[apparmor] [PATCH RFC] Add profile-based libapparmor query interface
Seth Arnold
seth.arnold at canonical.com
Thu Mar 7 22:52:06 UTC 2013
On Tue, Mar 05, 2013 at 10:44:35PM -0800, Tyler Hicks wrote:
> + *allowed = mask & (allow & ~deny) ? 1 : 0;
> + if (!(*allowed))
> + audit = 0xFFFFFFFF;
> + *audited = mask & (audit & ~quiet) ? 1 : 0;
> +
> + return 0;
> +}
When I first saw this, I thought it through, and it made sense.
But it kept me awake last night, wondering about it.
It conflates the two concepts of "report this denial as usual" and "the
admin has written policy asking for this to be reported".
So long as everything is reported, the right thing happens in the end.
But I could easily see a trusted program wanting to rate limit the
"usual denials" to one per {client, method} per second. But if the
admin has asked specific resource denials to be audited, perhaps it
ought to log on every attempt, regardless of rate limiting?
Am I just overcomplicating things?
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130307/08157add/attachment.pgp>
More information about the AppArmor
mailing list