

Ask HN: Could AppArmor help as a solution for Shellshock? - goferito


======
lutusp
A qualified no. If a remote process can issue local shell commands, then
AppArmor has no protective role. If AppArmor prevents a process from running
at all, then yes, but that's a completely different question.

For a Web server using CGI, AppArmor has no role. For an SSH login process,
AppArmor has no role except to prevent the execution of certain programs. By
the time AppArmor is choosing which applications may run, a remote login could
have exploited the Shellshock bug and be past AppArmor's control.

