[apparmor] default profile

John Johansen john.johansen at canonical.com
Fri May 10 22:02:52 UTC 2013


On 05/10/2013 11:24 AM, John Johansen wrote:

<< snip >>

> 3. Profile/Namespace removal
> Currently when a profile or namespace is removed, the tasks that were
> confined by the profile inherit the unconfined profile.
> 
> If the default profile is selected, should this be inherited instead of
> the unconfined profile?
> 

I just thought of another problem with making default be the one inherited.

What if it is removed?

The unconfined profile is special and is immutable. The default profile
can be removed currently, in which case it inherits unconfined.

There are some solutions to this
- keep the current behavior and fall back to unconfined
- tag the "default" profile so that if it is removed it is just marked
  as unconfined, not actually removed

Also, currently the unconfined profile doesn't show up on the profile list
while the default does. Does anyone foresee an issue if we make it so
that it can't be removed, i.e. it just falls back to the unconfined behavior?


The other issue is around stacking of namespaces for containers: currently
the parameter affects the container as well. We need to think about whether
we need to make this controllable at the namespace level (probably).

- my guess is to inherit the behavior of the parent but allow it to be set
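Added example, not code from the original post or from AppArmor itself: a small
model of the removal question above. It parses the label text the kernel reports
in /proc/<pid>/attr/current (assumed forms: "unconfined",
"/usr/sbin/cupsd (enforce)", ":ns:profile (complain)"), lists which tasks would
lose confinement if a given profile were removed, and applies the two options
from the message: drop the profile and relabel its tasks unconfined (current
behavior), or keep a "tagged" profile on the list that behaves as unconfined.
The profile table, the PIDs and the label strings are constructed sample data.

```python
"""Model of task relabelling when an AppArmor profile is removed.

Added example, not AppArmor code.  Label format and sample data are
assumptions described in the lead-in; the profile table is a single
(root) namespace, so labels carrying a ":ns:" prefix are left alone.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

UNCONFINED = "unconfined"

# Optional ":namespace:" prefix, then the profile name, then an optional
# " (mode)" suffix.  A bare "unconfined" label carries no mode suffix.
_LABEL_RE = re.compile(
    r"^(?::(?P<ns>[^:\s]+):)?(?P<profile>\S+?)(?: \((?P<mode>\w+)\))?$")


@dataclass(frozen=True)
class Label:
    ns: Optional[str]
    profile: str
    mode: Optional[str]

    def __str__(self) -> str:
        head = f":{self.ns}:{self.profile}" if self.ns else self.profile
        return f"{head} ({self.mode})" if self.mode else head


def parse_label(text: str) -> Label:
    """Parse one /proc/<pid>/attr/current value (trailing newline tolerated)."""
    m = _LABEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised label: {text!r}")
    return Label(m.group("ns"), m.group("profile"), m.group("mode"))


def tasks_confined_by(tasks: dict[int, Label], ns: Optional[str],
                      profile: str) -> list[int]:
    """PIDs whose confinement comes from (ns, profile): the tasks that would
    silently become unconfined if that profile were removed today."""
    return sorted(pid for pid, lb in tasks.items()
                  if lb.ns == ns and lb.profile == profile)


def remove_profile(profiles: dict[str, str], tasks: dict[int, Label],
                   name: str, tag_instead: bool = False) -> dict[int, Label]:
    """Remove `name` from the root-namespace profile table (mutated in place)
    and return the relabelled task map.

    Current behavior: the profile is dropped and its tasks inherit unconfined.
    tag_instead: the profile stays on the list but is marked unconfined, so
    tasks keep their label and nothing is actually removed.
    """
    if name == UNCONFINED:
        raise PermissionError("the unconfined profile is immutable")
    if name not in profiles:
        raise KeyError(name)

    def affected(lb: Label) -> bool:
        return lb.ns is None and lb.profile == name

    if tag_instead:
        profiles[name] = UNCONFINED
        return {pid: (Label(None, name, UNCONFINED) if affected(lb) else lb)
                for pid, lb in tasks.items()}
    del profiles[name]
    return {pid: (Label(None, UNCONFINED, None) if affected(lb) else lb)
            for pid, lb in tasks.items()}


# Constructed sample: pid -> text as it would be read from /proc/<pid>/attr/current
SAMPLE_ATTR_CURRENT = {
    1: "unconfined\n",
    812: "/usr/sbin/cupsd (enforce)\n",
    901: "default (enforce)\n",
    902: "default (complain)\n",
    1200: ":lxd-c1:default (enforce)\n",   # same name, different namespace
}
# Constructed root-namespace profile table: name -> mode
PROFILES = {"/usr/sbin/cupsd": "enforce", "default": "enforce"}


def demo() -> None:
    tasks = {pid: parse_label(t) for pid, t in SAMPLE_ATTR_CURRENT.items()}
    print("tasks confined by root 'default':",
          tasks_confined_by(tasks, None, "default"))
    after = remove_profile(dict(PROFILES), tasks, "default")
    for pid in (901, 1200):
        print(f"after removal pid {pid}: {after[pid]}")
    tagged = remove_profile(dict(PROFILES), tasks, "default", tag_instead=True)
    print(f"tagged option pid 901: {tagged[901]}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the point of the thread: under the current behavior PIDs 901 and 902 end up with the plain "unconfined" label, the namespaced task 1200 is untouched, and under the tagged option the label survives as "default (unconfined)" so the profile never leaves the list.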
