[apparmor] Improving policy abstractions

John Johansen john.johansen at canonical.com
Tue Aug 10 10:43:38 BST 2010 

So this is just me poking at the future again looking for ideas so we
can work towards getting things onto the road map and maybe even to
the work item level.

One of the things I would like to see is improvements to the profile
language, as while simplistic and easy to read, pages and pages
of rules make profiles rather opaque.

On of the ideas that I have had kicking around for a while and a
little presentation on usability brought to the for is our abstractions.
Basically the include mechanism is functional but less than ideal
for creating abstractions, as it currently combines both permissions
and identifiers.

Basically we have something like

  #include <abstraction/foo>

  and foo does
  /bin/foo rw,
  /bin/bar rw,
  ...

And this works well for somethings, but for some abstractions it would be
nice to be able to separate out the permissions and identify lists of things
as a "type", and then let profiles have it own permissions.  Basically
I am poking at a way to do parameterized abstractions that are clean.

We can do this with variables some what but I'm not to found of how they
have worked out (maybe this is just me).
  eg.
  @{foo} = /bin/foo /bin/bar

and then one profile can do
  @{foo} r,

and another can do
  @{foo} rw,

But this only works for file rules and we aren't using it to any significant
degree.  So what do I do if I want to include a network access in that list?
We could add something like
  type foo = {
    /bin/foo,
    /bin/bar,
    network tcp,
  }

  @foo rw,

or some such, I'm really not sure on syntax or how best to express such
groupings.  I am not looking to replace includes or variables just probing
as to whether we need a different mechanism to complement them.  Basically
I am looking for ways to improve the readability and functionality of our
current policy.  Because I think we can do better, but I am not dealing
with this day to day, so I am looking for ideas.

So what is holding is back?  How can we improve?  How can we make policy
authoring easier, and cleaner?

More information about the AppArmor mailing list