[apparmor] Question about attach_disconnected

John Johansen john.johansen at canonical.com
Wed Jul 4 05:54:30 UTC 2018


On 07/03/2018 04:58 PM, apparmor at raf.org wrote:
> Hi again,
> 
> New question: Why is it that when I add
> flags=(attach_disconnected) to a nested profile, and then run
> aa-enforce to load it, the flag clause disappears from the
> profile source code? It seems to be silently failing. I only
> noticed after I kept seeing apparmor messages for something I
> thought I had fixed.
> 
> If I put the flag clause in the top-level profile and run
> aa-enforce it doesn't disappear. In fact, it gets added to all
> of the nested profiles. Is this what I'm supposed to do? The
> manpage is very light on details like this.
> 
This would be a bug.

> It seems that the flags clause must only be defined for the
> top-level profile and that it applies to all nested profiles as
> well. Is that correct? Will it cause any problems to have it
> apply to profiles that don't seem to need it?
> 

No, this is not correct. Each level of profile gets its own
flags. Nested profiles do not share the parent profile's flags.
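
Since flags are per profile level, one way to check a profile source file before and after running aa-enforce is to list the flags on every level. The sketch below is an added example, not part of this thread and not AppArmor project code. It assumes a simplified reading of the profile syntax (any line ending in `{` opens a profile or hat, a lone `}` closes one), and the profile names in the sample are constructed.

```python
import re

# Simplified header match (assumption): optional "profile"/"hat" keyword,
# a name or attachment path, anything else, then "{" at end of line.
HEADER = re.compile(r'^(?:(?:profile|hat)\s+)?("[^"]+"|\S+)(.*)\{$')
FLAGS = re.compile(r'flags\s*=\s*\(([^)]*)\)')

def profile_flags(text):
    """Return {full profile name: set of flags} for every profile level."""
    stack, result = [], {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drops comments and #include lines
        if line == '}':                      # end of the current profile/hat
            if stack:
                stack.pop()
            continue
        m = HEADER.match(line)
        if not m:
            continue                         # ordinary rule, e.g. "/a/{b,c} r,"
        stack.append(m.group(1).strip('"'))
        found = FLAGS.search(m.group(2))
        flags = set(re.split(r'[,\s]+', found.group(1).strip())) if found else set()
        flags.discard('')
        result['//'.join(stack)] = flags     # "//" separates parent and child
    return result

def missing(text, flag='attach_disconnected'):
    """Names of profile levels whose own header does not carry `flag`."""
    return sorted(n for n, f in profile_flags(text).items() if flag not in f)

# Constructed sample: the parent has the flag, the "helper" child does not.
SAMPLE = '''
/usr/sbin/exampled flags=(attach_disconnected) {
  #include <abstractions/base>
  /usr/lib/{exampled,shared}/** r,
  profile helper {
    /usr/bin/helper r,
  }
  profile worker flags=(attach_disconnected, complain) {
    /run/exampled/** rw,
  }
}
'''

if __name__ == '__main__':
    for name, flags in profile_flags(SAMPLE).items():
        print(name, sorted(flags))
    print('missing attach_disconnected:', missing(SAMPLE))
```

Running it on the same file before and after aa-enforce shows whether a nested profile's flags clause was dropped from the source.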


