[apparmor] [PATCH 2/4] 0002-aa-easyprof-policy.patch

Jamie Strandboge jamie at canonical.com
Tue Feb 7 16:58:18 UTC 2012


On Tue, 2012-02-07 at 16:50 +0100, Christian Boltz wrote:
> Hello,
> 
> On Tuesday, 7 February 2012, Jamie Strandboge wrote:
> > diff -Naurp -x .bzr -x common apparmor-trunk/utils/easyprof/policygroups/opt-application apparmor-trunk-easyprof/utils/easyprof/policygroups/opt-application
> > --- apparmor-trunk/utils/easyprof/policygroups/opt-application  1969-12-31 18:00:00.000000000 -0600
> > +++ apparmor-trunk-easyprof/utils/easyprof/policygroups/opt-application 2012-02-06 16:39:38.000000000 -0600
> > @@ -0,0 +1,3 @@
> > +# Policy group for applications installed in /opt
> > +/opt/@{APPNAME}/ r,
> > +/opt/@{APPNAME}/** mrlk,
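
Review bot: the `/opt/@{APPNAME}/** mrlk,` rule grants link (`l`) and lock (`k`) but not write (`w`), and the one-line header comment does not say why either is needed. If the group is meant to be read-only apart from mmap and locking, `mrk` states that more clearly; if applications are expected to keep writable state under `/opt/@{APPNAME}/`, add `w` alongside `l` and say so in the comment. Since `m` covers the whole tree, the comment should also note that exec is left out on purpose.
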
> 
> Is the "l" permission really needed for /opt?

Maybe? I thought it conceivable that applications might have their own
tmp directory in /opt which is why I added 'l' (i.e., we do that in the
user-tmp abstraction). Of course, that falls apart because I forgot 'w'.
Maybe I'll drop 'l' for now and add 'l' if we need 'w' later on. It is
not known if this is strictly required, but the point of this
policy-group is to make sure that applications can do mostly whatever
they need to in /opt/@{APPNAME}/ (excepting execs). We'll know more when
people start trying to use the aa-easyprof.

-- 
Jamie Strandboge             | http://www.canonical.com