[apparmor] create permission

John Johansen john.johansen at canonical.com
Thu Dec 16 00:24:27 GMT 2010


So AppArmor has had a create permission for a while now, but it has not been directly
expressible in policy.  I would like to fix this; however, the letter c, which is a natural
fit for create (and is what is used by the kernel when reporting it), is used as an x
modifier for children profiles (cx, Cx).

So to expose the create permission we have a few possible choices.
1. choose a different letter
2. use c and require that it is either
   2.1 not used immediately to the left of x if it is to mean cx.
       i.e. xc == create and execute
            cx == child profile transition
   2.2 not used in a rule that has an x transition
3. exposed through long form permissions, i.e. using the create keyword
   /foo create px,
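
The position-dependent reading in option 2.1, and the restriction in option 2.2, shown as a small tokeniser. This is an added example, not part of the original post and not AppArmor parser code; the accepted letter set and the function names are assumptions made for illustration.

```python
# Added illustration of options 2.1 and 2.2; not AppArmor's own parser.
# Assumptions: single-letter file permissions r, w, a, l, k, m; exec modes
# written as <qualifier>x with qualifier in i, p, P, c, C, u, U; a bare "x";
# and "c" as the proposed create permission.
SIMPLE = set("rwalkm")
EXEC_QUALIFIERS = set("ipPcCuU")


def parse_perms(perms):
    """Tokenise a permission string left to right under option 2.1.

    A "c" immediately to the left of "x" is the child-profile transition
    "cx"; a "c" in any other position is the create permission.
    """
    tokens = []
    i = 0
    while i < len(perms):
        ch = perms[i]
        nxt = perms[i + 1] if i + 1 < len(perms) else ""
        if ch in EXEC_QUALIFIERS and nxt == "x":
            tokens.append(ch + "x")      # exec transition such as px or cx
            i += 2
        elif ch == "c":
            tokens.append("create")      # c not directly followed by x
            i += 1
        elif ch == "x" or ch in SIMPLE:
            tokens.append(ch)
            i += 1
        else:
            raise ValueError(f"unexpected {ch!r} at offset {i} in {perms!r}")
    return tokens


def violates_option_2_2(perms):
    """Option 2.2: create may not share a rule with any x permission."""
    tokens = parse_perms(perms)
    return "create" in tokens and any(t.endswith("x") for t in tokens)


if __name__ == "__main__":
    # Constructed sample strings. "wcx" is the case a policy reviewer should
    # watch for: it reads like write+create+exec but yields write + cx.
    for sample in ("xc", "cx", "wcx", "wxc", "rcpx"):
        print(sample, parse_perms(sample), violates_option_2_2(sample))
```

Under option 2.1 the order of letters changes what a rule grants, so `wcx` and `wxc` are different policies; option 2.2 would reject `wxc` and `rcpx` outright.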
