[apparmor] stack and stack_onexec semantics again
Seth Arnold
seth.arnold at canonical.com
Wed Mar 9 20:28:39 UTC 2016
On Wed, Mar 09, 2016 at 09:35:59AM -0600, Tyler Hicks wrote:
> > well that really comes down to your use case. Seth's use case is not having to
> > modify distro policy directly, which this tries to accommodate some. Honestly
> > I feel that not modifying the distro policy is more of a packaging problem but
> > I can see its uses. Whether it is worth supporting ...?
>
> I don't understand the "not having to modify distro policy" use case.
> We're talking about the aa_stack_onexec() libapparmor API. Programs must
> be modified to call that libapparmor function. A small modification to
> the profile will be trivial in comparison to modifying the program.
pam_apparmor currently supports only aa_changehat().

I've wanted to add aa_change_onexec() and aa_change_profile() support
to pam_apparmor for a few years.

I'll finally get a round tuit once stacking profiles is viable and I'll
add aa_stack_*(), aa_change_onexec(), and aa_change_profile() support for
pam_apparmor.

This will make it easy to provide policy for classes of users, e.g.
administrators vs users vs guests; or e.g. finance vs engineering vs
operations. (When we eventually support persistent labels on objects it
might also allow adding Bell-LaPadula or Chinese Wall or similar policies
to users, again orthogonal to the current approach the distro-supplied
policy is taking.)

Thanks
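The thread turns on the point that a program has to be modified to call the libapparmor onexec functions itself. The following is an added example, not code from the AppArmor project, pam_apparmor, or either poster: a minimal launcher that calls aa_stack_onexec() (or aa_change_onexec()) before exec() and refuses to start the target unconfined when the request fails. The function names and prototypes are libapparmor's real ones from <sys/apparmor.h>; they are declared as weak references here so the file compiles even where libapparmor is absent (link with -lapparmor where it is installed). The result-code enum, the launcher itself, and the profile name "guest-session" in the comments are assumptions for illustration.

```c
/* Added example (not AppArmor project or pam_apparmor code): a launcher
 * that asks the kernel to apply an AppArmor profile at the next exec()
 * and fails closed when the request cannot be made.
 * Build: cc launcher.c -o launcher [-lapparmor]
 * Usage: ./launcher guest-session /usr/bin/some-program args...
 *        ("guest-session" is an assumed profile name.) */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Prototypes as in <sys/apparmor.h>. Weak references resolve to NULL when
 * the program is not linked against libapparmor, instead of failing to link. */
extern int aa_stack_onexec(const char *profile) __attribute__((weak));
extern int aa_change_onexec(const char *profile) __attribute__((weak));

/* Assumed result codes so callers (and tests) can tell the outcomes apart. */
enum onexec_result {
    ONEXEC_OK = 0,            /* accepted; the transition happens at exec()   */
    ONEXEC_NO_LIBRARY = 1,    /* libapparmor not linked or not installed      */
    ONEXEC_NOT_AVAILABLE = 2, /* EINVAL: AppArmor not loaded / interface bad  */
    ONEXEC_NO_PROFILE = 3,    /* ENOENT: profile not loaded or not visible    */
    ONEXEC_DENIED = 4,        /* EACCES/EPERM: policy forbids the transition  */
    ONEXEC_OTHER_ERROR = 5,   /* anything else, e.g. ENOMEM                   */
};

/* Map libapparmor's return value plus errno to a result code; the errno
 * meanings follow the aa_change_onexec(2) manual page. */
enum onexec_result classify_onexec(int rc, int err)
{
    if (rc == 0)
        return ONEXEC_OK;
    switch (err) {
    case EINVAL: return ONEXEC_NOT_AVAILABLE;
    case ENOENT: return ONEXEC_NO_PROFILE;
    case EACCES:
    case EPERM:  return ONEXEC_DENIED;
    default:     return ONEXEC_OTHER_ERROR;
    }
}

const char *onexec_result_str(enum onexec_result r)
{
    static const char *names[] = {
        "ok", "libapparmor not available", "AppArmor not available",
        "profile not found", "transition denied by policy", "error",
    };
    return names[r];
}

/* Request the transition. stack=1 keeps the caller's current confinement
 * and adds `profile` on top of it (aa_stack_onexec); stack=0 replaces it
 * (aa_change_onexec). Nothing changes until the next exec(), so the code
 * between this call and exec() still runs under the old label. */
enum onexec_result request_onexec(const char *profile, int stack, int *err_out)
{
    int (*fn)(const char *) = stack ? aa_stack_onexec : aa_change_onexec;
    if (fn == NULL) {
        *err_out = 0;
        return ONEXEC_NO_LIBRARY;
    }
    errno = 0;
    int rc = fn(profile);
    *err_out = errno;
    return classify_onexec(rc, errno);
}

/* Start argv[0] under `profile`. Returns only on failure, and never falls
 * through to running the target unconfined. */
int launch_confined(const char *profile, int stack, char *const argv[])
{
    int err = 0;
    enum onexec_result r = request_onexec(profile, stack, &err);
    if (r != ONEXEC_OK) {
        fprintf(stderr, "refusing to run %s: %s%s%s\n", argv[0],
                onexec_result_str(r), err ? ": " : "", err ? strerror(err) : "");
        return (int)r;
    }
    execv(argv[0], argv);
    /* exec failed; the onexec request is still pending for this process,
     * so report and let the caller exit rather than continue. */
    fprintf(stderr, "execv(%s): %s\n", argv[0], strerror(errno));
    return ONEXEC_OTHER_ERROR;
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <profile> <program> [args...]\n", argv[0]);
        return 2;
    }
    return launch_confined(argv[1], 1, &argv[2]);
}
```

The fail-closed branch is the point of the example: if the launcher cannot confirm that the kernel accepted the onexec request, it must not exec the target, because whatever it runs would otherwise inherit the launcher's own (wider) confinement.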