[apparmor] conflicting X permissions
Jamie Strandboge
jamie at canonical.com
Thu Oct 6 18:10:38 UTC 2011
On Thu, 2011-10-06 at 10:48 -0700, John Johansen wrote:
> However rules like
> /bin/a* ix,
> /bin/*b px,
> have an overlap where neither rule is more specific, so there is no easy
> way to determine which permission should apply to the overlapping subset
> of the match.
>
> To fix this we need to extend the language, to provide a way to specify
> that a run should be preferred.
>
> I was thinking of doing something like
>
> /bin/a* ix,
> /bin/*b px overrides /bin/a*,
>
At first I was trying to think if we could be smarter and say 'if the
permissions are tighter, prefer the rule', but quickly realized this is
fraught with peril and I think I like this. We need to account for when
'/bin/a*' in the above example doesn't exist any more but we still have
the override rule somewhere, for when we want to override abstractions
or when using the local/ so that things don't explode. Rules like this
also get kinda cryptic:
/bin/a* ix,
/bin/*b Cx -> profilename overrides /bin/a*,
I'm not sure we care a lot about that, as it is a bit of a corner case,
but thought I would at least mention it.
--
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20111006/63c2c140/attachment.pgp>
More information about the AppArmor
mailing list