[apparmor] create permission

Christian Boltz apparmor at cboltz.de
Thu Dec 16 19:28:00 GMT 2010


Hello,

On Thursday, 16 December 2010, John Johansen wrote:
> So apparmor has had a create permission for a while now, but it has
> not been directly expressible in policy.  I would like to fix this
> however the letter c which is a natural fit for create (and is what
> is used by the kernel when reporting it) is used as an x modifier
> for children profiles (cx, Cx).
> 
> So to expose the create permission we have a few possible choices.
> 1. choose a different letter

That would be my favorite solution.

What about "n" as in "new file" or uppercase "A" (similar to lowercase a 
for append)?

Not as obvious as c would be, but both variants still have a meaning.

> 2. use c and either require it is either
>    2.1 not used immediately to the left of x if it is to mean cx.
>        ie. xc == create and execute
>            cx == child profile transition

I'm afraid that's more confusing than using a different letter.
(And I don't even want to know how "interesting" it would make vim 
syntax highlighting...)

>    2.2 not used in a rule that has an x transition

create and execute for the same file sounds scary (same for write + 
exec) - but that's a very good reason to make this possible. (The 
alternative would be *xw instead of *x+create, which would be more 
scary.)

> 3. exposed through long for permissions, ie. using the create keyword
>    /foo create px,

No keywords for file permissions, please. That would be inconsistent 
syntax-wise (all other file permissions use letters).


Regards,

Christian Boltz
-- 
> > [telepathy] i doubt you refer to this paranormal phenomena stuff.
> Does software to do that exist? **grin** :-)
Yep, it does, it's called emacs }:-)
[>> Marcus Rueckert, > Cristian Rodriguez R. and Manuel Arostegui
Ramirez in opensuse-buildservice]
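As an added illustration of the ordering problem raised above (constructed for this thread, not AppArmor's own parser), a toy Python parser for the permission field of a file rule under two of the proposed spellings: a distinct letter (n, from the reply) and c-unless-directly-left-of-x (option 2.1). The exec modes listed are the ones AppArmor file rules accept; everything else is a simplification.

```python
# Toy parser for the permission field of an AppArmor file rule, constructed
# for this thread; it is not AppArmor's own parser. It models two of the
# spellings discussed for exposing the create permission:
#   "letter"  - option 1: create spelled with a distinct letter, n here
#   "c_order" - option 2.1: c means create unless it sits directly left of x
EXEC_MODES = {"ix", "px", "Px", "ux", "Ux", "cx", "Cx",
              "pix", "Pix", "cix", "Cix", "pux", "PUx", "cux", "CUx"}
SIMPLE = {"r": "read", "w": "write", "a": "append",
          "l": "link", "k": "lock", "m": "mmap"}


def split_exec(perm):
    """Split off the exec mode: the x plus up to two qualifier letters left of it."""
    i = perm.find("x")
    if i < 0:
        return perm, None
    if perm.count("x") > 1:
        raise ValueError(f"{perm!r}: more than one x")
    for width in (2, 1, 0):  # longest qualifier first, so Pix wins over ix
        start = max(0, i - width)
        cand = perm[start:i + 1]
        if cand in EXEC_MODES:
            return perm[:start] + perm[i + 1:], cand
    # a bare x is rejected, as a real profile needs an exec qualifier
    raise ValueError(f"{perm!r}: x needs a qualifier such as ix, px or cx")


def parse_perms(perm, scheme):
    """Return (frozenset of non-exec permissions, exec mode or None)."""
    create_letter = "n" if scheme == "letter" else "c"
    rest, exec_mode = split_exec(perm)  # may consume a c that is part of cx
    perms = set()
    for ch in rest:
        if ch in SIMPLE:
            perms.add(SIMPLE[ch])
        elif ch == create_letter:
            perms.add("create")
        else:
            raise ValueError(f"{perm!r}: unknown permission letter {ch!r}")
    return frozenset(perms), exec_mode


def is_valid(perm, scheme):
    """True if the permission string parses under the given scheme."""
    try:
        parse_perms(perm, scheme)
        return True
    except ValueError:
        return False
```

Under "c_order", "rwcpx" grants create with a px transition while "rwpcx" is a parse error, which is the kind of position-dependent reading the reply objects to; under "letter" the same rule reads the same regardless of where n is placed.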