[apparmor] Any plans for something like @{PROC}/@PID/ or @{PROCSELF} ?

Jamie Strandboge jamie at canonical.com
Wed Sep 14 13:10:08 UTC 2011


On Tue, 2011-09-13 at 17:15 -0700, Seth Arnold wrote:
> When I read the first proposal here, this was my exact thought; my initial
> guess on what to do about it involved _two_ variables:
> 
> @{PIDS}=[0-9][0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?
> @{MYPID}= @{PIDS} until @{__KERNEL_PID__} is available

I think I prefer this myself. I don't like the 'until' though because,
as mentioned, it causes @{MYPID} to be overloaded and its meaning
dependent on the kernel installed. IMO these two variables should be
unambiguous which is obviously good for auditing policy. I'm not
convinced about migration issues, as policy currently needs to be
changed to use @{MYPID} -- people just have to wait until it is
available (I could be missing something).

Why are we forcing this syntax:
@{PROC}/@{MYPID}

Instead of just:
@{MYPID}

I am also not sure of the benefit of @{PROCSELF}, since the path is
unchanging (i.e. @{PROC}/self). Was this intended to be what @{MYPID} is
for?

-- 
Jamie Strandboge             | http://www.canonical.com
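Added example, not part of the thread and not AppArmor's own tunables: the two variables from the proposal, written with the alternation syntax AppArmor variables already accept (`{a,b,c}`), since AppArmor globs have no "optional" operator like the `?` used in the quoted regex, followed by a hypothetical profile that uses them. The tunables file location, the profile path and the rules are assumptions for illustration.

```apparmor
# Added example (not from the thread). Variable definitions in the spirit of
# the proposal, using existing AppArmor alternation rather than a regex.
# Assumed to live in a tunables file included by the profile.
@{PROC}=/proc/
@{PIDS}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9]}

# Until a kernel-supplied "own pid" variable exists, this is the same set as
# @{PIDS}; the separate name only records intent, which is exactly the
# overloading the reply above objects to.
@{MYPID}=@{PIDS}

# Hypothetical profile (assumed path) showing the practical difference.
/usr/bin/example-daemon {
  # Own process state. Because @{MYPID} still matches every pid, the
  # `owner` qualifier is what actually narrows these rules to processes
  # running as the confined task's uid.
  owner @{PROC}/@{MYPID}/status r,
  owner @{PROC}/@{MYPID}/fd/ r,

  # Deliberately broad: reading any process's command line.
  @{PROC}/@{PIDS}/cmdline r,
}
```

When auditing such a policy, treat `@{MYPID}` without `owner` as equivalent to `@{PIDS}`: the variable name promises a restriction the kernel is not yet enforcing.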