[apparmor] dconf patches
John Johansen
john.johansen at canonical.com
Tue Aug 16 11:17:43 UTC 2016
On 08/02/2016 04:32 PM, William Hua wrote:
> Hello,
>
> If I may, I'd like to revive the old dconf confinement patches that we started over a year ago, but were never merged.
>
> All necessary patches are attached, as well as an extra test profile and program. I've refreshed them to work properly against kernel 4.6.4 and current AppArmor trunk.
>
Hey William
the kernel patch still looks good, and pathes 1-3 have my ACK
the issue lies with 04 the actual dconf patch. The code looks good however
I said it before and I will say it again we can not be putting permission
information into the query data.
You have separated out the query data into
rpaths
rwpaths
arpaths
arwpaths
this is replicating the permission information into the key value storage
but we can not do this. The only thing that can go in here are the paths
that need to be watched, with absolutely no permission information.
This requirement is critical as we are dynamically composing profiles and
something in the rwpaths may not be in the rwpath under another profile.
The dynamic permission query has to be able to return the
correct composed permissions.
A watch on a path that ends up having no permissions will result in extra
overhead but not the wrong permissions.
The other issue is the paths themselves need to be able to support
apparmor regexs, which in itself is easy to fix but plays back into the
path issue above, because it is a second reason that the dconf paths
can't be handled as separate lists based on permissions.
Your queries would have to do the dynamic composition of the regexs to
find the actual permissions between the lists.
I need to grab a few hours of sleep, and then I will try finishing up my
counter patch, that hopefully better demonstrates what I am looking for
More information about the AppArmor
mailing list