[apparmor] mount rules

Seth Arnold seth.arnold at gmail.com
Sat Dec 24 05:27:28 UTC 2011


On Sun, Dec 18, 2011 at 4:00 AM, John Johansen
<john.johansen at canonical.com> wrote:
>> Policy compilation and load time are both far too static. Drives come and
>> go all the time and their scsi name /dev/sd* is next to useless. The
>> dynamic names are better but troublesome. The more I think about it, the
>> more I think labeling is the answer here.
>>
> possibly, patches welcome
>
>> (I wish the kernel just gave them persistent names.)
>>
> it would be nice

A (silly?) thought occurs -- perhaps udevd should be creating either new
device nodes or (this is where it gets devious): bind-mounting the device
nodes to their "friendly" names rather than simply symlinking. Everyone
loves bind mounts and symlinks are so Ye Olde Schoole.

Also, what do we do for FUSE mounts?

Simply allow/disallow FUSE? Or grant permissions to specific FUSE
transports? (Say, allow sshfs for one profile, allow ipod-name-demangling
for another profile.)

Thanks
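As an added illustration of the per-transport option raised above (this is not from the list thread and not AppArmor's shipped policy), the following profile fragment uses the existing `mount` rule syntax, with its `fstype=` condition, to let one program perform only `fuse.sshfs` mounts under a per-user directory. The profile name, the `@{HOME}/mnt/` location, and the exec rule for ssh are assumptions for the example; `fuse.sshfs` is the filesystem type the kernel reports for sshfs mounts.

```apparmor
# Added example profile: restrict one confined program to sshfs mounts.
# Profile path and mount directory are assumptions, not shipped policy.
#include <tunables/global>

/usr/bin/sshfs {
  #include <abstractions/base>

  # Only the sshfs FUSE transport may be mounted, and only under the
  # user's own mount directory. Every other fstype or mountpoint falls
  # under AppArmor's default deny once the profile is in enforce mode,
  # so a second profile (for a different FUSE transport) would simply
  # carry a different fstype= value.
  mount fstype=fuse.sshfs -> @{HOME}/mnt/**,
  umount @{HOME}/mnt/**,

  # sshfs needs the FUSE control device and runs ssh for the transport;
  # ix keeps ssh under this same profile (assumption for the example).
  /dev/fuse rw,
  /usr/bin/ssh ix,

  # Read access to the mounted tree so the program can hand it back.
  @{HOME}/mnt/** r,
}
```

With this approach the policy answers the question per profile rather than globally: FUSE as a mechanism stays available, but each confined program is limited to the transports and mountpoints it legitimately needs, and an attempt to mount any other FUSE type shows up as a denial in the audit log rather than succeeding.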
