[apparmor] dynamic profiles

Jamie Strandboge jamie at canonical.com
Thu Aug 5 03:40:59 BST 2010


On Wed, 2010-08-04 at 12:56 -0700, Kees Cook wrote:
> We have a situation where "/etc/init.d/apparmor reload" will remove all
> profiles that are not listed in /etc/apparmor.d/ but this causes a problem
> for profiles that are dynamically generated (for example, libvirt's
> profiles).
> 
> I'm not sure the best way to deal with this, though I would note that at
> least in libvirt's case, the profile name does not start with a leading
> "/", so it could be possible to just have apparmor leave profiles like that
> in place.

Right, this is due to how libvirt uses change_profile() and an excellent
observation. AFAIK, libvirt is the only application doing dynamic
profiles in this manner, so simply not reloading these seems to be a
good first step.

OTOH, typical (non-dynamic) transitions like 'px', child profiles and
change_hat() should not be affected by this change (they get reloaded
just fine). I guess it is imaginable that a dynamic profile could
transition to a profile name that starts with '/', but until we are
faced with an application that actually does this, I'm not sure we
should be overly concerned with it. We might simply mention in developer
documentation how AppArmor handles dynamic profiles (both with and
without a leading '/'), so people can make an informed decision when
developing them.

-- 
Jamie Strandboge             | http://www.canonical.com
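
The rule discussed in this message, as an added example that is not part of the original post and is not the AppArmor init script's code: on reload, unload only loaded profiles that are missing from disk and whose name starts with "/", and leave dynamic names in place. The function names (profile_names, stale_profiles, demo) are hypothetical and the sample listings are constructed; the "name (mode)" input format is that of /sys/kernel/security/apparmor/profiles.

```shell
#!/bin/sh
# Added example: decide which loaded profiles a reload would unload when
# names without a leading "/" (dynamic profiles) are left in place.

# Strip the trailing " (mode)" from lines in the format of
# /sys/kernel/security/apparmor/profiles, e.g. "/usr/sbin/ntpd (enforce)".
profile_names() {
    sed -e 's/ ([a-z]*)$//' "$1"
}

# stale_profiles LOADED KNOWN
#   LOADED: file in the kernel "profiles" listing format
#   KNOWN:  file with one profile name per line, as defined on disk
# Prints names that are loaded, not defined on disk, and start with "/".
stale_profiles() {
    profile_names "$1" | while IFS= read -r name; do
        case "$name" in
            /*) ;;            # path-named profile: candidate for removal
            *)  continue ;;   # dynamic profile (no leading "/"): keep
        esac
        grep -Fxq -- "$name" "$2" || printf '%s\n' "$name"
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data, not taken from a real system.
    cat > "$tmp/loaded" <<'EOF'
/usr/sbin/ntpd (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/apache2//DEFAULT_URI (enforce)
/usr/bin/removed-app (complain)
libvirt-00000000-1111-2222-3333-444444444444 (enforce)
EOF
    cat > "$tmp/known" <<'EOF'
/usr/sbin/ntpd
/usr/sbin/tcpdump
/usr/sbin/apache2//DEFAULT_URI
EOF
    stale_profiles "$tmp/loaded" "$tmp/known"
    rm -rf "$tmp"
}

demo
```

A dynamic profile whose name does start with "/" would still be reported as stale by this rule, which is the case the message suggests covering in developer documentation.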