[apparmor] prompt qualifier?

John Johansen john.johansen at canonical.com
Fri Nov 9 17:17:11 UTC 2012


With the work on trusted userspace helpers now proceeding, it raises the
question as to whether profiles should be able to provide hints to the
helper what resources can be asked for.

Take for example a trusted file picker that will be used to extend a
sandboxed application.

The file picker could extend the sandbox with anything that it can access,
but we may want to be able to tell the trusted file picker that the profile
should only be able to ask for a certain type/set of files.

We could do this by extending the profile syntax with an "ask" or "prompt"
qualifier (or some other word that better matches the intent). It would be
mutually exclusive to the deny/allow qualifier and a lower priority so that
any allow or deny rule would override it.

  e.g.

     prompt @{HOME}/Documents/** rw,

would allow a profile to specify that the trusted picker can be used to
pick files from the user's documents.

We do need to be careful with this as the kernel can't enforce this, nor will
it be available for all types (capabilities, ...), nor will it even work
for regular file accesses, only for applications that go through an API to
reach the trusted picker.

There is the possibility of extending this for some permission requests as
a kernel call out to a userspace daemon at some point in the future, but
that is NOT what I am proposing providing atm nor should we assume such
an ability will ever happen.
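
The precedence the post proposes (any allow or deny rule overrides a prompt rule, and prompt is only a hint consumed by a userspace helper, never enforced by the kernel) can be made concrete with a small resolver. The code below is an added illustration, not AppArmor code and not part of the original message: the `prompt` qualifier is the proposed syntax, not an implemented feature; the profile text, the `@{HOME}` expansion, and the function names (`parse_rule`, `resolve`, `picker_may_offer`) are assumptions made for the example, and the glob translation covers only `*`, `**`, `?` and `{a,b}`.

```python
import re
from dataclasses import dataclass

# Assumed variable expansion; a real parser takes this from the policy.
VARIABLES = {"@{HOME}": "/home/alice"}


@dataclass(frozen=True)
class Rule:
    qualifier: str        # "allow", "deny" or "prompt" (proposed, hypothetical)
    pattern: re.Pattern   # anchored regex built from the path glob
    perms: frozenset      # e.g. frozenset({"r", "w"})


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate a simplified AppArmor-style path glob to an anchored regex.
    '**' spans directory separators, '*' and '?' do not, '{a,b}' alternates."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'prompt @{HOME}/Documents/** rw,'; no qualifier means allow."""
    tokens = line.strip().rstrip(",").split()
    qualifier = "allow"
    if tokens[0] in ("allow", "deny", "prompt"):
        qualifier = tokens.pop(0)
    path, perms = tokens
    for var, value in VARIABLES.items():   # expand before glob translation
        path = path.replace(var, value)
    return Rule(qualifier, glob_to_regex(path), frozenset(perms))


def resolve(rules, path: str, perm: str) -> str:
    """Decide one permission on one path with the post's precedence:
    deny beats allow, both beat prompt, and no match at all is 'none'
    (nothing granted, nothing to ask for)."""
    matched = {r.qualifier for r in rules
               if perm in r.perms and r.pattern.match(path)}
    for q in ("deny", "allow", "prompt"):
        if q in matched:
            return q
    return "none"


def picker_may_offer(rules, path: str, perms: str) -> bool:
    """The hint a trusted file picker could consume: a file is offerable only
    if every requested permission resolves to 'prompt'.  An explicit deny
    inside a prompt region therefore removes the file from what the picker
    may hand out, and an explicit allow means no prompt is needed."""
    return all(resolve(rules, path, p) == "prompt" for p in perms)


# Constructed sample profile fragment written in the proposed syntax.
PROFILE = """
  prompt @{HOME}/Documents/** rw,
  deny @{HOME}/Documents/private/** rw,
  @{HOME}/Documents/public/* r,
  deny @{HOME}/.ssh/** rw,
"""
RULES = [parse_rule(l) for l in PROFILE.splitlines() if l.strip()]

if __name__ == "__main__":
    for path in ("/home/alice/Documents/report.odt",
                 "/home/alice/Documents/private/tax.pdf",
                 "/home/alice/Documents/public/readme.txt",
                 "/home/alice/.ssh/id_rsa",
                 "/home/alice/Pictures/cat.png"):
        decisions = {p: resolve(RULES, path, p) for p in "rw"}
        print(f"{path:45} {decisions} picker={picker_may_offer(RULES, path, 'rw')}")
```

Resolution is done per permission bit, as AppArmor itself does, so a path can be `allow` for `r` and `prompt` for `w` at the same time; the picker helper then only asks about the bits that are not already granted or denied.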
