Can apparmor restrict interpreted languages?

python security apparmor

For interpreted/vm languages(e.g. python, java, shell scripts) can apparmor be set to only confine a particular script or program? If so, how?


Yes it's possible. It's also in use in Ubuntu, especially on the phone.

To get a basic apparmor script, you can use aa-autodep from the apparmor-utils package.

Quick example for python:

cat >> ~/myapp << EOF
#! /usr/bin/python
EOF

sudo aa-autodep ~/myapp

cat /etc/apparmor.d/home.<user-name>.myapp

This will give you something like:

# Last Modified: Mon Feb 24 18:31:50 2014
#include <tunables/global>

/home/sam/myapp flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/python>

  /home/sam/myapp r,
  /usr/bin/python2.7 ix,

}

Then you can expand on that.

Related

Xorg.conf (nvidia) Second Monitor getting settings of first
Does Ubuntu 13.10 still encounter issues with UEFI and Windows 8?
Telnet Server not starting
apt-get install <package> equivalent using C++ apt-pkg library
UK Macintosh USB keyboard mapping incorrect after 14.04 update. How can I fix it?
Launchpad: CLI "Copying packages"
Is there an equivalent to windows+p hotkey (change between mirrored/extended monitor) in Ubuntu?
Backup LVM snapshots and Grub2 problem
Boot hangs after upgrade to kernel 3.13.0-43
Is there a way to prevent your windows from moving when an external monitor is connected?
Setting up Freestyle 2 keyboard in Ubuntu 14.04
unmet dependencies for synaptics touchpad driver