[apparmor] [Patch] mod_apparmor: try uri hat after AADefaultHatName, not before

Steve Beattie steve at nxnw.org
Fri Jun 13 06:41:46 UTC 2014


On Thu, Jun 12, 2014 at 06:12:09PM -0700, John Johansen wrote:
> The problem is that mod_apparmor had a behavior that all profiles developed
> for it depend on.

It's not true for *all* mod_apparmor profiles — I personally make
use of AAHatName's features on a couple of different hosts — but yes,
I think it affects the most common usages out there, given the lack
of good complex example setups out there.

> A change was made based off of documentation (not
> implementation) that broke a lot of people. As much as I don't like that
> error, and the name confusion it causes, that is what exists.
> 
> At this point we need to accept the old behavior as the behavior and
> move forward (fix the regression and the documentation). We can introduce
> a new feature/hat type to introduce new behavior (i.e. AAAfterURLHatName)
> but we should stay backwards compatible with existing policy.

I'm personally less and less convinced of the utility of the URI based
hat names, especially if we add support for the Files directives. But
I also don't want to break the odd two or three people in the world
that have URI based hats, so I don't think they should go away.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/