[apparmor] Profile Templating

John Johansen john.johansen at canonical.com
Sat Mar 26 08:36:37 UTC 2011

So this is to propose another extension to the profile language, and get
feed back on different possible syntax.

The basic idea is creating new profiles based off of already existing
profiles.  Instead of manually duplicating the profile it would be nice
to be able say this new profile is the same as X but I want to add Y
to it.

so there are few basic ways I have kicked around to go about this

1.  Declare the profile as part of an exec rule

  profile /foo {

    /bar  px -> /foo + { deny network, }


this seem convenient but makes it hard to reuse the profile if it
is used in multiple rules.  It also further clutters the exec rule.
It also doesn't provide for a profile name so the tools would have
to generate one and it may be hard to which profile maps to which

2. Extend profile declaration to allow combining profiles/rules.

  profile foo2 is /foo + { deny network, }

  profile /foo {

    /bar px -> foo2,

this allows keeping profile creation separate from x transition
rules, provides a name for the profiles, and I think has the
potential to be extended more easily in the future.

It also has the potential to have generic template blocks declared
that could be reused with out creating a profile from them

  template base {

  profile foo is base + { deny network, }

The other thing to work out is of course syntax,  Should + used
or a more explicit keyword like union, etc.

The goal here is to make things cleaner, and enabled better reuse.
Which brings the third option,

3. Just make better use of includes
Templating can largely be achieved by just using includes, by
sticking the profile contents in an include and doing

  profile /foo {
    #include <foo_base>

  profile foo2 {
     #include <foo_base>
     deny network,

in many ways this is an appealing option but its not always the
most convenient.  I know this discussion is actually similar to
a previous discussion but it came up again this week so I am
interested in more feedback.

More information about the AppArmor mailing list