[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined

John Johansen john.johansen at canonical.com
Fri Jun 20 17:17:26 UTC 2014

On 06/18/2014 05:44 PM, Steve Beattie wrote:
> Allow apache hats to receive signals from unconfined.
> [I'm on the fence about this. On the one hand, unconfined should be able
> to kill thing in hats. On the other, using apache2ctl/apachectl is
> preferred to shutdown apache, and it uses the apache binary itself (and
> the profile it runs under) to kill its children.]
Generally speaking taking away signals from unconfined is unexpected and
can really break the system, its really unexpected for most sysadmins. So
the general rule for includes has been to mimic the old unconfined behavior,
and if tighter confinement is needed then a profile can use denies or not
use the base includes we supply.

If any of the hats use the base provided abstraction they are going to
get signals and tracing from unconfined anyways. So I think it makes sense
to have this as the default for apache hats, and if the user really wants
something tighter they will need to tweak policy.

More information about the AppArmor mailing list