[apparmor] re-enabling set profile

John Johansen john.johansen at canonical.com
Thu Dec 16 00:08:57 GMT 2010

AppArmor used to have the ability for an unconfined administrator to set the profile of an
individual task via the /proc/<pid>/attr/current file

When apparmor was rewritten to support creds, and the lsm path_permissions the ability to set
an individual tasks profile was lost.  Due to the necessary changes in locking and task
restrictions for creds.

While the security value of setting the profile can be argued, it does have value in debugging
and when creating profiles.

I have been kicking around ideas of how to reenable set profile, and I would like to propose
doing it by extending the profile replacement update mechanism.

We make the replacement profile forwarding an indirection stub that can contain a profile
pointer as well as a task pid and and some flags.

Make profile replacement chains rcu based

Replacement is flagged for all tasks using the profile being updated, causing them to enter
the replacement routine, where a secondary test to see if the replacement matches the task is
  If the replacement is task specific the task being replaced is responsible for cleaning
  up the forwarding once it has done its replacement, or when it exits (which ever comes

I don't envision this happening in the 2.6 time frame, but it might be possible for the
next release after 2.6

More information about the AppArmor mailing list