Linux security non-modules and AppArmor
Posted Jun 30, 2007 6:34 UTC (Sat) by dlang
In reply to: Linux security non-modules and AppArmor
Parent article: Linux security non-modules and AppArmor
Where did you get the idea that AppArmor can't constrain a process running as root?
One of the things that AppArmor does is limit what links a constrained process can create, exactly to prevent the type of loophole that you are trying to make (IIRC they do something along the lines of 'you can't make a link to a file that you can't write to' or something along those lines).
AppArmor is limiting what the httpd process can do, not what the apache user can do; it doesn't matter what userid the process is running as.