[apparmor] Draft proposal for new apparmor virtual file system
John Johansen
john.johansen at canonical.com
Thu Nov 4 21:41:48 GMT 2010
The upstreaming of apparmor removed the introspection portions of the apparmor filesystem, specifically the features, matching and profile files.
Below is a proposed layout for the new introspection layer. It is a sysfs style layout with a virtual file for each property. I don't expect all entries to be implemented at first, and some of them may be changed before being implemented.

There are a couple of important points to note. Namespaces and profiles are placed under a common policy directory. This is to aid in virtualizing the filesystem for a new container: a sub-policy directory can be bind mounted over the top of the root policy directory to provide the correct view for a container that has a different apparmor namespace.

The profile name used for a directory is automatically created from the loaded profile name by applying the standard recommended name mapping, e.g. /foo/bar is transformed to foo.bar and profile1 maps to profile1. If a mapped profile name collides with an existing name then it has a unique id appended.
apparmorfs/
    .load
    .replace
    .remove
    features/
        file                # can we sneak having a multi entry file listing permission types in :)
        network
        namespaces          # version supported
        change_hat
        change_hatv
        change_profile
        change_onexec
        capability          # set of capabilities, capability mask???
        rlimits
    policy/
        profiles_max
        profiles_count
        namespaces_max
        namespaces_count
        memory_max
        memory_allocated
        owner
        namespaces/         # directory of subnamespaces
            namespace1/
                policy/     # nested policy dir
            namespace2/
                policy/
        profiles/
            usr.bin.evince/
                mode
                flags
                is_dynamic
                name        # actual name, may be the same as the attachment pattern
                attachment  # /usr/bin/evince ??? do we need a dir for multiple entries
                sha1        # hash of profile
                size        # how big the profile is
                dfa_file    # binary access to loaded file dfa
                dfa_network
                hats/       # could be called profiles again
                    hat1/   # just like a profile
                        mode
                        ....
            profile.unattached/
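The name mapping described above, written out as an added example (this is not code from the proposal or from the AppArmor code base): '/' separators become '.', and a mapped name that is already taken gets a unique id appended. The proposal does not say what the unique id looks like, so the numeric ".<n>" suffix and the stripping of the leading '/' are assumptions here. The example also shows why the per-profile `name` file is needed: two distinct loaded profiles can map to the same directory name.

```python
# Added example modelling the policy/profiles/ directory naming rule.
# Assumptions (not fixed by the proposal): a leading "/" is dropped, and a
# colliding name gets a ".<n>" suffix, counting up from 2.
from __future__ import annotations


def map_profile_name(profile_name: str) -> str:
    """Apply the recommended mapping to a loaded profile name.

    /usr/bin/evince -> usr.bin.evince, profile1 -> profile1
    """
    return profile_name.lstrip("/").replace("/", ".")


class ProfileDirectory:
    """Directory names under policy/profiles/, one entry per loaded profile."""

    def __init__(self) -> None:
        # mapped directory name -> loaded profile name (what the `name`
        # file inside that directory would report)
        self.entries: dict[str, str] = {}

    def add(self, profile_name: str) -> str:
        """Register a loaded profile and return its directory name."""
        base = map_profile_name(profile_name)
        candidate = base
        n = 1
        # Collision rule from the proposal: append a unique id. The ".<n>"
        # form is an assumption; any scheme that yields a free name works.
        while candidate in self.entries:
            n += 1
            candidate = f"{base}.{n}"
        self.entries[candidate] = profile_name
        return candidate

    def loaded_name(self, directory: str) -> str:
        """Recover the real profile name, as the `name` file would."""
        return self.entries[directory]


if __name__ == "__main__":
    profiles = ProfileDirectory()
    # Constructed input: a path-named profile and a plain profile whose name
    # happens to equal the mapped form of the first one.
    for loaded in ("/foo/bar", "foo.bar", "profile1"):
        print(f"{loaded!r:12} -> {profiles.add(loaded)}")
```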