[apparmor] Any plans for something like @{PROC}/@PID/ or @{PROCSELF} ?

Rob Meijer pibara at gmail.com
Tue Sep 6 07:24:29 UTC 2011


I've just started with the design for a rewrite of MinorFs that aims
to be multi-granular. My (still fluid) thoughts on MinorFs2:

http://minorfs.polacanthus.net/wiki/Concepts_for_MinorFs2

One of my main thoughts is to isolate the determination of a
'persistence-id' in a dbus service running as root, in such a way that
this may in turn eventually move to kernel space. Along the same line
I'm also looking at piggy-backing that part of the MinorFs configuration
into AppArmor profiles.

One issue with the old AppArmor/MinorFs combination that still seems
to remain is the fact that the new MinorFs2, as I envision it, will
also rely on the proc subdirectory pointed to by /proc/self being
process-private. The most trivial way this could be enabled would be for
AppArmor profiles to support a notation like @{PROC}/@PID/ or
@{PROCSELF} in its profiles. Is such a thing still anywhere on
the road map? If not, is there any other way of allowing a profile to
mark a process's /proc/$PID as private that is planned for any
future version of AppArmor?

Tnx,

Rob J Meijer
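For context on the notation asked about above: later AppArmor releases added the kernel-resolved variables @{pid} and @{tid}, which the kernel substitutes at access time with the PID (or TID) of the task performing the access, so a rule written with @{PROC}/@{pid}/ only ever matches the confined task's own /proc entry. The profile fragment below is an added example, not code from the post or from the MinorFs project; the binary path /usr/bin/minorfs-client is a hypothetical name chosen for illustration, and @{PROC} is the usual /proc variable from tunables/global.

```apparmor
# Added example (not from the post): a minimal profile for a hypothetical
# binary /usr/bin/minorfs-client that grants read access only to the
# confined task's own /proc/<pid> tree. @{PROC} is defined by
# tunables/global; @{pid} is a kernel variable resolved per access.
#include <tunables/global>

/usr/bin/minorfs-client {
  #include <abstractions/base>

  # @{pid} expands to the PID of the task doing the access, so the
  # directory of any other process, even one run by the same user,
  # does not match these rules and stays denied by default.
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/** r,

  # Note: the 'owner' qualifier is not a substitute for @{pid}. It only
  # requires that the file's owner equal the task's fsuid, so a rule like
  #   owner @{PROC}/[0-9]*/environ r,
  # would still match every process of the same user, not just this one.
}
```

The practitioner's caveat is the one in the comment: `owner` keys on user identity, @{pid} keys on task identity, and only the latter gives the per-process /proc privacy the post is asking for. Everything not listed in the profile remains denied, so no explicit deny rule for other PIDs is needed (and an explicit `deny @{PROC}/[0-9]*/** r,` would override the allow rules above, since deny takes precedence in AppArmor).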
