[apparmor] File rule question
Steve Beattie
steve at nxnw.org
Mon Mar 12 17:58:10 UTC 2012
On Sat, Mar 10, 2012 at 05:50:38PM -0800, John Johansen wrote:
> So in 2.8 the ability to specify all files via
>
> file,
(As an aside, I missed when this syntactic sugar went in, I think. I'd
actually prefer the syntax to be a little more explicit and add an
'all' keyword, e.g. file all, capability all, network all, etc. I
realize this isn't quite in alignment with how our existing network
rules work, but they're an intermediate step that we eventually hope
to replace someday.)
> instead of having to do
>
> /** rwlkmix,
>
> the question is should this short cut provide all those permissions or should
> we separate out exec permissions. It seems odd to me that saying you have
> access to all files means you also can exec anything even if it remains
> confined by the current profile.
As Seth pointed out, with the exception of setuid/setgid binaries,
it's not a significant extension over 'wm' in terms of abilities. So I
think this is okay.
I do wonder if Pix would be a more sane default.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120312/12daf5ba/attachment.pgp>
More information about the AppArmor
mailing list