[apparmor] dynamic profiles
John Johansen
john.johansen at canonical.com
Thu Aug 5 02:09:57 BST 2010
On 08/04/2010 12:56 PM, Kees Cook wrote:
> We have a situation where "/etc/init.d/apparmor reload" will remove all
> profiles that are not listed in /etc/apparmor.d/ but this causes a problem
> for profiles that are dynamically generated (for example, libvirt's
> profiles).
>
> I'm not sure the best way to deal with this, though I would note that at
> least in libvirt's case, the profile name does not start with a leading
> "/", so it could be possible to just have apparmor leave profiles like that
> in place.
>
> Thoughts?
>
Hrmm, no, I would rather not just leave profiles without a leading '/' in place.
Instead I would rather tag the profiles that need to be left alone. I can
think of a few possible ways.
1. Userspace
Have a set location for dynamic profiles, e.g. /etc/apparmor/dynamic/.
That way the tools can pick up which profiles should be dynamic. The problem
with this method is that the parser is going to have to parse the profiles
to get the names.

2. Userspace
Have a special userspace file that lists dynamic profiles. When a dynamic
profile is loaded, its name is added to the file (or some variation of
this; we could have multiple files). Problems with this are that the file becomes
a potential contention point in the future, and keeping this list up to
date is problematic. E.g. what if a dynamic profile is removed and a profile
of the same name that isn't dynamic is added?

3. Userspace + kernel
Add a new profile flag that indicates the profile is dynamic, and report it
as part of the profile list.
This way the initscripts could screen out the dynamic profiles.
I also think generally it would be appropriate to tag dynamic profiles as
autoremove when unused. Basically the profile gets added to the list, but
once a task attaches to it, it becomes eligible for automatic removal
once its last reference is put. This isn't available currently, as it had
a bug and was removed as part of upstreaming, but I would like to reintroduce
it (null-profiles will use it).
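The screening step that option 3 would let an initscript perform, as an added example that is not code from this thread or from the AppArmor project. The "name (mode)" line layout follows /sys/kernel/security/apparmor/profiles, but the trailing `dynamic` tag is an assumed rendering of the proposed flag (no shipped kernel reports it), and both listings below are constructed.

```shell
#!/bin/sh
# Added example: which loaded profiles a reload would remove, with and
# without screening on a (proposed, assumed) "dynamic" profile flag.

# Constructed stand-in for the kernel's loaded-profile listing. The
# trailing "dynamic" tag is an ASSUMED rendering of the option-3 flag.
LOADED='/usr/sbin/tcpdump (enforce)
/usr/bin/evince (complain)
libvirt-0f3a1b2c-4d5e-6f70-8192-a3b4c5d6e7f8 (enforce) dynamic
/usr/bin/stale-tool (enforce)'

# Constructed stand-in for the profile names found under /etc/apparmor.d/.
CONFIGURED='/usr/sbin/tcpdump
/usr/bin/evince'

# Print the loaded profiles that a reload would remove: those absent from
# the configured set. honour_dynamic=1 screens out dynamic-tagged profiles
# (option 3); honour_dynamic=0 reproduces the current reload behaviour.
removal_candidates() {
    loaded=$1 configured=$2 honour_dynamic=$3
    printf '%s\n' "$loaded" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%% (*}                     # strip " (mode) ..." suffix
        if [ "$honour_dynamic" = 1 ]; then
            case $line in *') dynamic') continue ;; esac
        fi
        # -x whole line, -F literal match, -q exit status only
        printf '%s\n' "$configured" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

echo "current reload would remove:"
removal_candidates "$LOADED" "$CONFIGURED" 0
echo "with dynamic-flag screening:"
removal_candidates "$LOADED" "$CONFIGURED" 1
```

Without the flag the libvirt profile is lost on every reload; with it only the genuinely stale profile is removed.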