[apparmor] Learning apparmor
Christian Boltz
apparmor at cboltz.de
Mon Dec 17 23:29:55 UTC 2012
Hello,
On Monday, 17 December 2012, John Johansen wrote:
> 4. Once a profile is attached to an application the exec rules in the
> profile determine domain (profile) transitions.
>
> ux - have the child go unconfined (not recommended)
[...]
> px - will use the profile attachment specification and application
> name to attach a profile
[...]
> cx - like cx but use embedded children (local) profiles instead of the
That should probably be "like px", not "like cx" ;-)
Besides that, John forgot to mention Ux, Px and Cx (and Pix, Cix and
PUx). They basically do the same as their lowercase counterparts, but
are more secure because they clean the environment variables
(LD_PRELOAD, PATH etc.) before executing the "child" program.
In other words: It's recommended to use the uppercase variant of the
exec rules (except if a program really needs unmodified environment
variables).
Regards,
Christian Boltz
--
Please don't ruin a perfectly good argument with facts!
[James Knott in opensuse-factory]
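
The recommendation above, turned into a check: an added example (not part of the original message and not AppArmor's own tooling) that scans profile text for the lowercase exec transitions named in the post and reports the uppercase form for each. The sample profile and its paths are constructed, and the rule shape `<path> <permissions>[ -> <target>],` is an assumption of this example.

```python
import re

# Lowercase exec modes and the environment-scrubbing uppercase forms named in the post.
UPPERCASE_FORM = {"ux": "Ux", "px": "Px", "cx": "Cx",
                  "pix": "Pix", "cix": "Cix", "pux": "PUx"}

# Assumed rule shape: "<path> <permissions>[ -> <target>],"
RULE = re.compile(r'^\s*(/\S*|"/[^"]*")\s+([A-Za-z]+)\s*(?:->\s*\S+\s*)?,\s*$')

# Constructed sample profile; every path in it is illustrative only.
SAMPLE_PROFILE = """\
/usr/bin/example {
  /usr/bin/helper px,
  /usr/bin/other Px,
  /usr/lib/example/plugin cx -> plugin,
  /bin/sh ux,
  /usr/bin/tool rPUx,
  /usr/bin/fallback rpix,
  /etc/example.conf r,
  /bin/cat rix,
}
"""

def find_unscrubbed_exec(profile_text):
    """Return (line_no, path, mode, suggestion) for each lowercase exec transition."""
    findings = []
    for line_no, line in enumerate(profile_text.splitlines(), start=1):
        rule = line.split("#", 1)[0]  # drop comments and #include lines
        m = RULE.match(rule)
        if not m:
            continue
        path, perms = m.groups()
        # Remove the file-access letters; what is left is the exec mode, if any.
        mode = re.sub(r"[rwalkm]", "", perms)
        # "ix" (inherit) stays in the same profile and has no uppercase form.
        if mode in UPPERCASE_FORM:
            findings.append((line_no, path, mode, UPPERCASE_FORM[mode]))
    return findings

if __name__ == "__main__":
    for line_no, path, mode, better in find_unscrubbed_exec(SAMPLE_PROFILE):
        print(f"line {line_no}: {path} uses '{mode}', consider '{better}'")
```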