[apparmor] profile naming and attachment
Kees Cook
kees.cook at canonical.com
Fri Nov 19 00:11:14 GMT 2010
Hi,
On Wed, Nov 17, 2010 at 05:19:17PM -0800, John Johansen wrote:
> = Profile naming =
> ...
> I would like to extend the syntax slightly to allow for a name to be
> specified separately from the profile attachment. The syntax extension would be of
> the form
> profile [name] attachment [flags] { }
+1
> = multiple attachment specification for profiles =
> This one has been discussed in the past and I don't believe it is needed
> anymore. The idea was to allow a profile to have multiple names. So it
> could attach to multiple programs.
Right, no need for this any more.
> = conditional profile attachment =
> ...
> I think it is worth making this functionality available to profile attachment
> as well.
> eg.
> profile confined_user user=guest /bin/bash { }
>
> Thus only attaching the profile for specific users, etc.
It's interesting and expands the ways that AA could be used. I would
say it would make a good future goal, but we shouldn't worry about it
at the moment and instead focus on polishing userspace and finishing
the kernel network and interface bits.
-Kees
--
Kees Cook
Ubuntu Security Team
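An added illustration of the first proposal above, written in the proposed `profile [name] attachment [flags] { }` form. It is not taken from John's message or Kees's reply, and the profile name, the attachment path and the rules inside it are made up for the example; the conditional `user=` attachment from the third proposal is deliberately not shown, since that part is only a suggestion in the thread.

```apparmor
# Constructed example, not from the mailing-list thread.
# The profile is named "notes_editor" but attaches to /usr/local/bin/notes:
# the name is what tooling reports for the confined task, the path is what
# the kernel matches on exec. Separating the two lets the profile keep a
# stable name if the binary is later installed elsewhere.
#include <tunables/global>

profile notes_editor /usr/local/bin/notes flags=(complain) {
  #include <abstractions/base>

  # the attached binary itself
  /usr/local/bin/notes mr,

  # user data the editor is meant to touch, nothing else
  owner @{HOME}/notes/** rw,
  owner @{HOME}/.notesrc r,

  # deny is implicit for everything not listed; an explicit deny just
  # keeps the expected refusals out of the audit log
  deny @{HOME}/.ssh/** rwklx,
}
```

Under the existing syntax the same profile would have to be headed by the bare path, so its name and attachment could not differ. With `flags=(complain)` the example only logs violations, which is the usual state while a new profile is being developed; drop the flag once the rule set is settled.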