[apparmor] Handling chroot, pivotroot, and file system namespaces
Ángel González
ingenit at zoho.com
Wed Dec 7 22:36:33 UTC 2011
I think the profile change on chroot is the way to go, although it may
be interesting to make rules explicit for both pre and post chroot. E.g.:
>
> profile foo {
>
>   /etc/shells r                  # Applies to both but the chroot uses the full path, so only affects pre-chroot
>   @{root}/etc/nsswitch.conf r    # The file with path /etc/nsswitch.conf can be read both outside and inside the chroot
>
>   chroot none {
>     # pre-chroot rules
>     @{root}/etc/passwd r         # Can only be read before chrooting
>   }
>
>   chroot /var/lib/foo-chroot {
>     # post-chroot rules
>     @{root}/etc/foo-users.conf r # Equivalent to /var/lib/foo-chroot/etc/foo-users.conf r
>   }
> }
I'm assuming a variable @{root} which would be automatically set to the
process root folder, either by the kernel or by apparmor_parser.
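The following is an added illustration, not code from the post or from the AppArmor project: a small evaluator for the semantics sketched above. The `chroot none { }` / `chroot /path { }` blocks and the `@{root}` variable are the syntax this message proposes, not AppArmor's actual profile language, so the parser, the `Rule` type, the sample profile and the access checks are all assumptions made here to show how each rule in the example would behave before and after `chroot(2)`. A rule is compared against the host-side path of whatever the process opens, with `@{root}` expanded to the process's current root, which is exactly what makes `/etc/shells r` stop matching after the chroot while `@{root}/etc/nsswitch.conf r` keeps matching.

```python
"""Toy evaluator for the chroot-aware profile syntax proposed in the post.

Assumption: 'chroot none {}' blocks hold pre-chroot rules, 'chroot /path {}'
blocks hold rules for a process whose root is /path, and @{root} expands to
the process's current root directory. None of this is real AppArmor syntax.
"""
import posixpath
from dataclasses import dataclass

# Sample profile, constructed here from the syntax sketched in the post.
SAMPLE_PROFILE = """\
profile foo {
  /etc/shells r
  @{root}/etc/nsswitch.conf r

  chroot none {
    @{root}/etc/passwd r
  }

  chroot /var/lib/foo-chroot {
    @{root}/etc/foo-users.conf r
  }
}
"""

CHROOT = "/var/lib/foo-chroot"  # root of the chrooted process in the sample


@dataclass(frozen=True)
class Rule:
    pattern: str  # path as written in the profile, may contain @{root}
    perms: str    # permission letters, e.g. "r" or "rw"
    scope: str    # "any", "pre" (root is "/"), or the chroot path of the block


def parse_profile(text):
    """Parse the proposed syntax into a flat list of scoped rules."""
    rules, scope, depth = [], "any", 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("profile ") and line.endswith("{"):
            depth += 1
            continue
        if line.startswith("chroot ") and line.endswith("{"):
            target = line[len("chroot "):-1].strip()
            scope = "pre" if target == "none" else posixpath.normpath(target)
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 1:  # back at profile level: rules apply in any root again
                scope = "any"
            continue
        path, perms = line.split()
        rules.append(Rule(path, perms, scope))
    return rules


def host_path(root, process_path):
    """Map the path a process sees onto the host's view of the file system."""
    return posixpath.normpath(posixpath.join(root, process_path.lstrip("/")))


def expand(pattern, root):
    """Expand @{root}; for the real root "/" it expands to "" to avoid "//"."""
    prefix = "" if root == "/" else root.rstrip("/")
    return posixpath.normpath(pattern.replace("@{root}", prefix) or "/")


def allowed(rules, root, process_path, perm):
    """Is `perm` on `process_path` allowed for a process whose root is `root`?"""
    target = host_path(root, process_path)
    for r in rules:
        if r.scope == "pre" and root != "/":
            continue  # pre-chroot rule, process has already chrooted
        if r.scope not in ("any", "pre") and r.scope != posixpath.normpath(root):
            continue  # post-chroot block for a different root
        if expand(r.pattern, root) == target and perm in r.perms:
            return True
    return False


RULES = parse_profile(SAMPLE_PROFILE)


def access_matrix(rules=RULES):
    """Read access to each file of the sample, before and after the chroot."""
    files = ["/etc/shells", "/etc/nsswitch.conf", "/etc/passwd", "/etc/foo-users.conf"]
    return {f: (allowed(rules, "/", f, "r"), allowed(rules, CHROOT, f, "r")) for f in files}


if __name__ == "__main__":
    for path, (pre, post) in access_matrix().items():
        print(f"{path:24} pre-chroot={pre!s:5} post-chroot={post!s:5}")
```

Running it prints one line per file of the sample; the pre/post columns reproduce the comments in the example profile (`/etc/shells` readable only before the chroot, `nsswitch.conf` in both, `passwd` only before, `foo-users.conf` only after).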