[apparmor] apparmor.vim - profile format changes since 2.3?

[John Johansen]

On 02/01/2011 01:43 PM, Christian Boltz wrote:
> Hello,
> 
> Am Dienstag, 1. Februar 2011 schrieb John Johansen:
>> On 02/01/2011 07:01 AM, Christian Boltz wrote:
> 
>>> What does this mean regarding external hats?
>>
>> Your wish is granted, well sort of.  They don't have to be declared
>> in the main profile.  You just create the profile and load it and as
>> long as it has the hat flag it will work.
>>
>> however it looks like the ability to add the hat flag is missing.  It
>> would look something like
>>
>> /some/profile//external_hat (hat) {
> 
> Never heard about the "hat" flag before ;-)
> 
it gets implicitly added when you do declare a hat

>> }
>>
>> Its an easy fix to add back in and I'll see if I can't get the patch
>> out today.
> 
> I just did a short test and apparmor_parser seems to load the following 
> successfully: (one of my test profiles for apparmor.vim)
> 
yep

> /foo {
> }
> 
> /foo//externalhat {
>         /in/the/hat Ux,
>         network raw,
> }
> 
> I can see /foo and /foo//externalhat in rcapparmor status.
> What I don't know is if /foo would be allowed to change to the hat.
> 
it can't because it isn't a hat, its a child profile

> BTW: IMHO the "hat" flag is superfluous - the // in the profile name 
> should be enough to mark a profile as hat...
> 
well we actually need to distinguish between child profiles and hats.
Hats are a child profile with a flag indicating that they can be used
with change_hat.

So cx and px can be used to transition to any child profile (hats
included).  But the change_hat call is restricted because the request
comes from userspace so we want tighter controls.