[apparmor] conflicting X permissions

Jamie Strandboge jamie at canonical.com
Thu Oct 6 19:06:25 UTC 2011


On Thu, 2011-10-06 at 11:17 -0700, John Johansen wrote:
> On 10/06/2011 11:10 AM, Jamie Strandboge wrote:
> > 
> > At first I was trying to think if we could be smarter and say 'if the
> > permissions are tighter, prefer the rule', but quickly realized this is
> > fraught with peril and I think I like this. We need to account for when
> > '/bin/a*' in the above example doesn't exist any more but we still have
> > the override rule somewhere, for when we want to override abstractions
> I think the parser could issue a warning, or even an error message
> 
I think a warning would be sufficient and just use the rule as if there
is no override in place (seems to make logical sense), assuming this is
not horribly difficult.

> > or when using the local/ so that things don't explode. Rules like this
> > also get kinda cryptic:
> > 
> hrmmm, do we really want to be able to say?
> 
>   /bin/foo px overrides include <local/>,
> 
> Or should we force it to be rule specific.  The parser error messages
> should be improved so that we know which rules conflict, when it fails
> with a conflicting message

That is an interesting idea, but the other way around (ie, anything in
local/ overrides other policy). In a lot of ways I like it because it
has the potential to solve several issues. However, I understand that
local/ is really not very popular in general and I think that rules like
that make it even more difficult to audit policy. If we are rule
specific, it still allows people to use local/ in a meaningful way.

> > /bin/a* ix,
> > /bin/*b Cx -> profilename overrides /bin/a*,
> > 
> > I'm not sure we care a lot about that, as it is a bit of a corner case,
> > but thought I would at least mention it.
> > 
> yeah it is, we can try tweaking the syntax to improve it a bit
> 
Another thing that occurs to me is that I bet people will want to be
able to do this:

deny /bin/a* rmix,
/bin/*b overrides /bin/a*,

but it won't work because of how deny rules are applied after. I mention
this only as a documentation point if we implement 'overrides'.

-- 
Jamie Strandboge             | http://www.canonical.com
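The two situations discussed in this thread, two allow rules with different x modes matching the same path, and a deny rule that wins regardless of any later allow rule, can be seen with a small path-matching model. The script below is an added example, not AppArmor's parser and not code from this list: it translates the file globs into regexes, checks a constructed list of paths against the rules, and reports a conflict where overlapping allow rules disagree on the exec mode. It deliberately has no 'overrides' keyword, since that syntax is only a proposal here, and unlike the real parser (which rejects conflicting x modes at compile time over the whole pattern space) it only examines the paths you hand it.

```python
import re
from dataclasses import dataclass

# Exec modifiers this model recognises. Longer combined forms come first so
# that "Pix" is reported as Pix rather than as ix.
EXEC_MODES = ("Pix", "pix", "Cix", "cix", "Pux", "pux", "Cux", "cux",
              "ix", "px", "Px", "cx", "Cx", "ux", "Ux")


@dataclass(frozen=True)
class Rule:
    deny: bool
    glob: str
    perms: str
    regex: re.Pattern


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate AppArmor-style path globbing into a regex.

    '*' matches within a single path component, '**' may cross '/',
    '?' matches one non-slash character. Character classes and
    alternation are not modelled here."""
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(line: str) -> Rule:
    """Parse one file rule such as 'deny /bin/a* rmix,' or '/bin/*b Cx -> prof,'."""
    text = line.strip().rstrip(",")
    deny = text.startswith("deny ")
    if deny:
        text = text[len("deny "):]
    # The '-> profile' transition target does not affect matching, so drop it.
    text = text.split("->")[0].strip()
    glob, perms = text.split()
    return Rule(deny, glob, perms, glob_to_regex(glob))


def exec_mode(perms: str):
    """Return the exec modifier contained in a permission string, if any."""
    for mode in EXEC_MODES:
        if mode in perms:
            return mode
    return None


def evaluate(rules, path):
    """Decide what the rule set says about executing `path`.

    Returns one of:
      ('nomatch', None)      no rule mentions the path
      ('deny', None)         a deny rule matched; deny takes precedence over allow
      ('conflict', modes)    allow rules match with differing exec modes
      ('allow', mode)        exactly one exec mode applies
    """
    matching = [r for r in rules if r.regex.match(path)]
    if not matching:
        return ("nomatch", None)
    if any(r.deny for r in matching):
        return ("deny", None)
    modes = sorted({exec_mode(r.perms) for r in matching} - {None})
    if len(modes) > 1:
        return ("conflict", tuple(modes))
    return ("allow", modes[0] if modes else None)


def find_conflicts(rules, paths):
    """List (path, modes) for every path where allow rules disagree on x mode."""
    found = []
    for p in paths:
        verdict, detail = evaluate(rules, p)
        if verdict == "conflict":
            found.append((p, detail))
    return found


# Constructed sample: the two rules from the thread and a made-up /bin listing.
THREAD_RULES = [parse_rule("/bin/a* ix,"),
                parse_rule("/bin/*b Cx -> profilename,")]
DENY_RULES = [parse_rule("deny /bin/a* rmix,"),
              parse_rule("/bin/*b Cx,")]
SAMPLE_PATHS = ["/bin/ab", "/bin/ac", "/bin/xb", "/bin/sub/ab", "/usr/bin/ab"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, evaluate(THREAD_RULES, p))
    print("conflicts:", find_conflicts(THREAD_RULES, SAMPLE_PATHS))
    print("/bin/ab under the deny variant:", evaluate(DENY_RULES, "/bin/ab"))
```

Running it shows /bin/ab as the only conflicting path under the first rule set, while under the second set the deny rule decides /bin/ab no matter which allow rule also matches, which is the documentation point made above.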
