[apparmor] Query about AppArmor's Profile Transitions

Abhishek Vijeev abhishekvijeev at iisc.ac.in
Thu Oct 3 05:21:26 UTC 2019


Thank you for the reply John, Seth. It's great to know that a more expressive policy language is in the works.

We had a good look at stacking, but it doesn't seem to help accomplish quite what we have in mind:

a) Confine 'init'
b) When init executes any other process, perform a discrete profile transition. But, if no discrete profile exists, transition to a 'default' (highly restricted) child profile defined in init's profile (this is basically what would be a 'pcx' transition).

Even if we were to specify the default profile as a discrete profile, the following example is the closest that stacking can bring us to what we would like, and hopefully illustrates our problem better:

profile init-systemd /**
{
     /program px -> program //& default
}

profile default
{
     . . .
}

a) If the discrete profile for 'program' doesn't exist, I understand that 'program //& default' would evaluate to just 'default', which is what we would like. So far so good.
b) But, if the discrete profile for 'program' does exist, we would like it to transition there, and not perform an intersection of 'program' and 'default'. Since 'default' is highly restrictive, this would result in the intersection of the two profiles becoming highly restrictive as well.

________________________________
From: Seth Arnold
Sent: Tuesday, 01 October 2019 23:47
To: Abhishek Vijeev
Cc: apparmor at lists.ubuntu.com; Rakesh Rajan Beck
Subject: Re: [apparmor] Query about AppArmor's Profile Transitions

On Tue, Oct 01, 2019 at 05:25:21PM +0000, Abhishek Vijeev wrote:
> Currently, AppArmor allows 'pix' and 'cix' transitions. However, we would like to extend AppArmor to
> allow a 'pcix' transition. To clarify what we mean by 'pcix', we're looking for a way by which we
> can specify the following policy: 'look for a specific profile, but if one doesn't exist, look for a
> child profile, otherwise inherit the current profile'. Are there any challenges to implementing
> this? Also, is this a feature that is planned for release in future versions of AppArmor?

I do have to wonder if whatever you're trying to solve would be better
handled via stacking profiles instead.

What are you trying to achieve?

Thanks
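The following is an added illustration of the transition semantics being discussed; it is not code from the thread's participants or from AppArmor itself. It models profiles as sets of path globs and resolves the exec modes named above ('px', 'pix', 'cix', the proposed 'pcix') and profile stacking ('//&'), so the difference between "fall back to the child profile" and "intersect with the child profile" can be checked directly. The profile names, the child profile label `init-systemd//default` and the permitted paths are constructed sample data; real AppArmor evaluates compiled rules, not glob strings, so this is a simplification of the policy, not of the kernel code.

```python
"""Model of AppArmor exec transition resolution (added illustration, not AppArmor code).

Profiles are modelled as sets of permitted path globs.  A stack ('//&')
permits an access only if every profile in the stack permits it, which is
why stacking a restrictive 'default' profile with a discrete profile ends
up more restrictive than the discrete profile alone.
"""
from fnmatch import fnmatch
from typing import Dict, FrozenSet, List, Optional

# Constructed sample policy: label -> permitted path globs (assumption, not a real system).
PROFILES: Dict[str, FrozenSet[str]] = {
    "init-systemd": frozenset({"/etc/**", "/usr/bin/**", "/var/log/**", "/run/**"}),
    # Highly restricted child profile of init; the name '//default' is an assumption.
    "init-systemd//default": frozenset({"/usr/lib/**"}),
    # Discrete profile for one program; any other binary has none.
    "/usr/bin/program": frozenset({"/usr/bin/**", "/usr/lib/**", "/var/lib/program/**"}),
}


def resolve(mode: str, current: str, target: str,
            profiles: Dict[str, FrozenSet[str]] = PROFILES) -> Optional[str]:
    """Return the label the exec'd binary runs under, or None when the exec is denied."""
    discrete = target if target in profiles else None
    child_name = f"{current}//default"
    child = child_name if child_name in profiles else None
    if mode == "px":            # discrete profile or denial
        return discrete
    if mode == "pix":           # discrete profile, else inherit
        return discrete or current
    if mode == "cix":           # child profile, else inherit
        return child or current
    if mode == "pcix":          # proposed: discrete, else child, else inherit
        return discrete or child or current
    raise ValueError(f"unknown exec mode {mode!r}")


def stack_labels(current: str, target: str,
                 profiles: Dict[str, FrozenSet[str]] = PROFILES) -> List[str]:
    """Labels that make up the stack 'target //& child': missing profiles drop out."""
    return [name for name in (target, f"{current}//default") if name in profiles]


def allowed(perms: FrozenSet[str], path: str) -> bool:
    """True if any glob in a single profile's permission set matches the path."""
    return any(fnmatch(path, glob) for glob in perms)


def stack_allows(labels: List[str], path: str,
                 profiles: Dict[str, FrozenSet[str]] = PROFILES) -> bool:
    """A stack permits an access only if every profile in the stack permits it."""
    return all(allowed(profiles[name], path) for name in labels)


if __name__ == "__main__":
    # Discrete profile exists: 'pcix' lands on it, stacking intersects it with the child.
    label = resolve("pcix", "init-systemd", "/usr/bin/program")
    stack = stack_labels("init-systemd", "/usr/bin/program")
    path = "/var/lib/program/state"
    print(f"pcix -> {label}: {path} allowed = {allowed(PROFILES[label], path)}")
    print(f"stack {stack}: {path} allowed = {stack_allows(stack, path)}")
    # No discrete profile: both approaches end up on the restrictive child.
    print("pcix fallback ->", resolve("pcix", "init-systemd", "/usr/bin/other"))
    print("stack fallback ->", stack_labels("init-systemd", "/usr/bin/other"))
```

Running the module shows the two cases from the thread side by side: when no discrete profile exists, both 'pcix' and the stack resolve to the child profile alone, but when `/usr/bin/program` does have a profile, 'pcix' runs it under that profile while the stack denies anything the child profile does not also permit.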