[apparmor] create permission

Seth Arnold seth.arnold at gmail.com
Thu Dec 16 19:48:51 GMT 2010


wux is very scary, wpx is moderately scary, and wix is scary only if other domains (or unconfined) can also execute the target. (Or it is a data file corrupted enough to influence other programs, of course.)

I know changing a letter is not going to go over well, but I think using 'c' makes the most sense. Our current 'cx' can be implemented with other mechanisms; it is a nice syntactic sugar, but I think 'c' _feels_ a lot more like 'creat' than 'child'.

Incidentally, a create permission only makes sense to me if there is a permission that says "modify but not create". What's the plan there?

Do we care about creat vs mknod vs mkdir?

Thanks

-----Original Message-----
From: Christian Boltz <apparmor at cboltz.de>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Thu, 16 Dec 2010 20:28:00 
To: <apparmor at lists.ubuntu.com>
Subject: Re: [apparmor] create permission

Hello,

On Thursday, 16 December 2010, John Johansen wrote:
> So apparmor has had a create permission for a while now, but it has
> not been directly expressible in policy.  I would like to fix this
> however the letter c which is a natural fit for create (and is what
> is used by the kernel when reporting it) is used as an x modifier
> for children profiles (cx, Cx).
> 
> So to expose the create permission we have a few possible choices.
> 1. choose a different letter

That would be my favorite solution.

What about "n" as in "new file" or uppercase "A" (similar to lowercase a 
for append)?

Not as obvious as c would be, but both variants still have a meaning.

> 2. use c and either require it is either
>    2.1 not used immediately to the left of x if it is to mean cx.
>        ie. xc == create and execute
>            cx == child profile transition

I'm afraid that's more confusing than using a different letter.
(And I don't even want to know how "interesting" it would make vim 
syntax highlighting...)

>    2.2 not used in a rule that has an x transition

create and execute for the same file sounds scary (same for write + 
exec) - but that's a very good reason to make this possible. (The 
alternative would be *xw instead of *x+create, which would be more 
scary.)

> 3. exposed through long form permissions, ie. using the create keyword
>    /foo create px,

No keywords for file permissions, please. That would be inconsistent 
syntax-wise (all other file permissions use letters).


Regards,

Christian Boltz
-- 
> > [telepathy] i doubt you refer to this paranormal phenomena stuff.
> Does software to do that exists ? **grin** :-)
Yep, It does, it's called emacs }:-)
[>> Marcus Rueckert, > Cristian Rodriguez R. and Manuel Arostegui
Ramirez in opensuse-buildservice]
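
As an added example (not part of the thread and not AppArmor project code), this small audit pass finds file rules that grant write together with an exec mode and labels them with the ranking from the first message. The rule regex is a simplification that covers only plain `path perms,` rules, and the profile text is constructed for the example.

```python
import re

# Assumed rule shape: "[audit|owner] <path> <perms> [-> target],".
# Quoted paths and "deny" rules (which grant nothing) are not matched.
RULE = re.compile(r'^\s*(?:(?:audit|owner)\s+)*(?P<path>[/@]\S*)\s+'
                  r'(?P<perms>[A-Za-z]+)\s*(?:->\s*\S+?\s*)?,')
# Exec modes, longest first; Px/Ux/Cx fold to lowercase for classification.
EXEC = re.compile(r'pix|pux|cix|cux|ux|px|cx|ix', re.I)
# Wording taken from the message above; other modes are not ranked there.
RANK = {"ux": "very scary", "px": "moderately scary",
        "ix": "scary only if other domains can also execute the target"}

def write_exec_rules(profile_text):
    """Return (line, path, perms, exec_mode, rank) for rules granting w plus exec."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0])  # drop comments and #include lines
        if not m:
            continue
        perms = m.group("perms")
        ex = EXEC.search(perms)
        if not ex:
            continue
        # Remove the exec mode letters so the 'w' test sees only access bits.
        rest = perms[:ex.start()] + perms[ex.end():]
        if "w" not in rest:
            continue
        mode = ex.group().lower()
        findings.append((lineno, m.group("path"), perms, mode,
                         RANK.get(mode, "not ranked in the message")))
    return findings

# Constructed sample profile, for illustration only.
SAMPLE = """\
profile demo /usr/bin/demo {
  /etc/demo.conf r,
  /var/lib/demo/plugins/* rwux,
  /usr/lib/demo/helper wPx,
  /tmp/demo-*.sh rwix,   # write + inherit exec
  owner /home/*/bin/tool rix,
  deny /usr/bin/** w,
}
"""

if __name__ == "__main__":
    for finding in write_exec_rules(SAMPLE):
        print("line %d: %s %s [%s] %s" % finding)
```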
