[apparmor] Support for owner specification
John Johansen
john.johansen at canonical.com
Thu Aug 25 12:48:20 UTC 2016
On 08/24/2016 12:10 PM, azurit at pobox.sk wrote:
>
> Quoting Seth Arnold <seth.arnold at canonical.com>:
>
>> On Wed, Aug 24, 2016 at 10:46:49AM +0200, azurit at pobox.sk wrote:
>>> owner=fred
>>> owner=1001
>>> owner=(fred)
>>> owner=(fred george)
>>> owner=(fred 1001)
>>
>>> Is this still not supported? If not, when will it be? Is support missing
>>> only in userspace tools or directly in the kernel?
>>
>> Hello Azur, none of these are supported yet; they aren't on any roadmap
>> either. It would be a nice feature to have but other features and bugfixes
>> are currently higher priority.
>>
>> Thanks
>
>
>
> Hello Arnold,
>
> Can I, somehow, speed up the implementation? To financially sponsor it, for example?
>
Can you code? :)
I can give you a little status on this. It has largely been waiting on support
for extended conditionals. Kernel side (dev tree) this is partially done, but of course
the code needs to be extended to leverage it. That and some effort/thought needs to
be spent on how such policy interacts with user namespaces.
The majority of the work left is in the userspace. At a minimum the parser needs to
be extended to support it. The majority of the work in the parser is reworking how
its backend carries permissions through.
This work has been started, as part of a larger effort to improve performance,
support rule priority and boolean operations. But the progress is slow; as Seth already
mentioned, everyone is overtasked.
The current priority is fixing bugs, and upstreaming the development kernel code.