On Wed, Jan 25, 2023 at 01:49:09PM -0500, Murali Selvaraj wrote:
> profile sh_restriction /bin/sh flags=(attach_disconnected,complain) {
> /tmp/** r,
> }
If a shell can read it, then a shell can execute it. The only real options
I can think of:
- prevent the shell from reading it
- modify the
On 1/25/23 10:49, Murali Selvaraj wrote:
Hi Christian,
Thanks for the explanation.
My requirement is to find a way to avoid/block the script (sh /tmp/foo.sh)
execution from directories like (/tmp/).
However I am unable to meet this requirement using the profile below.
cat bin.sh
profile sh_r
Hi Christian,
Thanks for the explanation.
My requirement is to find a way to avoid/block the script (sh /tmp/foo.sh)
execution from directories like (/tmp/).
However I am unable to meet this requirement using the profile below.
cat bin.sh
profile sh_restriction /bin/sh flags=(attach_disconnect
Hello,
On Monday, 23 January 2023, 02:47:38 CET, Murali Selvaraj wrote:
> I am trying to use a global/system-wide AppArmor profile to restrict
> the execution of any scripts from /tmp folder.
> As a first step, I added this entry (audit deny /tmp/* x,) and I was
> expecting AppArmor audit logs wh
Hi All,
I am trying to use a global/system-wide AppArmor profile to restrict the
execution of any scripts from /tmp folder.
As a first step, I added this entry (audit deny /tmp/* x,) and I was
expecting AppArmor audit logs while executing the script from /tmp/ (sh
/tmp/foo.sh).
Can you please sugg