[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined

Jamie Strandboge jamie at canonical.com
Fri Jun 20 22:08:09 UTC 2014


On 06/20/2014 04:20 PM, Steve Beattie wrote:
> On Fri, Jun 20, 2014 at 10:17:26AM -0700, John Johansen wrote:
>> If any of the hats use the base provided abstraction they are going to
>> get signals and tracing from unconfined anyways.
> 
> Not if they're using trunk's abstractions/base:
> 
>   $ bzr up
>   All changes applied successfully.
>   Updated to revision 2542 of branch bzr+ssh://bazaar.launchpad.net/+branch/apparmor
>   $ grep signal profiles/apparmor.d/abstractions/base
>   $
> 
> So we on the ubuntu side need to push the patch that adds that to
> abstractions/base.
> 
Hrmm, this was clearly an oversight on my part:

  [ Jamie Strandboge ]
  * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
    Adjust the base abstraction for signals and ptrace mediation. Profiles
    that use the base abstraction can deny any of the granted permissions to
    achieve tighter confinement.

I've taken a todo to post this to the list. Sorry...

-- 
Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140620/97072d1e/attachment.pgp>


More information about the AppArmor mailing list