aa-logprof does not prompt for "owner @{HOME}" rules
Bug #1602770 reported by Uzair Shamim
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
Bug Description
At the moment aa-logprof does not seem to prompt for rules that match "owner @{HOME}", instead it always offers rules like "/home/*/path" which would allow all users access to all other users home directories.
It would be much better if the parser prompts for the owner rules by default (but still offers the /home/*/path rule as one of the options) as that would help mitigate unintended access to the home dir.
Known issue - the problem is that the log parsing doesn't check if "owner" would be enough (the information is available in the log).
I have a big, nearly-finished patchset that rewrites the handling of file rules. When this patchset is finished and accepted, it shouldn't be too hard to add owner restrictions by default.
Proposing @{HOME} instead of /home/*/ is another can of worms ;-) - the biggest part of this can will be to teach aa-logprof about the variable content.
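The check the comment above refers to, as an added illustration that is not part of the bug report or of the aa-logprof code: an AppArmor audit line carries both the process uid (`fsuid=`) and the file owner uid (`ouid=`), so a log parser can tell whether an `owner` rule would have been enough. The log line is constructed; the rule suggestion logic, field names and helper functions are this example's own assumptions.

```python
import re

# Constructed sample of an AppArmor audit entry (not taken from the bug).
# Real entries carry fsuid= (uid of the process) and ouid= (uid of the
# file owner), which is the information the comment above mentions.
SAMPLE_LOG = (
    'apparmor="DENIED" operation="open" profile="/usr/bin/example" '
    'name="/home/alice/.config/example/settings" pid=4242 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
)

# key=value pairs, values either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def suggest_rules(fields):
    """Offer candidate file rules for a DENIED event, most restrictive first.

    If the process uid (fsuid) equals the file owner (ouid), an 'owner'
    rule would have been sufficient, so it is listed first, with the
    broader /home/*/ form kept as a fallback option as the report asks.
    Paths outside /home/<user>/ get a plain rule only.
    """
    path = fields["name"]
    perms = fields["denied_mask"]
    m = re.match(r"/home/[^/]+/(.*)", path)
    if not m:
        return [f"{path} {perms},"]
    rest = m.group(1)
    generic = f"/home/*/{rest} {perms},"
    if fields.get("fsuid") == fields.get("ouid"):
        # Same uid on both sides: the caller only touched its own files.
        return [f"owner @{{HOME}}/{rest} {perms},", generic]
    return [generic]


if __name__ == "__main__":
    for rule in suggest_rules(parse_audit_line(SAMPLE_LOG)):
        print(rule)
```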