[apparmor] Learning apparmor
Diane Trout
diane at ghic.org
Mon Dec 17 04:11:24 UTC 2012
Hi,
I was trying to wrap a third-party application using apparmor and had a few questions.
(I was trying to wrap http://spectrum.im; I put my experimental profiles at https://github.com/detrout/apparmor-det)
1) Are there common patterns for letting a manager program control its children? As I was debugging the package it wanted things like "capability nice", and permission to look at /proc/child/statm.
2) To protect an application that has several separate executables, does each piece need to be in a separate apparmor file? E.g. usr.bin.manager and usr.sbin.daemon? Or is there some way of using one profile?
3) If you've got multiple profiles, then can you put application-specific shared pieces in apparmor.d/abstractions? Or is there some better way of sharing common permissions (like logging & reading config files)?
Diane