[apparmor] conflicting X permissions

Jamie Strandboge jamie at canonical.com
Thu Oct 6 18:10:38 UTC 2011


On Thu, 2011-10-06 at 10:48 -0700, John Johansen wrote:
> However rules like
>   /bin/a* ix,
>   /bin/*b px,

> have an overlap where neither rule is more specific, so there is no easy
> way to determine which permission should apply to the overlapping subset
> of the match.
> 
> To fix this we need to extend the language, to provide a way to specify
> that a run should be preferred.
> 
> I was thinking of doing something like
> 
>   /bin/a* ix,
>   /bin/*b px  overrides /bin/a*,
> 

At first I was trying to think if we could be smarter and say 'if the
permissions are tighter, prefer the rule', but quickly realized this is
fraught with peril and I think I like this. We need to account for when
'/bin/a*' in the above example doesn't exist any more but we still have
the override rule somewhere, for when we want to override abstractions
or when using the local/ so that things don't explode. Rules like this
also get kinda cryptic:

/bin/a* ix,
/bin/*b Cx -> profilename overrides /bin/a*,

I'm not sure we care a lot about that, as it is a bit of a corner case,
but thought I would at least mention it.

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20111006/63c2c140/attachment.pgp>


More information about the AppArmor mailing list