[apparmor] Mapping end-user applications to security contexts
Alberto Mardegan
alberto.mardegan at canonical.com
Tue Aug 27 06:51:03 UTC 2013
On 08/26/2013 09:42 PM, John Johansen wrote:
> yes but is apparmor the right place for this information? It's clearly not part
> of the security policy. However there is a desire to link this information to
> the security policy. So the real question is where is the right place? I am
> just trying to raise issues to help us figure that out
Maybe another possibility would be storing the name of the apparmor
profile in the application .desktop file (I seem to understand that a
single process can have more than one profile, and that this can also
change at runtime -- but we should ensure that every application has at
least one profile which is unique to it, to make the mapping possible).
The problem with this is that the field would be non-standard and would
require patching all the .desktop files for Ubuntu.
A third option would be to have the information stored in separate
files, which are neither .desktop files nor apparmor profiles, and then have
an Ubuntu-specific API to access the information. Maybe a directory
/usr/share/apparmor/applications/ (and ~/.local/share/ for
user-installed apps) could contain files named after the apparmor
profiles, containing just the name (with path) of the .desktop file for
the application.
But then extra care should be taken to ensure that these files don't go
out of sync if apparmor profile names change (though I guess this
doesn't happen often?).
Ciao,
Alberto
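An added example (not code from the thread, Ubuntu or AppArmor) sketching the directory scheme proposed in the third option, including the out-of-sync check from the last paragraph; the directory layout, the profile-to-filename convention and the sample profile names are assumptions:

```python
# Added example, not code from the thread or from AppArmor/Ubuntu: models a
# directory of files named after AppArmor profiles, each holding the path of the
# app's .desktop file. Filename convention for profiles containing slashes is
# assumed, borrowed from /etc/apparmor.d ("/usr/bin/x" -> "usr.bin.x").
import os
import tempfile

def profile_to_filename(profile):
    """Mapping-file name for an AppArmor profile name."""
    return profile.lstrip("/").replace("/", ".")

def parse_confinement(label):
    """Parse /proc/<pid>/attr/current ('name (mode)' or 'unconfined') -> (profile, mode)."""
    label = label.strip()
    if label == "unconfined" or not label.endswith(")") or " (" not in label:
        return label, None
    profile, mode = label[:-1].rsplit(" (", 1)
    return profile, mode

def resolve_desktop(profile, mapping_dirs):
    """Return the .desktop path for profile from the first mapping dir that has one."""
    for d in mapping_dirs:  # e.g. the user's ~/.local/share dir before /usr/share
        path = os.path.join(d, profile_to_filename(profile))
        if os.path.isfile(path):
            with open(path) as f:
                return f.read().strip() or None
    return None

def stale_mappings(mapping_dir, loaded_profiles):
    """Mapping files whose profile is not loaded or whose .desktop no longer exists."""
    loaded = {profile_to_filename(p) for p in loaded_profiles}
    stale = []
    for name in sorted(os.listdir(mapping_dir)):
        desktop = resolve_desktop(name, [mapping_dir])
        if name not in loaded or desktop is None or not os.path.isfile(desktop):
            stale.append(name)
    return stale

def _write(path, text):
    with open(path, "w") as f:
        f.write(text)

def build_sample():
    """Constructed layout in a temp dir: one valid mapping and one stale one."""
    root = tempfile.mkdtemp()
    apps = os.path.join(root, "applications")
    os.mkdir(apps)
    desktop = os.path.join(root, "evince.desktop")
    _write(desktop, "[Desktop Entry]\nName=Evince\n")
    _write(os.path.join(apps, profile_to_filename("/usr/bin/evince")), desktop + "\n")
    _write(os.path.join(apps, "old-app"), os.path.join(root, "gone.desktop") + "\n")
    return apps, ["/usr/bin/evince", "firefox"]
```

On a real system the second return value of `build_sample` would instead come from /sys/kernel/security/apparmor/profiles, and the label passed to `parse_confinement` from a process's /proc/<pid>/attr/current.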