[apparmor] Apparmor rules for dconf confinement

John Johansen john.johansen at canonical.com
Tue Oct 6 17:09:56 UTC 2015

On 06/25/2015 03:08 PM, William Hua wrote:
> Here's one more pass of the kernel and apparmor patches with all the
> changes you requested, John. Thanks for your patch, I copied it into
> the old one nearly verbatim without much trouble.
Sorry for the extremely long turn around time on these

I am going to reply with a reworked patch queue, it is not functioning
though it shouldn't be too far from working. It reorders and reworks
things, and addresses a few bigger issues.

Specifically it moves the parsed language back to an apparmor style
instead of dconf style. Currently it extracts only a "/" watch point
as data for each rule, so the data loaded will only be for "/".
I need to finish up the fn to extract the exact/closest approximate
watch point from the rule.

The data passed in is a set of paths only. It is not split into
r, w, rw paths. Again this is circumventing apparmors permission
system. This data can only be used to establish the watch points,
not what permissions those points have. It is entirely likely the
permissions will change over the life of the watch point due to

Library side the patches reorder/rework things to share a little
more code and drop splitting the read data back into r, w, rw.
Again its just a list of watch point paths.

More information about the AppArmor mailing list