[apparmor] dconf patches

John Johansen john.johansen at canonical.com
Fri Dec 16 17:54:41 UTC 2016


On 08/16/2016 04:17 AM, John Johansen wrote:
> On 08/02/2016 04:32 PM, William Hua wrote:
>> Hello,
>>
>> If I may, I'd like to revive the old dconf confinement patches that we started over a year ago, but were never merged.
>>
>> All necessary patches are attached, as well as an extra test profile and program. I've refreshed them to work properly against kernel 4.6.4 and current AppArmor trunk.
>>
> Hey William
> 
> the kernel patch still looks good, and pathes 1-3 have my ACK
> 
> the issue lies with 04 the actual dconf patch. The code looks good however
> I said it before and I will say it again we can not be putting permission
> information into the query data.
> 
> You have separated out the query data into
>   rpaths
>   rwpaths
>   arpaths
>   arwpaths
> 
> this is replicating the permission information into the key value storage
> but we can not do this. The only thing that can go in here are the paths
> that need to be watched, with absolutely no permission information.
> 
> This requirement is critical as we are dynamically composing profiles and
> something in the rwpaths may not be in the rwpath under another profile.
> The dynamic permission query has to be able to return the
> correct composed permissions.
> 
> A watch on a path that ends up having no permissions will result in extra
> overhead but not the wrong permissions.
> 
> The other issue is the paths themselves need to be able to support
> apparmor regexs, which in itself is easy to fix but plays back into the
> path issue above, because it is a second reason that the dconf paths
> can't be handled as separate lists based on permissions.
> 
> Your queries would have to do the dynamic composition of the regexs to
> find the actual permissions between the lists.
> 
> I need to grab a few hours of sleep, and then I will try finishing up my
> counter patch, that hopefully better demonstrates what I am looking for
> 

Sorry this has been so long. I am going to reply to this with the full set
that I currently have since I can't recall if I tweaked any of the
earlier patches.

I do have some follow on patches that are in dev around local caching
of perms and policy change events. Which I realize will be critical
to making this work well.

The other part is the extracting of the watch point data from the rules.
I am still tinkering with it, so currently the broadest possible watch
point is inserted.

However this should not be a problem from a dev standpoint as it just
means more events to check perms against.




More information about the AppArmor mailing list