[apparmor] [PATCH 08/36] apparmor: provide the ability to boot with a default profile set on init
Seth Arnold
seth.arnold at canonical.com
Thu May 9 00:40:21 UTC 2013
On Wed, May 01, 2013 at 02:30:53PM -0700, John Johansen wrote:
> --- a/security/apparmor/Kconfig
> +++ b/security/apparmor/Kconfig
> @@ -29,3 +29,14 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
> boot.
>
> If you are unsure how to answer this question, answer 1.
> +
> +config SECURITY_APPARMOR_UNCONFINED_INIT
> + bool "Set init to unconfined on boot"
> + depends on SECURITY_APPARMOR
> + default y
> + help
> + This option determines policy behavior during early boot by
> + placing the init process in the unconfined state, or the
> + 'default' profile.
> +
> + If you are unsure how to answer this question, answer Y.
I think this description needs some enhancement; I thought the boolean
was the other way around until I thought I spotted a bug with a ! in
the conditionals.
How about:
> + This option determines policy behavior during early boot by
> + placing the init process in the unconfined state, or the
> + 'default' profile.
> +
> + 'Y' means init and its children are not confined, and never
> + can be confined; loaded policy will only apply to processes
> + started afterwards.
> +
> + 'N' means init and its children are confined in a profile
> + named 'default', which can be replaced later and thus
> + provide for confining even processes started early at boot,
> + though not confined during early boot. This can provide for
> + complete system confinement.
> +
> + If you are unsure how to answer this question, answer Y.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130508/a2a9c4ae/attachment.pgp>
More information about the AppArmor
mailing list