[apparmor] dbus/pair address rule encoding
Jamie Strandboge
jamie at canonical.com
Thu May 9 21:49:26 UTC 2013
On 05/09/2013 04:41 PM, John Johansen wrote:
> On 05/09/2013 02:12 PM, Jamie Strandboge wrote:
>> Since <access> *always* applies to <subject>, maybe it makes sense to
>> have it be next to it. Ie:
>>
>> dbus [<subject>] <access> [<peer>],
>>
>> such that:
>>
>> profile subject {
>> dbus name=well.known.address acquire,
>> dbus name=well.known.address receive,
>> dbus send -> name=a.peer.address,
>> dbus receive -> name=a.peer.address,
>>
>> # get as specific as you like:
>> dbus name=... interface=... (send, receive) -> name=... path=...,
>> }
>>
> that is a possibility, though it breaks with the "syntax" of having the
> permission at the end of the rule. This is actually a case where the
> permission at the start of the rule makes more sense than at the tail.
>
> (send, receive) dbus name=... interface=... -> name=... path=...,
>
> of course I'd like to hear Seth and Steve's input on that
>
Personally, I would be ok with it at the beginning-- it is still close
to the subject. Having the access after the subject feels more
consistent with my profiling habits, but I think I could live with
access first. I'll let others comment.
--
Jamie Strandboge http://www.ubuntu.com/