[apparmor] default profile

John Johansen john.johansen at canonical.com
Mon May 13 21:47:39 UTC 2013


On 05/13/2013 02:24 PM, Jamie Strandboge wrote:
> On 05/13/2013 03:38 PM, John Johansen wrote:
>> so one more issue around this
>>
>> the current proc attr interface doesn't specify a mode for a profile with the name of unconfined.
>>
> Was this intentional? If so, why?
> 
yes, for backwards compatibility reasons.

originally unconfined was not a profile, it was just a mode. There was
no tracking of unconfined processes.

This got changed in 2.3 when namespaces were introduced (as an experimental
feature). The unconfined state needed to be tracked on a per namespace
basis, so a special unconfined profile was used, but the interface remained
the same.

As we already support
<profile> (<mode>)

in the tools moving to this universally should not break existing tools,
though it may break the special casing they do for unconfined.

Eg. If we output
unconfined (unconfined)

this would cause aa-status to not correctly report its last line which is
X processes are unconfined and currently have a profile defined.

And the aa-unconfined tool
would not correctly report processes as not confined.

But neither tool outright breaks either because they expect the profile (mode)
output for everything not unconfined already. There is also already a need
to update these tools as neither of them correctly supports the unconfined
mode, i.e. when we have a default profile that has not been replaced.

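As an added example (not code from the post or from the AppArmor tools), here is a parser for the /proc/<pid>/attr/current output that accepts both the legacy bare "unconfined" line and the proposed "unconfined (unconfined)" form, and a summary in the spirit of aa-status's counters, including the "unconfined but have a profile defined" line and the "default profile not replaced" case the post says neither tool handles yet. The attr contents, the set of loaded profile names and the profile name used for the default profile are constructed for the example.

```python
# Added example: parsing the AppArmor proc attr interface robustly.
# Not part of the original post or of the AppArmor tools.


def parse_attr_current(text):
    """Parse the contents of /proc/<pid>/attr/current.

    The interface writes "<profile> (<mode>)" for confined processes, but the
    legacy output for an unconfined process is a bare "unconfined" with no
    mode. Returns (profile, mode) with the bare form normalised to
    ("unconfined", "unconfined") so callers need no special case.
    """
    text = text.rstrip("\n")
    if text.endswith(")") and " (" in text:
        # Split on the last " (" so a profile name containing spaces survives.
        profile, _, mode = text.rpartition(" (")
        mode = mode[:-1]            # drop the closing ")"
    else:
        profile, mode = text, None

    if mode is None:
        if profile == "unconfined":
            mode = "unconfined"     # legacy bare "unconfined" line
        else:
            raise ValueError("missing mode in attr/current: %r" % text)
    return profile, mode


def is_unconfined(text):
    """True when the process is running without enforcement of any kind.

    Works for both "unconfined" and "unconfined (unconfined)" outputs, which is
    the check aa-unconfined needs if the interface starts printing a mode.
    """
    profile, mode = parse_attr_current(text)
    return profile == "unconfined" and mode == "unconfined"


def summarize(procs, loaded_profiles):
    """Count processes per confinement state, aa-status style.

    procs: iterable of (pid, attr_current_contents, exe_path).
    loaded_profiles: names (attachments) of profiles currently loaded, used
    for the "unconfined but have a profile defined" line.
    A process with a real profile name but mode "unconfined" is the
    "default profile not replaced" case and is counted separately.
    """
    counts = {"enforce": 0, "complain": 0, "unconfined": 0,
              "unconfined_with_profile": 0, "default_profile": 0}
    for _pid, attr, exe in procs:
        profile, mode = parse_attr_current(attr)
        if mode == "unconfined":
            if profile == "unconfined":
                counts["unconfined"] += 1
                if exe in loaded_profiles:
                    counts["unconfined_with_profile"] += 1
            else:
                counts["default_profile"] += 1
        else:
            counts[mode] = counts.get(mode, 0) + 1
    return counts


# Constructed sample input (pid, attr/current contents, executable path).
SAMPLE_PROCS = [
    (1234, "unconfined\n", "/usr/sbin/sshd"),              # legacy output
    (1235, "unconfined (unconfined)\n", "/bin/bash"),       # proposed output
    (1236, "/usr/sbin/cupsd (enforce)\n", "/usr/sbin/cupsd"),
    (1237, "/usr/sbin/tcpdump (complain)\n", "/usr/sbin/tcpdump"),
    # Hypothetical default profile that was never replaced: named, but in
    # unconfined mode. The name "default" is an assumption for the example.
    (1238, "default (unconfined)\n", "/usr/bin/foo"),
]

# Constructed set of loaded profile names; sshd has one but runs unconfined.
LOADED_PROFILES = {"/usr/sbin/sshd", "/usr/sbin/cupsd", "/usr/sbin/tcpdump"}


if __name__ == "__main__":
    for pid, attr, _exe in SAMPLE_PROCS:
        print(pid, parse_attr_current(attr), "unconfined" if is_unconfined(attr) else "")
    print(summarize(SAMPLE_PROCS, LOADED_PROFILES))
```

With the sample above, both pid 1234 and 1235 are reported as unconfined regardless of which output format the kernel used, cupsd and tcpdump are counted under their modes, sshd is the one unconfined process that has a profile defined, and pid 1238 is counted as a default profile that has not been replaced rather than as unconfined.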