[apparmor] dynamic profiles

Jamie Strandboge jamie at canonical.com
Thu Aug 5 14:39:23 BST 2010


On Thu, 2010-08-05 at 01:31 -0700, John Johansen wrote:
> On 08/04/2010 07:40 PM, Jamie Strandboge wrote:
> > OTOH, typical (non-dynamic) transitions like 'px', child profiles and
> > change_hat() should not be affected by this change (they get reloaded
> named transitions can break.  i.e. px ->
> 
Hmmm, I forgot about 'px ->'. I checked 'cx ->' (which works fine) and
know that 'Px,' works ok.

> > just fine). I guess it is imaginable that a dynamic profile could
> > transition to a profile name that starts with '/', but until we are
> that isn't such a problem as if the profile isn't there the transition
> will fail.  If there is a replacement profile it will get used.  It's
> the case of a non-dynamic profile transitioning to a non-dynamic
> profile with a name that doesn't begin with a '/' that is problematic.
> 
> > faced with an application that actually does this, I'm not sure we
> > should be overly concerned with it. We might simply mention in developer
> > documentation how AppArmor handles dynamic profiles (both with and
> > without a leading '/'), so people can make an informed decision when
> > developing them.
> > 
> but not having a leading '/' does not mean it's dynamic.  It is merely
> a profile that doesn't automatically attach to an unconfined task.
> This means that it is only available through change_profile, named
> transitions or inheritance.

I wasn't clear. I was not saying that no leading '/' automatically means
it is dynamic, but rather that we can document how to do dynamic
profiles (perhaps giving direction, if warranted), and if they are done
in the same manner as libvirt, we could consider them dynamic. I forgot
about the 'px ->' case anyway, so it doesn't matter and I agree we
should look at other options.

-- 
Jamie Strandboge             | http://www.canonical.com
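As an added illustration of the naming distinction John draws above (a profile whose name has no leading '/' never attaches to an unconfined task on its own and is reachable only through change_profile, a named transition or inheritance), here is a constructed AppArmor profile fragment. It is not from this thread or from the AppArmor project; the paths and the profile name "worker" are assumptions chosen for the example.

```apparmor
# Constructed example, not from the mailing-list thread.
# A path-named profile that attaches automatically when the binary runs
# and hands off to a profile whose name has no leading '/'.
/usr/local/bin/launcher {
  #include <abstractions/base>
  /usr/local/bin/launcher mr,

  # Named transition: exec of /usr/local/bin/worker runs under the profile
  # called "worker". This is the 'px ->' case discussed above: the target
  # is looked up by name, so replacing or removing "worker" affects it.
  /usr/local/bin/worker px -> worker,

  # The same target may also be reached via an explicit change_profile()
  # call from the launcher.
  change_profile -> worker,
}

# Because the name does not start with '/', the 'profile' keyword is
# required and nothing attaches to this profile on exec by itself.
profile worker {
  #include <abstractions/base>
  /usr/local/bin/worker mr,
  /var/lib/worker/** rw,
}
```

The practical consequence for the reload discussion is visible in the fragment: the launcher profile names "worker" literally, so whatever is loaded under that name at transition time (the original, a replacement, or nothing) is what the exec or change_profile() resolves to.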