[apparmor] How to setup apparmor for calling an executable from another executable with a profile
Germán Diago Gómez
germandiago at gmail.com
Tue May 29 05:05:28 UTC 2018
Hello everyone,
I have a question I posted on Stack Overflow and Ubuntu Stack Exchange
with no luck.
My problem is the following:
I have a problem I am not sure how to solve in AppArmor.
Basically I have a profile that executes a program, let us say
    profile myprof { /my/executable ix, }
The problem is that from that executable, I call another executable,
spawning a process, let us call it, /the/other/executable.
How can I make AppArmor give /my/executable permissions to call
/the/other/executable? This will be done when /my/executable is already
running, of course.
I saw the API for aa_change_hat and subprofiles: is that the way to go?
My ideal would be to be able to tell from the profile directly that
/my/executable can use /the/other/executable. /the/other/executable
should be able to read and write in the same places as /my/executable,
so this could be maybe inherited.
Thanks for your time!