[apparmor] Improving policy abstractions
Kees Cook
kees.cook at canonical.com
Wed Aug 18 16:56:32 BST 2010
On Tue, Aug 10, 2010 at 10:01:48AM +0000, Seth Arnold wrote:
> Of course, I'm scared of parameterized policy, it runs the very real
> risk of growing into a hydra, perhaps your idea of further constraining
> it into types makes sense. (And types would be neat for networking and
> probably IPC too.)
Yeah, I worry too, especially after seeing the kind of policy messes
SELinux has gotten itself into.
I'm not saying I want to block the idea, but we should tread very carefully
here. :)
--
Kees Cook
Ubuntu Security Team