I have a problem I am not sure how to solve in AppArmor.
Basically I have a profile that executes a program, let us say
profile myprof {
/my/executable ix,
}
The problem is that from that executable I call another, spawning a process; let us call it /the/other/executable.
How can I make AppArmor give /my/executable permission to call /the/other/executable? This will happen while /my/executable is already running, of course.
profile myprof {
/my/executable ix,
}
When you write a rule like this, what you do is allow myprof to execute /my/executable with exactly the same permissions that myprof has.
So if you want to allow /my/executable to do something, you just need to add that permission to myprof and it will be inherited by /my/executable.
But if you want to give that particular permission exclusively to /my/executable, and not also to myprof, you will need to use something else:
ux - unconfined execute
Ux - unconfined execute -- scrub the environment
px - discrete profile execute
Px - discrete profile execute -- scrub the environment
cx - transition to subprofile on execute
Cx - transition to subprofile on execute -- scrub the environment
pix - discrete profile execute with inherit fallback
Pix - discrete profile execute with inherit fallback -- scrub the environment
cix - transition to subprofile on execute with inherit fallback
Cix - transition to subprofile on execute with inherit fallback -- scrub the environment
pux - discrete profile execute with fallback to unconfined
PUx - discrete profile execute with fallback to unconfined -- scrub the environment
cux - transition to subprofile on execute with fallback to unconfined
CUx - transition to subprofile on execute with fallback to unconfined -- scrub the environment
The difference between a discrete profile and a subprofile is that a discrete profile is a normal profile, while a subprofile is defined inside the current profile.
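To make the answer concrete, here is a complete profile for the situation in the question. This is an added example, not code from the question or the answer; the paths /my/executable and /the/other/executable are the question's placeholders, the profile name "other" and the extra file and network rules are my assumptions, and the named-transition form (`Cx -> other`) and the `profile NAME PATH` header assume a reasonably recent AppArmor parser (on an older parser, drop the `-> other` and name the child profile by the executable's path instead). The three exec modes are shown side by side, with the two that are not in use commented out, because one path can carry only one exec rule.

```apparmor
# /etc/apparmor.d/my.executable  (constructed example; paths are placeholders)
#include <tunables/global>

# Profile "myprof", attached to /my/executable by path.
profile myprof /my/executable {
  #include <abstractions/base>

  # the confined binary itself and the data it reads
  /my/executable mr,
  /etc/myapp/** r,

  # Option 1: inherit (ix). The child keeps running under myprof, so
  # everything it needs must already be allowed in this profile.
  # /the/other/executable ix,

  # Option 2: transition to the subprofile "other" defined below.
  # Capital C scrubs the environment on exec, so LD_PRELOAD and
  # similar variables cannot be carried into the child.
  /the/other/executable Cx -> other,

  # Option 3: transition to a separate top-level profile named after
  # /the/other/executable and kept in its own file under /etc/apparmor.d.
  # /the/other/executable Px,

  # Subprofile used by Option 2. These permissions belong to the child
  # only; myprof itself cannot write the log or open sockets.
  profile other {
    #include <abstractions/base>

    /the/other/executable mr,
    /var/log/myapp/other.log w,
    network inet stream,
  }
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/my.executable`; `aa-status` should then list both `myprof` and `myprof//other` in enforce mode (the `//` form is how AppArmor names a subprofile). Anything the child attempts beyond its rules shows up as an `apparmor="DENIED"` line in `dmesg` or `journalctl -k`, with `profile="myprof//other"`, which is the quickest way to confirm that the transition actually happened rather than the child inheriting myprof.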