[apparmor] Apparmor rules for dconf confinement

William Hua william.hua at canonical.com
Thu Jun 11 17:18:09 UTC 2015


Added aa_query_label() support and tests. Haven't changed the kernel
patch, but attaching it again for reference.



On 2015-06-05 10:03 AM, William Hua wrote:
> Sorry about the delay. Here's a second pass at the original pass,
> with fewer memory allocations, and a more general API for
> requesting data in general.
> 
> The corresponding apparmor branch is at 
> https://code.launchpad.net/~attente/apparmor/dconf-rules-4.
> 
> 
> 
> On 2015-06-05 09:12 AM, Simon McVittie wrote:
>> On 05/06/15 12:13, John Johansen wrote:
>>> On 05/29/2015 09:29 AM, Simon McVittie wrote:
>>>> Here's a sketch of how [polkit mediation] could look, for 
>>>> instance:
>>>> 
>>>> audit polkit action=org.freedesktop.udisks2.filesystem-mount,
>>>> audit deny polkit \
>>>>     action=org.freedesktop.udisks2.filesystem-mount-system,
>>>> 
>>>> or if the syntax in policy files was entirely generic,
>>>> perhaps something more like:
>>>> 
>>>> userspace class=polkit \
>>>>     action=org.freedesktop.udisks2.filesystem-mount,
>>>> audit deny userspace class=polkit \
>>>>     action=org.freedesktop.udisks2.filesystem-mount-system,
>>>> 
>>>> Does this sound like a reasonable generalization?
>>>> 
>>> generally speaking, yes :)
>>> 
>>> I can't say when polkit will get patched but I expect it will 
>>> happen sooner than later.
> 
>> If this becomes something that is concretely required, please
>> talk to the polkit mailing list - the polkit developers ought to
>> have an opportunity to review this. I've subscribed to that list
>> to be able to give D-Bus advice.
> 
>> My colleague Philip Withnall and I are not (currently) polkit 
>> maintainers, but we would potentially be interested in reviewing 
>> and/or helping with implementation for this feature.
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apparmor-add-data-query-support.patch
Type: text/x-patch
Size: 10737 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150611/5a950f94/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apparmor-dconf.patch
Type: text/x-patch
Size: 31280 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150611/5a950f94/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apparmor-add-data-query-support.patch.sig
Type: application/pgp-signature
Size: 287 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150611/5a950f94/attachment-0002.pgp>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apparmor-dconf.patch.sig
Type: application/pgp-signature
Size: 287 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150611/5a950f94/attachment-0003.pgp>

