[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined

Steve Beattie steve at nxnw.org
Fri Jun 20 21:20:09 UTC 2014


On Fri, Jun 20, 2014 at 10:17:26AM -0700, John Johansen wrote:
> If any of the hats use the base provided abstraction they are going to
> get signals and tracing from unconfined anyways.

Not if they're using trunk's abstractions/base:

  $ bzr up
  All changes applied successfully.
  Updated to revision 2542 of branch bzr+ssh://bazaar.launchpad.net/+branch/apparmor
  $ grep signal profiles/apparmor.d/abstractions/base
  $

So we on the Ubuntu side need to push the patch that adds that to
abstractions/base.

> So I think it makes sense to have this as the default for apache
> hats, and if the user really wants something tighter they will need
> to tweak policy.

I expect that most hats will include abstractions/base. And if they
want it tighter, then they can do as you say, tweak policy.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/