[apparmor] Any plans for something like @{PROC}/@PID/ or @{PROCSELF} ?
Christian Boltz
apparmor at cboltz.de
Wed Sep 14 18:56:49 UTC 2011
Hello,
Am Mittwoch, 14. September 2011 schrieb Jamie Strandboge:
> On Tue, 2011-09-13 at 17:15 -0700, Seth Arnold wrote:
> > When I read the first proposal here, this was my exact thought; my
> > initial guess on what to do about it involved _two_ variables:
> >
> > @{PIDS}=[0-9][0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?
> > @{MYPID}= @{PIDS} until @{__KERNEL_PID__} is available
Sounds like a good way, but are 7-digit PIDs really used out there?
> I'm not convinced about migration issues, as policy currently needs
> to be changed to use @{MYPID} -- people just have to wait until it
> is available (I could be missing something).
I'd say the migration path is needed for people who use new aa-tools
and/or new profiles on an old kernel, and doesn't hurt too much.
Without the migration path, we'll get quite some delay because of
dependencies - 1. push into kernel - 2. wait until major distros use
this kernel version - 3. update parser (and profiles) - 4. wait until
distros update to new parser and profiles.
With the migration fallback, you can remove the "wait" parts from the
previous paragraph.
> Why are we forcing this syntax:
> @{PROC}/@{MYPID}
>
> Instead of just:
> @{MYPID}
It's more flexible - @{MYPID} could also be used for something like
/tmp/ssh-*/agent.@{MYPID} (that's the socket for ssh-agent, however I'm
not sure if it's really the PID that is used)
> I also am not sure of the benefit of @{PROCSELF} since the path is
> unchanging (ie @{PROC}/self).
I'd say @{PROCSELF} is superfluous.
Additionally, most programs use @{PROC}/[0-9]*/, only sbin.dhclient uses
@{PROC}/self/ according to the profiles in bzr.
Regards,
Christian Boltz
--
* Linux Viruscan.....
Windows 95 found. Remove it? (y/n)
More information about the AppArmor
mailing list