[apparmor] conflicting X permissions

John Johansen john.johansen at canonical.com
Thu Oct 6 18:17:51 UTC 2011


On 10/06/2011 11:10 AM, Jamie Strandboge wrote:
> On Thu, 2011-10-06 at 10:48 -0700, John Johansen wrote:
>> However rules like
>>   /bin/a* ix,
>>   /bin/*b px,
>> have an overlap where neither rule is more specific, so there is no easy
>> way to determine which permission should apply to the overlapping subset
>> of the match.
>> To fix this we need to extend the language, to provide a way to specify
>> that a run should be preferred.
>> I was thinking of doing something like
>>   /bin/a* ix,
>>   /bin/*b px  overrides /bin/a*,
> At first I was trying to think if we could be smarter and say 'if the
> permissions are tighter, prefer the rule', but quickly realized this is
> fraught with peril and I think I like this. We need to account for when
> '/bin/a*' in the above example doesn't exist any more but we still have
> the override rule somewhere, for when we want to override abstractions
I think the parser could issue a warning, or even an error message.

> or when using the local/ so that things don't explode. Rules like this
> also get kinda cryptic:
hrmmm, do we really want to be able to say?

  /bin/foo px overrides include <local/>,

Or should we force it to be rule-specific?  The parser error messages
should be improved so that we know which rules conflict when it fails
with a conflicting message.

> /bin/a* ix,
> /bin/*b Cx -> profilename overrides /bin/a*,
> I'm not sure we care a lot about that, as it is a bit of a corner case,
> but thought I would at least mention it.
yeah it is, we can try tweaking the syntax to improve it a bit
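The overlap the thread is arguing about (two globs that both match a path, neither one a sub-pattern of the other, with different x modes) can be spotted before the parser ever sees the profile. The following is an added example, not code from this thread or from the AppArmor project: a small Python checker that translates AppArmor file globs into regexes, pulls the exec mode out of each rule, and reports rule pairs whose exec modes disagree on some path. Whether one rule is "more specific" than the other is approximated over a constructed set of sample paths (one rule's matched set containing the other's), which is an assumption of this example rather than the parser's own algorithm; the profile lines and sample paths are constructed, and the `overrides` syntax proposed above is not parsed.

```python
import re
from itertools import combinations
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    text: str              # the rule as written in the profile
    glob: str              # path pattern
    mode: Optional[str]    # exec mode (ix, px, Cx, ...) or None if no exec grant
    target: Optional[str]  # '-> profilename' target, if any

# Exec modes AppArmor accepts on a file rule; the thread uses ix, px and Cx.
EXEC_MODE = re.compile(r"([pPcCuU]ix|[pPcCuU]x|ix)")

def glob_to_regex(glob: str):
    """Translate an AppArmor file glob to an anchored regex.
    Assumption: only the common operators are handled:
      **  any characters, including '/'
      *   any characters except '/'
      ?   one character except '/'
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rule(line: str) -> Rule:
    """Parse '<glob> <perms>[ -> target],' into a Rule."""
    body = line.strip().rstrip(",")
    target = None
    if "->" in body:
        body, target = (part.strip() for part in body.split("->", 1))
    glob, _, perms = body.partition(" ")
    m = EXEC_MODE.search(perms.strip())
    return Rule(line.strip(), glob, m.group(1) if m else None, target)

def overlapping_exec_rules(profile_lines, sample_paths):
    """Return (rule_a, rule_b, kind, paths) for every pair of exec rules that
    both match at least one sample path with differing exec modes/targets.
    kind is 'nested' when one rule's matched sample set contains the other's
    (a sample-based stand-in for 'more specific'), else 'ambiguous'."""
    rules = [parse_rule(l) for l in profile_lines
             if l.strip() and not l.strip().startswith("#")]
    exec_rules = [r for r in rules if r.mode]
    matched = {r.text: {p for p in sample_paths if glob_to_regex(r.glob).match(p)}
               for r in exec_rules}
    findings = []
    for a, b in combinations(exec_rules, 2):
        if a.mode == b.mode and a.target == b.target:
            continue  # same effect on both sides, no conflict
        both = matched[a.text] & matched[b.text]
        if not both:
            continue  # no sample path is claimed by both rules
        sa, sb = matched[a.text], matched[b.text]
        kind = "nested" if (sa <= sb or sb <= sa) else "ambiguous"
        findings.append((a.text, b.text, kind, sorted(both)))
    return findings

# Constructed profile fragment and sample paths (not from a real policy).
PROFILE = [
    "/bin/a* ix,",
    "/bin/*b px,",
    "/bin/ab Cx -> child,",
    "/usr/bin/foo r,",
]
SAMPLE_PATHS = ["/bin/ab", "/bin/ac", "/bin/cb", "/bin/a/b", "/usr/bin/foo"]

if __name__ == "__main__":
    for a, b, kind, paths in overlapping_exec_rules(PROFILE, SAMPLE_PATHS):
        print(f"{kind:9s} {a!r} vs {b!r} on {paths}")
```

Run against the constructed fragment, the `/bin/a* ix` and `/bin/*b px` pair comes back as `ambiguous` on `/bin/ab`, which is exactly the case the thread says the language cannot currently resolve, while the exact `/bin/ab Cx` rule is reported as `nested` against each glob. A sample set can only show overlaps it happens to contain; a complete answer needs an intersection test on the two pattern automata, which is what the parser does when it builds its DFA.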
