[apparmor] PUx permissions?
John Johansen
john.johansen at canonical.com
Tue Apr 19 21:55:30 UTC 2011
On 04/19/2011 02:35 PM, Steve Beattie wrote:
> On Tue, Apr 19, 2011 at 11:16:09PM +0200, Christian Boltz wrote:
>> Final question: Is the order of P and U fixed or can I also use UPx and
>> upx?
>
> UPx and upx aren't meaningful permissions, as what they would mean
> is to default to unconfining the exec'ed binary and fall back to the
> appropriate profile if the unconfined "profile" doesn't exist. Given
> that the unconfined state is always available[1], it would never be
> possible for the px transition to occur. So, no, it's not a valid
> permission.
>
> [1] Long ago, we used to have a global paranoid mode toggle, which
> required that any new process that was exec()ed had to have a
> profile defined or the exec would fail. I don't believe that
> exists anymore as it was generally not useful, but even if it

It doesn't, and I don't think I ever even knew about it, but back
then all px transitions were what we call pux today, so it had more
utility than today.

I really don't see a need for it, so unless someone can come up
with a really good reason for it, it's not coming back any time soon.