET, Murali Selvaraj wrote:
> I am trying to use a global/system-wide Apparmor profile to restrict
> the executing of any scripts from the /tmp folder.
> As a first step, I added this entry (audit deny /tmp/* x,) and I was
> expecting Apparmor audit logs while executing the script from /tmp/
> (sh /tmp/foo.sh).
   ^^

That's the problem: you called

    sh /tmp/foo.sh

which means sh (/bin/sh) gets executed. sh then _reads_ the script, but does not _execute_ it.

For comparison, try

    chmod +x /tmp/foo.sh
    /tmp/foo.sh

which should get blocked.

Unfortunately I can't offer an easy way to block

    sh /tmp/foo.sh

Maybe you could execute interpreters like sh, bash, perl, python etc. in a separate profile that doesn't allow access to /tmp/, but that will also block/break valid uses of files in /tmp/.

Regards,

Christian Boltz
--
The only instrument I have mastered is the MP3 player. [Kristian Köhntopp]
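The interpreter profile suggested above, written out as an added illustrative AppArmor profile fragment (not code from the original mail, the poster, or the AppArmor project). It assumes the file lives at /etc/apparmor.d/bin.sh and that /bin/sh is the real binary; AppArmor attaches profiles by the resolved path of the executed file, so if sh is a symlink to dash or bash, the attachment line must name that target instead. It generalizes the rule from the thread in two ways: `/tmp/**` also covers subdirectories, which `/tmp/*` does not, and the `r` denial is what actually catches `sh /tmp/foo.sh`, since the interpreter only reads the script. As the reply warns, this also breaks legitimate shell use of files in /tmp, so treat it as a starting point, not a drop-in.

```apparmor
# Added illustrative profile; assumed path /etc/apparmor.d/bin.sh.
# Attachment path is an assumption: use the real interpreter binary,
# not a symlink such as /bin/sh -> /bin/dash.
#include <tunables/global>

/bin/sh {
  #include <abstractions/base>

  # Permissive baseline so the shell keeps working for everything else.
  # Tighten these bare rules for real deployments.
  capability,
  network,
  file,

  # Explicit deny rules take precedence over the allow rules above.
  # "x" stops /tmp/foo.sh from being executed directly (after chmod +x).
  # "r" is what stops "sh /tmp/foo.sh": the shell only reads the script.
  # "audit" makes both denials show up in the audit log.
  audit deny /tmp/** x,
  audit deny /tmp/** r,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/bin.sh`, then repeat both invocations from the thread (`/tmp/foo.sh` after `chmod +x`, and `sh /tmp/foo.sh`); each should now produce an `apparmor="AUDIT"`/`"DENIED"` line for the /tmp path. Note that the denial is keyed to the interpreter profile, so `cat /tmp/foo.sh | sh` or a here-document still bypasses it, and any other interpreter (perl, python) needs its own profile with the same rules.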