[apparmor] apparmor.vim - profile format changes since 2.3?

Christian Boltz apparmor at cboltz.de
Tue Feb 1 15:01:25 UTC 2011


Hello,

On Tuesday, 1 February 2011, John Johansen wrote:
> >>>    ^foobar,  # external hat
> > 
> > You didn't answer that one ;-) - apparmor_parser doesn't like it...
> 
> hrmm this seems to have been dropped when some of the hat rule
> changes were reverted post 2.3 release to fix some problems that we
> had with policies that had large numbers of hats.
> 
> This could be added back in, but is essentially a nop now, and since
> I don't think anyone is using it (they would have to be on a
> non-updated 2.3) I think we will just drop it.

What does this mean regarding external hats?

My preferred solution would be to allow external hats without the need 
to declare them in the main profile. It would make my automated profile 
generation (for apache vhosts) much easier ;-)
(at the moment I have to grep -v '^}$', add a new hat and re-add the } )

> Hrmmm, yes well I described that one poorly.  Basically I meant that I
> would like to be able to use the current task value as the upper
> limit and use that as the upper limit instead of a manually
> specified value.

OK, now it's understandable and sounds like a valid idea.
 
> This has some use in locking down root processes, but its utility is
> limited so it's rather low on the priority queue.

ACK.

> when is the RC1 deadline?

Coolo wrote "this week" in opensuse-packaging.

RC1 release is planned for Feb 10.


Regards,

Christian Boltz
-- 
Microsoft gives you Windows but Linux gives you the whole house! 


