[apparmor] re-enabling set profile
John Johansen
john.johansen at canonical.com
Thu Dec 16 00:08:57 GMT 2010
AppArmor used to have the ability for an unconfined administrator to set the profile of an
individual task via the /proc/<pid>/attr/current file.
When AppArmor was rewritten to support creds and the lsm path_permissions, the ability to set
an individual task's profile was lost, due to the necessary changes in locking and task
restrictions for creds.
While the security value of setting the profile can be argued, it does have value in debugging
and when creating profiles.
I have been kicking around ideas of how to re-enable set profile, and I would like to propose
doing it by extending the profile replacement update mechanism.
We make the replacement profile forwarding an indirection stub that can contain a profile
pointer as well as a task pid and some flags.
Make profile replacement chains RCU-based.
Replacement is flagged for all tasks using the profile being updated, causing them to enter
the replacement routine, where a secondary test to see if the replacement matches the task is
done.
If the replacement is task specific, the task being replaced is responsible for cleaning
up the forwarding once it has done its replacement, or when it exits (whichever comes
first).
I don't envision this happening in the 2.6 time frame, but it might be possible for the
next release after 2.6.
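As an added illustration (not John's code and not anything from the AppArmor tree), the following is a userspace C model of the replacement path sketched in the proposal: a forwarding stub carrying a target profile pointer, a pid and flags; a routine every flagged task enters that performs the secondary test of whether the pending replacement applies to it; and teardown of task-specific forwarding by that task itself, either when it acts on the replacement or when it exits. Every name here (replace_stub, STUB_TASK_SPECIFIC, set_task_profile, run_replacement, task_exit and the constructed "dhclient"/"debug" scenario) is invented for the model; the RCU chains and cred locking the real design depends on are not modelled.

```c
/* Userspace model of the set-profile-via-replacement idea in the post above.
 * All names are hypothetical; not AppArmor kernel code. RCU and cred locking omitted. */
#include <stdlib.h>

#define STUB_TASK_SPECIFIC 0x1   /* assumed flag: stub applies to one pid only */

struct aa_profile { struct replace_stub *stubs; };      /* pending replacements, NULL if none */
struct replace_stub {                /* forwarding stub hung off the old profile */
	struct aa_profile *target;   /* where matching tasks move to */
	int pid;                     /* meaningful only with STUB_TASK_SPECIFIC */
	unsigned int flags;
	struct replace_stub *next;   /* several stubs may hang off one profile */
};
struct task { int pid; struct aa_profile *profile; };  /* profile is NULL once exited */

static void add_stub(struct aa_profile *old, struct aa_profile *target, int pid, unsigned int flags)
{
	struct replace_stub *s = old == target ? NULL : calloc(1, sizeof(*s));
	if (!s)
		return;
	s->target = target; s->pid = pid; s->flags = flags;
	s->next = old->stubs; old->stubs = s;
}

/* Global replacement: every task using old moves to new. */
void replace_profile(struct aa_profile *old, struct aa_profile *new) { add_stub(old, new, 0, 0); }
/* Set profile of a single task: only that pid follows the stub. */
void set_task_profile(struct aa_profile *old, struct aa_profile *new, int pid)
{ add_stub(old, new, pid, STUB_TASK_SPECIFIC); }

static void remove_stub(struct aa_profile *p, struct replace_stub *victim)
{
	struct replace_stub **pp = &p->stubs;
	while (*pp && *pp != victim) pp = &(*pp)->next;
	if (*pp) { *pp = victim->next; free(victim); }
}

/* Secondary test: a task-specific stub for this pid wins, else any global stub. */
static struct replace_stub *match_stub(struct aa_profile *p, int pid)
{
	struct replace_stub *global = NULL, *s;
	for (s = p->stubs; s; s = s->next) {
		if (!(s->flags & STUB_TASK_SPECIFIC)) { if (!global) global = s; }
		else if (s->pid == pid) return s;
	}
	return global;
}

/* The replacement routine a flagged task enters: follow the stubs that apply to it. */
void task_update_profile(struct task *t)
{
	struct replace_stub *s;
	while (t->profile && (s = match_stub(t->profile, t->pid)) != NULL) {
		struct aa_profile *target = s->target;
		if (s->flags & STUB_TASK_SPECIFIC)   /* this task tears down its own forwarding */
			remove_stub(t->profile, s);
		t->profile = target;
	}
}

/* Flag replacement for every task still on old; each enters the routine above. */
void run_replacement(struct task *tasks, size_t n, struct aa_profile *old)
{
	for (size_t i = 0; i < n; i++)
		if (tasks[i].profile == old) task_update_profile(&tasks[i]);
}

/* Exit path: a task dying with a pending task-specific stub must still free it. */
void task_exit(struct task *t)
{
	struct replace_stub *s;
	while ((s = match_stub(t->profile, t->pid)) && (s->flags & STUB_TASK_SPECIFIC))
		remove_stub(t->profile, s);
	t->profile = NULL;
}

/* Constructed scenario: three tasks under "dhclient"; only pid 42 is set to "debug";
 * a global replacement then moves the rest; pid 43 exits with a stub pending.
 * Returns 0 when every step behaved as the proposal describes. */
int demo(void)
{
	struct aa_profile dhclient = { NULL }, debug = { NULL }, v2 = { NULL };
	struct task tasks[3] = { { 41, &dhclient }, { 42, &dhclient }, { 43, &dhclient } };
	int rc = 0;

	set_task_profile(&dhclient, &debug, 42);   /* set profile of pid 42 only */
	run_replacement(tasks, 3, &dhclient);
	if (tasks[0].profile != &dhclient || tasks[1].profile != &debug || tasks[2].profile != &dhclient)
		rc = 1;
	else if (dhclient.stubs)                   /* pid 42 removed its own forwarding */
		rc = 2;

	replace_profile(&dhclient, &v2);           /* ordinary global replacement */
	run_replacement(tasks, 3, &dhclient);
	if (!rc && (tasks[0].profile != &v2 || tasks[1].profile != &debug || tasks[2].profile != &v2))
		rc = 3;

	set_task_profile(&v2, &debug, 43);         /* pending for pid 43 ... */
	task_exit(&tasks[2]);                      /* ... which exits before acting on it */
	if (!rc && v2.stubs)
		rc = 4;
	while (dhclient.stubs)                     /* global stub lives until the old profile dies */
		remove_stub(&dhclient, dhclient.stubs);
	return rc;
}
```

The point the model makes is that per-task set-profile and ordinary replacement share one code path: both install a stub on the old profile and flag its users, and the only difference is the secondary pid test each task runs when it enters the routine, plus who is responsible for freeing the stub afterwards.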