[apparmor] Draft proposal for new apparmor virtual file system

John Johansen john.johansen at canonical.com
Thu Nov 4 21:41:48 GMT 2010


The upstreaming of apparmor removed the introspection portions of the apparmor filesystem.  Specifically the features, matching and profile files.

Below is a proposed layout for the new introspection layer.  It is a sysfs style layout with a virtual file for each property.  I don't expect all entries to be implemented at first and some of them may be changed before implemented.

There are a couple of important points to note: namespaces and profiles are placed under a common policy directory.  This is to aid in virtualizing the filesystem for a new container.  Basically a sub policy directory can be bind mounted over top of the root policy directory to provide the correct view for a container that has a different apparmor namespace.

The profile directory name is automatically created from the loaded profile name by applying the standard recommended name mapping, e.g. /foo/bar will be transformed to foo.bar and profile1 maps to profile1.  If a mapped profile name collides with an existing name then it has a unique id appended.
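As an added illustration (not part of the post or of AppArmor's own code), the following Python models the directory naming described above. The mapping rule is generalised from the post's two examples: the leading slash is dropped and every remaining slash becomes a dot. The collision suffix format (".1", ".2", ...) is an assumption, since the post only says a unique id is appended. Because the mapping is lossy (a profile literally named foo.bar and one named /foo/bar land on the same directory name), the table keeps the original loaded name, which is the information the proposed per-profile `name` file would carry.

```python
"""Model of profile-directory naming for the proposed apparmorfs layout.

Added example, not AppArmor code. Assumptions:
  * mapping rule: strip leading '/', replace remaining '/' with '.'
    (generalised from the post's '/foo/bar' -> 'foo.bar' example)
  * collision suffix: '.1', '.2', ... appended to the mapped name
"""
from typing import Dict


def map_profile_name(name: str) -> str:
    """Map a loaded profile name to a directory entry under policy/profiles/.

    '/foo/bar' -> 'foo.bar', 'profile1' -> 'profile1',
    '/usr/bin/evince' -> 'usr.bin.evince'.
    """
    mapped = name.lstrip("/").replace("/", ".")
    if not mapped:
        # A name consisting only of slashes would map to an empty
        # directory name, which cannot be represented in the tree.
        raise ValueError(f"profile name {name!r} maps to an empty entry")
    return mapped


class ProfileDirectoryNames:
    """Tracks directory names in use and resolves mapping collisions.

    Keeps a table from directory name back to the loaded profile name,
    because the mapping is not reversible on its own.
    """

    def __init__(self) -> None:
        self._dirs: Dict[str, str] = {}  # directory name -> loaded profile name

    def add(self, profile_name: str) -> str:
        """Allocate a unique directory name for a newly loaded profile."""
        base = map_profile_name(profile_name)
        candidate = base
        counter = 1
        # Assumed suffix scheme: keep appending .N until the name is free.
        # Note that a later profile whose *mapped* name already ends in
        # '.1' can itself collide with a suffixed entry; the loop handles
        # that by moving on to the next free suffix.
        while candidate in self._dirs:
            candidate = f"{base}.{counter}"
            counter += 1
        self._dirs[candidate] = profile_name
        return candidate

    def profile_for(self, dirname: str) -> str:
        """Return the loaded profile name behind a directory entry
        (what the per-profile 'name' file would expose)."""
        return self._dirs[dirname]

    def entries(self) -> Dict[str, str]:
        """Snapshot of directory name -> loaded profile name."""
        return dict(self._dirs)


if __name__ == "__main__":
    # Constructed sample: three loaded profiles, two of which collide
    # once mapped.
    table = ProfileDirectoryNames()
    for loaded in ("/usr/bin/evince", "/foo/bar", "foo.bar", "/foo/bar.1"):
        print(f"{loaded:20} -> policy/profiles/{table.add(loaded)}/")
```

Running the block lists the directory each constructed profile would appear under; the two colliding names end up as foo.bar and foo.bar.1, and /foo/bar.1 (which maps to the already-taken foo.bar.1) is pushed on to foo.bar.1.1.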


apparmorfs/
	.load
	.replace
	.remove

	features/
		file			# can we sneak having a multi entry file listing permissions types in :)
		network
		namespaces		# version supported 
		change_hat
		change_hatv
		change_profile
		change_onexec
		capability		# set of capabilities, capability mask???
		rlimits

	policy/
		profiles_max
		profiles_count
		namespaces_max
		namespaces_count
		memory_max
		memory_allocated
		owner

		namespaces/		#directory of subnamespaces
			namespace1/
				policy/	#nested policy dir
			namespace2/
				policy/
		profiles/
			usr.bin.evince/
				mode
				flags
				is_dynamic
				name                            # actual name may be same as attachment pattern
				attachment			# /usr/bin/evince   ??? do we need dir for multiple entries
				sha1				# hash of profile
				size				# how big the profile is
				dfa_file			# binary access to loaded file dfa
				dfa_network

				hats/				# could be called profiles again
					hat1/			# just like profile
						mode
						....
			profile.unattached/
