[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined

Steve Beattie steve at nxnw.org
Fri Jun 20 21:20:09 UTC 2014

On Fri, Jun 20, 2014 at 10:17:26AM -0700, John Johansen wrote:
> If any of the hats use the base provided abstraction they are going to
> get signals and tracing from unconfined anyways.

Not if they're using trunk's abstractions/base:

  $ bzr up
  All changes applied successfully.
  Updated to revision 2542 of branch bzr+ssh://bazaar.launchpad.net/+branch/apparmor
  $ grep signal profiles/apparmor.d/abstractions/base

So we on the ubuntu side need to push the patch that adds that to

> So I think it makes sense to have this as the default for apache
> hats, and if the user really wants something tighter they will need
> to tweak policy.

I expect that most hats will include abstractions/base. And if they
want it tighter, then they can do as you say, tweak policy.

Steve Beattie
<sbeattie at ubuntu.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140620/343e1f70/attachment.pgp>

More information about the AppArmor mailing list