Both of those flags would be easy to implement, the question is: is it worth it?
As Kees pointed out an unconfined user can easily circumvent policy attachment 
and thus the flags that AppArmor would be enforcing.  There are four cases I 
can see this working in:
- trusted start up of daemon, only worried about ptrace attack on it.
  In this case we need to be able to stop an unconfined user process from
  ptracing the daemon
- app launched by trusted process that mandates the application start
  from a fixed location (eg. /usr/bin/whatever)
- app is launched by a wrapper script in a profile that enforces the launch
  location.
- confine the user

The 1st case is really being concerned about ptrace attacks from
something that gets compromised after login.  The 2nd and 3rd are ways
of preventing something that is compromised from circumventing the
protections.  The last one is not trusting the user, and can be done
quite well with the most recent version of AppArmor (not in gutsy).

In general I like the idea of adding some flags to facilitate this. How
did you envision the flags being set up, and what are some more specific
use cases (examples)?  Basically I am looking for design cues, as
deciding how to express it is going to be the hardest point of
implementing it.

-- 
Should provide a flag to disable ptrace()/LD_PRELOAD
https://bugs.launchpad.net/bugs/176301
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
