[apparmor] [RFC PATCH 1/1] libapparmor: Create man page for aa_stack_profile()/aa_stack_onexec()
Seth Arnold
seth.arnold at canonical.com
Mon Jan 25 23:56:35 UTC 2016
On Mon, Jan 25, 2016 at 05:54:32PM -0600, Tyler Hicks wrote:
> I think the use of the 'stack' keyword here would make things confusing
> in other areas of the policy language where the 'stack' keyword could
> not be used but we're still referring to a stack of profiles.
>
> Stealing one of the examples you posted above:
>
> px /foo/bar -> A//&B,
>
> We'd have to modify it to be something like:
>
> px /foo/bar -> A stack B,
>
> That's actually pretty clear. I think the real problem comes when the
> policy admin is reading the audit logs or a dev is using aa_getcon(2).
> The audit logs and aa_getcon() will not use the form 'A stack B'. The
> 'A//&B' form will be used in those cases. Translating between those
> things and the policy language would be an issue.
Good point, I really do like output from logs that can be copy-and-pasted
into configurations to fix issues.
Thanks