[apparmor] [PATCH 08/36] apparmor: provide the ability to boot with a default profile set on init
John Johansen
john.johansen at canonical.com
Thu May 9 09:40:01 UTC 2013
On 05/08/2013 05:40 PM, Seth Arnold wrote:
> On Wed, May 01, 2013 at 02:30:53PM -0700, John Johansen wrote:
>> --- a/security/apparmor/Kconfig
>> +++ b/security/apparmor/Kconfig
>> @@ -29,3 +29,14 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
>> boot.
>>
>> If you are unsure how to answer this question, answer 1.
>> +
>> +config SECURITY_APPARMOR_UNCONFINED_INIT
>> + bool "Set init to unconfined on boot"
>> + depends on SECURITY_APPARMOR
>> + default y
>> + help
>> + This option determines policy behavior during early boot by
>> + placing the init process in the unconfined state, or the
>> + 'default' profile.
>> +
>> + If you are unsure how to answer this question, answer Y.
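Review bot: the help text under `help` in the new `SECURITY_APPARMOR_UNCONFINED_INIT` entry never says which value maps to which behaviour; "placing the init process in the unconfined state, or the 'default' profile" reads as if both outcomes are possible for either setting, so a reader cannot tell whether Y means unconfined or means the 'default' profile. Spell out both cases explicitly, e.g. "Y: init and its children are unconfined and cannot be confined later; N: init runs in a profile named 'default' that loaded policy can replace." Since `default y` ships the unconfined behaviour, the help should also make clear that N is the setting required for confining processes started early in boot, so an administrator choosing the default understands what it gives up.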
>
> I think this description needs some enhancement; I thought the boolean
> was the other way around until I thought I spotted a bug with a ! in
> the conditionals.
>
> How about:
>
>> + This option determines policy behavior during early boot by
>> + placing the init process in the unconfined state, or the
>> + 'default' profile.
>> +
>> + 'Y' means init and its children are not confined, and never
>> + can be confined; loaded policy will only apply to processes
>> + started afterwards.
>> +
>> + 'N' means init and its children are confined in a profile
>> + named 'default', which can be replaced later and thus
>> + provide for confining even processes started early at boot,
>> + though not confined during early boot. This can provide for
>> + complete system confinement.
>> +
>> + If you are unsure how to answer this question, answer Y.
>
> Thanks
>
Sure, that's better.