[apparmor] Query about AppArmor's Profile Transitions

John Johansen john.johansen at canonical.com
Tue Oct 1 17:56:18 UTC 2019


On 10/1/19 10:25 AM, Abhishek Vijeev wrote:
> Hi,
> 
> We had a small question regarding AppArmor's profile transitions.
> 
> Currently, AppArmor allows 'pix' and 'cix' transitions. However, we would like to extend AppArmor to
> allow a 'pcix' transition. To clarify what we mean by 'pcix', we're looking for a way by which we
> can specify the following policy: 'look for a specific profile, but if one doesn't exist, look for a
> child profile, otherwise inherit the current profile'. Are there any challenges to implementing
> this? Also, is this a feature that is planned for release in future versions of AppArmor?
> 
Unfortunately it's not possible yet because of how the permission set is stored, and computed (I can
provide details if you really want). This isn't a hard blocker; it is just something that needs to be
changed/fixed in both the userspace and kernel. Fortunately that work is already in process for other
features that are coming. Once the permission rework lands supporting this will become much easier,
and your request lines up with a feature that has been on the roadmap for a long time.

Basically there has been a desire/need for much more flexible profile transitions, where you can
specify the order of the search. Something along the lines of

  /** x -> profile1, ^profile2, @{exec}, @{inherit},

basically having a list in order of preference to search. There needs to be some discussion still
to arrive at the actual syntax.

The work required to get to where we can do this is
1. kernel permission remap/rework
2. userspace, rework how permissions are handled and carried throughout compile, map to what is
  supported by kernel at the end.
3. kernel extend, search to support ordered list
4. userspace extend language to support ordered list/pcix, whatever the syntax is

1. and 2. are fairly involved. 3 and 4 are not too bad.

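As an added illustration (not code from the AppArmor project or from this thread), a small Python model of the ordered search sketched above: each exec mode is written as a preference list and resolved against a constructed profile set. The `@{exec}`, `@{inherit}` and `^` (child profile) markers follow the sketch in the reply; the actual syntax is still undecided, so these names are assumptions.

```python
"""Simulated ordered profile-transition search (illustration only; not
AppArmor's kernel or parser code). Models today's px/cx/ix/pix/cix modes and
the requested 'pcix' ordering as preference lists searched front to back."""
from typing import Dict, List, Optional, Set

EXEC = "@{exec}"        # hypothetical: profile named after the executed path
INHERIT = "@{inherit}"  # hypothetical: keep running under the current profile

# Existing modes and the requested one, expressed as ordered preference lists.
# A leading '^' marks a child (local) profile of the current profile.
MODES: Dict[str, List[str]] = {
    "px": [EXEC],
    "cx": ["^" + EXEC],
    "ix": [INHERIT],
    "pix": [EXEC, INHERIT],
    "cix": ["^" + EXEC, INHERIT],
    "pcix": [EXEC, "^" + EXEC, INHERIT],  # named, then child, then inherit
}

def resolve(profiles: Dict[str, Set[str]], current: str, exec_path: str,
            order: List[str]) -> Optional[str]:
    """Return the profile the exec'd process would run under, or None when no
    candidate in `order` exists (the exec would then be denied).

    `profiles` maps each global profile name to the names of its child
    profiles; a child is reported as 'parent//child' as AppArmor displays it."""
    for cand in order:
        if cand == INHERIT:
            return current
        is_child = cand.startswith("^")
        name = cand[1:] if is_child else cand
        if name == EXEC:
            name = exec_path
        if is_child:
            if name in profiles.get(current, set()):
                return f"{current}//{name}"
        elif name in profiles:
            return name
    return None  # no candidate matched; fall through to a denied exec
```

The fallback position matters for the policy author: with `pix`/`pcix` a missing profile silently lands on inherit, while a bare `px` with no profile denies the exec.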