[apparmor] [PATCH 10/16] AppArmor: Make chroot relative the default path lookup type
Kees Cook
kees at ubuntu.com
Wed Feb 22 20:39:53 UTC 2012
On Wed, Feb 22, 2012 at 09:10:35AM -0800, John Johansen wrote:
> Profiles that want name lookup past the chroot to the namespace root
> must be marked as such, all other profiles should be chroot relative.
>
> Currently the autogenerated null (learning), and unconfined profiles are
> not marked as such. Make sure they are properly flagged. This should not
> affect behavior except for auto-generated profiles when a chroot is entered.
> Profiles loaded from userspace will not be affected as they provide their
> own value for the flag.
>
> This change does not affect mediation as it only changes the path reported by
> the unconfined (non-mediating), and null learning profiles.
>
> Also ensure that if a profile is ever loaded without path flags set, that
> it defaults to being chroot relative.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Signed-off-by: Kees Cook <kees at ubuntu.com>
--
Kees Cook