While DAC rules prevent inotify from working on files not readable by the user, AppArmor alone doesn't. Therefore, it's possible for a profile with minimal permissions to enumerate files on the system when they are open, so filenames and time of access aren't private.
I'm sure that this is known by the more experienced people here, but I figured that it was worth sharing as some may not know this.
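A self-check for the behaviour described in the post above, as an added example that is not part of the original post: it watches a directory for `IN_OPEN`, opens a scratch file there from the same process, and reports whether the watch delivered the file name. The function name `open_is_observable` and the scratch file name are hypothetical, and the code makes no claim about what any particular profile returns.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Added self-check (hypothetical helper, not from the original post).
 * Watches `dir` for IN_OPEN, then opens a scratch file `name` in it from
 * this same process and checks whether the watch reported that name.
 * inotify_add_watch() needs read permission on `dir` (the DAC check).
 * Returns 1 if the open was reported, 0 if no matching event arrived,
 * -1 if the watch or the scratch file could not be set up. */
int open_is_observable(const char *dir, const char *name)
{
    char path[4096];
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int seen = 0;

    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0) return -1;
    if (inotify_add_watch(ifd, dir, IN_OPEN) < 0) { close(ifd); return -1; }

    /* O_EXCL: never reuse or follow an existing entry with this name. */
    int f = open(path, O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC, 0600);
    if (f < 0) { close(ifd); return -1; }
    close(f);
    unlink(path);   /* not reported: the watch mask contains IN_OPEN only */

    /* The event was queued at open() time, so a non-blocking read suffices. */
    ssize_t n = read(ifd, buf, sizeof buf);
    for (char *p = buf; n > 0 && p < buf + n; ) {
        const struct inotify_event *ev = (const struct inotify_event *)p;
        if ((ev->mask & IN_OPEN) && ev->len > 0 && strcmp(ev->name, name) == 0)
            seen = 1;   /* the watcher learned the file name */
        p += sizeof *ev + ev->len;
    }
    close(ifd);
    return seen;
}

int main(int argc, char **argv)
{
    int r = open_is_observable(argc > 1 ? argv[1] : ".", "inotify-selfcheck.tmp");
    puts(r == 1 ? "open reported" : r == 0 ? "no event" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

Running the binary under the profile being evaluated shows whether that confinement changes the result compared with an unconfined run.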