[apparmor] conflicting X permissions
John Johansen
john.johansen at canonical.com
Thu Oct 6 18:17:51 UTC 2011
On 10/06/2011 11:10 AM, Jamie Strandboge wrote:
> On Thu, 2011-10-06 at 10:48 -0700, John Johansen wrote:
>> However rules like
>> /bin/a* ix,
>> /bin/*b px,
>>
>> have an overlap where neither rule is more specific, so there is no easy
>> way to determine which permission should apply to the overlapping subset
>> of the match.
>>
>> To fix this we need to extend the language, to provide a way to specify
>> that a run should be preferred.
>>
>> I was thinking of doing something like
>>
>> /bin/a* ix,
>> /bin/*b px overrides /bin/a*,
>>
>
> At first I was trying to think if we could be smarter and say 'if the
> permissions are tighter, prefer the rule', but quickly realized this is
> fraught with peril and I think I like this. We need to account for when
> '/bin/a*' in the above example doesn't exist any more but we still have
> the override rule somewhere, for when we want to override abstractions
I think the parser could issue a warning, or even an error message
> or when using the local/ so that things don't explode. Rules like this
> also get kinda cryptic:
>
hrmmm, do we really want to be able to say?
/bin/foo px overrides include <local/>,
Or should we force it to be rule specific? The parser error messages
should be improved so that we know which rules conflict, when it fails
with a conflicting message.
> /bin/a* ix,
> /bin/*b Cx -> profilename overrides /bin/a*,
>
> I'm not sure we care a lot about that, as it is a bit of a corner case,
> but thought I would at least mention it.
>
yeah it is, we can try tweaking the syntax to improve it a bit
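The overlap discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from the AppArmor parser: it classifies two path globs as disjoint, equal, one more specific than the other, or ambiguous (overlapping with neither more specific). The function names are hypothetical, and only literals, `*` and `?` are modelled, with neither wildcard matching `/`.

```python
from collections import deque

def _closure(pat, states):
    # '*' may match nothing, so being at a '*' also means being just past it.
    out, stack = set(states), list(states)
    while stack:
        i = stack.pop()
        if i < len(pat) and pat[i] == "*" and i + 1 not in out:
            out.add(i + 1)
            stack.append(i + 1)
    return frozenset(out)

def _step(pat, states, ch):
    nxt = set()
    for i in states:
        if i == len(pat):
            continue
        if pat[i] == "*" and ch != "/":
            nxt.add(i)                      # '*' consumes one more non-slash char
        elif pat[i] == "?" and ch != "/":
            nxt.add(i + 1)
        elif pat[i] == ch:
            nxt.add(i + 1)
    return _closure(pat, nxt)

def compare(a, b):
    """Relate two path globs; returns (relation, shortest path matched by both)."""
    for pat in (a, b):
        if "**" in pat or set("[]{}") & set(pat):
            raise ValueError("only literals, '*' and '?' are modelled here")
    # Characters neither glob names all behave alike; "\x01" stands in for them.
    alphabet = sorted((set(a + b) - set("*?")) | {"/", "\x01"})
    start = (_closure(a, {0}), _closure(b, {0}))
    seen, queue, found = {start}, deque([(start, "")]), {}
    while queue:
        (sa, sb), path = queue.popleft()
        found.setdefault((len(a) in sa, len(b) in sb), path)  # (a matches, b matches)
        for ch in alphabet:
            nxt = (_step(a, sa, ch), _step(b, sb, ch))
            if (nxt[0] or nxt[1]) and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + ch))
    both, only_a, only_b = [k in found for k in ((True, True), (True, False), (False, True))]
    if not both:
        return "disjoint", None
    if only_a and only_b:
        return "ambiguous", found[True, True]   # neither rule is more specific
    if only_a or only_b:
        return ("b more specific" if only_a else "a more specific"), found[True, True]
    return "equal", found[True, True]

if __name__ == "__main__":
    # Constructed input: the two rule paths from the thread.
    print(compare("/bin/a*", "/bin/*b"))
```

For the two rules quoted above, the shortest path both globs match is `/bin/ab`, which is the path where `ix` and `px` would conflict.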