Add profile for origami
Jamie Strandboge
jamie at canonical.com
Wed Jun 9 05:05:39 BST 2010
On Tue, 2010-06-08 at 11:17 -0500, Jamie Strandboge wrote:
> Seth Arnold submitted[1] AppArmor profiles for origami[2][3] some time
> * the writing of cron files seems to be a hole, since those are
> unconfined. Is this strictly required? Should a profile
> for /var/spool/cron/crontabs/origami be developed?
After thinking about this, I realized I wasn't very clear. What I was
trying to get at was:
 * maybe the commands added to /var/spool/cron/crontabs/origami could
   each have a profile (I don't know if origami has canned commands that
   it adds to its crontab or not)
 * maybe origami could be adapted to call a helper program to manage
   its crontab file (which could then also have a profile and origami
   would transition using Px). This helper could then limit what is
   added to the crontab. I don't know if this is feasible either...
The idea being that without putting some sort of limit on what origami
can put in its crontab, I'm not sure trying to confine origami is worth
the trouble. Thoughts?
--
Jamie Strandboge | http://www.canonical.com
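
A sketch of the check such a crontab helper could run before writing /var/spool/cron/crontabs/origami, added here as an example and not taken from the post or from origami. The allowlisted commands and the /usr/bin/origami path are assumptions, since the message does not say which commands origami schedules.

```python
import re

# Constructed allowlist (assumption): commands the helper agrees to schedule.
ALLOWED_COMMANDS = {
    "/usr/bin/origami start",
    "/usr/bin/origami status",
}

# Either one @keyword or five numeric schedule fields, then the command.
ENTRY_RE = re.compile(
    r"(?:@(?:reboot|hourly|daily|weekly|monthly|yearly)"
    r"|(?:[0-9*/,\-]+[ \t]+){4}[0-9*/,\-]+)"
    r"[ \t]+(?P<cmd>\S.*)"
)


def check_line(line):
    """Return None if the crontab line is acceptable, else a reason string."""
    # Strip only space and tab: any other control character stays in the
    # line and makes the exact-match comparison below fail.
    stripped = line.strip(" \t")
    if not stripped or stripped.startswith("#"):
        return None  # blank lines and comments schedule nothing
    m = ENTRY_RE.fullmatch(stripped)
    if m is None:
        # Also rejects VAR=value lines (SHELL=, PATH=, MAILTO=), which
        # would change how every job in the file is run.
        return "not a schedule entry"
    # Exact match, no normalisation: what is checked is what cron will run.
    if m.group("cmd") not in ALLOWED_COMMANDS:
        return "command not on allowlist"
    return None


def validate_crontab(text):
    """Return [(line_number, reason)] for every line the helper refuses."""
    problems = []
    # Split on "\n" only, as cron does; str.splitlines() would also split on
    # characters cron treats as part of the command.
    for n, line in enumerate(text.split("\n"), start=1):
        reason = check_line(line)
        if reason:
            problems.append((n, reason))
    return problems
```

The helper would write the file only when `validate_crontab` returns an empty list, and its own profile would be the only one granted write access to the crontab.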