On Tue, Apr 13, 2021 at 11:18:12PM +0530, Murali Selvaraj wrote:
> We have observed a few configuration files are present in /tmp which are
> needed for certain processes.
> For example, a few of the files are hidden files located in /tmp/.
>
> In that case, shall we add the below entry
>
> /tmp/** rw,
>
> or do we need to add file-specific entries as below
>
> /tmp/file.txt r,
> /tmp/.init_complete rw,
>
> Which would be the best way for security concerns as well as embedded devices?
> Please advise.
I'm worried that applications that are writing to /tmp/ using fixed filenames like this are likely to be susceptible to /tmp/ file races. You can enable the kernel's mitigations (see sysctl -a | grep fs.protected) for this, but that's only a partial mitigation for the problem. Better is for the applications to write their temporary files into per-application directories as appropriate.

Certainly I'd want to give tighter rules than /tmp/** rw, wherever possible.

Thanks
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
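The tighter rule set the reply asks for, as an added example that is not part of the original thread or of any AppArmor project profile. The binary path /usr/bin/example-daemon and the per-application directory /tmp/example-daemon/ are assumed names chosen for illustration; the two file paths are the ones from the question. Note that AppArmor globs such as `**` also match dotfiles, so `/tmp/** rw,` grants write access to every hidden file under /tmp as well.

```apparmor
# Hypothetical profile for an assumed binary /usr/bin/example-daemon (added example,
# not from the thread). Anything not listed below is denied by default.
#include <tunables/global>

/usr/bin/example-daemon {
  #include <abstractions/base>

  # Weak rule from the question: read/write to everything under /tmp, including
  # dotfiles and files created by other users. Kept here only for comparison.
  # /tmp/** rw,

  # Config the process only consumes: read-only, exact path, no write or link.
  /tmp/file.txt r,

  # Flag file the process itself creates. The 'owner' qualifier restricts the
  # rule to files whose uid matches the task's fsuid, so a file pre-created by
  # another local user at this fixed name is not writable under this profile.
  owner /tmp/.init_complete rw,

  # Preferred layout per the reply: a private per-application directory.
  # The first rule allows creating the directory itself, the second its contents.
  owner /tmp/example-daemon/ rw,
  owner /tmp/example-daemon/** rw,
}
```

Two caveats for practitioners. First, the `owner` qualifier and exact paths narrow what the confined process may open, but AppArmor mediates by pathname, so a symlink planted at a fixed /tmp name by another user is still followed unless fs.protected_symlinks is enabled (the sysctl check in the reply); the sysctl and the profile address different halves of the race. Second, the per-application directory rules are only as good as the application's creation logic: the directory should be created by the daemon with a restrictive mode and a fresh name (mkdtemp-style), not assumed to pre-exist, or another user can create it first.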
