[apparmor] Handling meta-read permissions

Jamie Strandboge jamie at canonical.com
Tue Aug 10 06:16:07 BST 2010


On Mon, 2010-08-09 at 20:24 -0400, John Johansen wrote:
> On 08/09/2010 04:55 PM, Jamie Strandboge wrote:
> Basically I agree with you that this is the way to go and that the
> meta-r nometa-r is UGLY.  Actually I was hoping for a better proposal on
> what to name extend permissions.  I want to make them available at
> the rule level, but with the common case of r, w etc expanding out to
> the extended list internally.
> 
Yeah, meta-r and nometa-r is totally icky and I am *not* advocating it
for the profile language. ;)

I agree that the extend permissions should be on the rule level and the
'r' and 'w' should extend out internally. Perhaps thinking more broadly
would shed some light on this. Are there other extend permissions we may
want sometime in the future (delete, create, chmod, others)?

What about expanding out farther and thinking about all the potential
policy language changes such as the capability additions (chown, ptrace,
chroot and setuid) and 'owner'. Are there others? Thinking about
everything we want to support may show one method is better over
another...

-- 
Jamie Strandboge             | http://www.canonical.com