[apparmor] conflicting X permissions
John Johansen
john.johansen at canonical.com
Thu Oct 6 17:48:07 UTC 2011
So conflicting x permissions have always been a problem; currently the
compiler can only resolve overlaps where an exact match (i.e. a rule with
no regexes) overlaps a rule with regexes,
e.g.
/bin/** ix,
/bin/foo px,
where the px permission is used for the exact-match overlap.
The next release should see the compiler able to resolve overlaps where
one rule completely dominates another,
e.g.
/bin/** ix,
/bin/foo* px,
/bin/foo is the more specific rule and the px permission will be for the
overlap.
However, rules like
/bin/a* ix,
/bin/*b px,
have an overlap where neither rule is more specific, so there is no easy
way to determine which permission should apply to the overlapping subset
of the match.
To fix this we need to extend the language, to provide a way to specify
that a rule should be preferred.
I was thinking of doing something like
/bin/a* ix,
/bin/*b px overrides /bin/a*,
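As an added illustration of the three cases described above (exact-match overlap, one rule dominating another, and an overlap where neither dominates), here is a small Python checker. It is not part of this post and not the AppArmor compiler's own code: it models only literal characters, `*` (zero or more non-`/` characters) and `**` (zero or more of any character), ignoring `?`, character classes, alternation and the hidden-file special cases, and it decides overlap and dominance by searching the product of the two patterns' automata. The `preferred=` argument is a stand-in for the proposed `overrides` keyword and is an assumption of this example, not shipped syntax.

```python
"""Toy overlap/dominance checker for AppArmor-style path rules.

Added example, not the AppArmor compiler's code. Supports literals, '*'
(zero or more non-'/' chars) and '**' (zero or more of any char) only.
"""
from collections import deque

ANY, NOSLASH, LIT = "any", "noslash", "lit"
OTHER = "\x00"  # stands for "any char that is a literal in neither pattern"


def tokenize(glob):
    """Split a glob into tokens; each token is consumed by one NFA state."""
    tokens, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            tokens.append((ANY, None)); i += 2
        elif glob[i] == "*":
            tokens.append((NOSLASH, None)); i += 1
        else:
            tokens.append((LIT, glob[i])); i += 1
    return tokens


class Matcher:
    """NFA over the token list: state i sits before token i; state n accepts."""
    def __init__(self, glob):
        self.tokens = tokenize(glob)
        self.n = len(self.tokens)

    def closure(self, states):
        # A star token may match the empty string, so it can be skipped for free.
        states, stack = set(states), list(states)
        while stack:
            s = stack.pop()
            if s < self.n and self.tokens[s][0] != LIT and s + 1 not in states:
                states.add(s + 1); stack.append(s + 1)
        return frozenset(states)

    def start(self):
        return self.closure({0})

    def step(self, states, c):
        nxt = set()
        for s in states:
            if s == self.n:
                continue
            kind, lit = self.tokens[s]
            if kind == LIT and lit == c:
                nxt.add(s + 1)
            elif kind == ANY or (kind == NOSLASH and c != "/"):
                nxt.add(s)  # a star keeps consuming characters
        return self.closure(nxt)

    def accepts(self, states):
        return self.n in states


def alphabet(a, b):
    """Chars that are literals in neither pattern all behave like OTHER."""
    lits = {lit for kind, lit in a.tokens + b.tokens if kind == LIT}
    return lits | {"/", OTHER}


def product_search(a, b, goal):
    """BFS over the determinized product of a and b; True if goal() is reached."""
    start = (a.start(), b.start())
    seen, queue = {start}, deque([start])
    while queue:
        sa, sb = queue.popleft()
        if goal(a.accepts(sa), b.accepts(sb)):
            return True
        for c in alphabet(a, b):
            pair = (a.step(sa, c), b.step(sb, c))
            if pair not in seen:
                seen.add(pair); queue.append(pair)
    return False


def overlaps(ga, gb):
    """Some path is matched by both globs."""
    return product_search(Matcher(ga), Matcher(gb), lambda x, y: x and y)


def dominated_by(ga, gb):
    """Every path matched by ga is also matched by gb (ga is more specific)."""
    return not product_search(Matcher(ga), Matcher(gb), lambda x, y: x and not y)


def resolve(rule_a, rule_b, preferred=None):
    """Pick the permission for the overlap, or report an unresolvable conflict.

    `preferred` names the glob whose permission wins on an ambiguous overlap;
    it imitates the proposed 'overrides' keyword (hypothetical, not real syntax).
    """
    (ga, pa), (gb, pb) = rule_a, rule_b
    if not overlaps(ga, gb):
        return "disjoint", None
    a_in_b, b_in_a = dominated_by(ga, gb), dominated_by(gb, ga)
    if a_in_b and b_in_a:
        return "equivalent", None
    if a_in_b:
        return "more specific: " + ga, pa
    if b_in_a:
        return "more specific: " + gb, pb
    if preferred == ga:
        return "override: " + ga, pa
    if preferred == gb:
        return "override: " + gb, pb
    return "conflict: neither rule dominates", None


if __name__ == "__main__":
    print(resolve(("/bin/**", "ix"), ("/bin/foo", "px")))
    print(resolve(("/bin/**", "ix"), ("/bin/foo*", "px")))
    print(resolve(("/bin/a*", "ix"), ("/bin/*b", "px")))
    print(resolve(("/bin/a*", "ix"), ("/bin/*b", "px"), preferred="/bin/*b"))
```

The search terminates because, once characters are collapsed onto the finite alphabet of literals plus `/` and a single "other" symbol, the product of the two determinized automata has finitely many states; the `/bin/a*` vs `/bin/*b` pair comes back as a conflict precisely because `/bin/a` is matched only by the first rule and `/bin/b` only by the second.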