[apparmor] Apparmor rules for dconf confinement
Jamie Strandboge
jamie at canonical.com
Wed May 27 19:37:50 UTC 2015
On 05/27/2015 12:22 PM, William Hua wrote:
> Hi,
>
Hi!
> Currently, there's no way in AppArmor to sandbox applications from
> accessing any setting in a user's dconf database other than preventing
> access altogether. We want to add a new rule to the policy format to
> permit this. Here's the proposed syntax:
>
> [audit] dconf <dconf-path> [r|rw],
>
I'll let others comment on the kernel patch, but I'm wondering if explicit deny
rules make sense for dconf? I'm not sure why they wouldn't; this would change
the above to:

[audit] [deny] dconf <dconf-path> [r|rw],

--
Jamie Strandboge http://www.ubuntu.com/
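
Added example, not part of the original message and not AppArmor's own code: a small parser and evaluator for the rule grammar quoted above, showing how an explicit deny rule carves a subtree out of a broader allow. The matching semantics (a path ending in "/" covers the whole dconf directory, and deny overrides allow as AppArmor does for file rules) are assumptions, and the sample policy and keys are constructed.

```python
import re

# Grammar from the thread: [audit] [deny] dconf <dconf-path> [r|rw],
RULE_RE = re.compile(
    r"^\s*(?P<audit>audit\s+)?(?P<deny>deny\s+)?dconf\s+"
    r"(?P<path>/\S*)\s+(?P<perm>rw|r)\s*,\s*$"
)

def parse_rule(line):
    """Parse one rule line; raise ValueError if it does not fit the grammar."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a dconf rule: {line!r}")
    return {
        "audit": bool(m.group("audit")),
        "deny": bool(m.group("deny")),
        "path": m.group("path"),
        "perms": set(m.group("perm")),  # "rw" -> {"r", "w"}
    }

def covers(rule_path, key):
    # ASSUMPTION: a rule path ending in "/" covers every key below that
    # dconf directory; any other rule path matches one key exactly.
    if rule_path.endswith("/"):
        return key.startswith(rule_path)
    return key == rule_path

def check(rules, key, perm):
    """Return 'allow' or 'deny' for perm ('r' or 'w') on a dconf key."""
    hits = [r for r in rules if perm in r["perms"] and covers(r["path"], key)]
    # ASSUMPTION: an explicit deny overrides any allow, as for file rules.
    if any(r["deny"] for r in hits):
        return "deny"
    # No matching rule at all means no access (default deny).
    return "allow" if hits else "deny"

# Constructed sample policy: broad allow with a denied subtree.
POLICY = [parse_rule(line) for line in [
    "dconf /org/gnome/desktop/ rw,",
    "audit deny dconf /org/gnome/desktop/lockdown/ rw,",
]]
```

Without the deny form, the same policy would have to enumerate every directory under /org/gnome/desktop/ except lockdown/.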