[apparmor] Confinement inheritance with ix

Jonas Große Sundrup jgs-apparmor at letopolis.de
Fri Aug 14 22:09:55 UTC 2020


On 2020-08-12, Jonas Große Sundrup wrote:
> Or in other words: where is my mental model of AppArmor still
> incorrect?

After some further experimentation, I think I can now answer my own
question here, if anyone observes a similar problem and happens to find
my original mail:

The executable in question, in whose profile the ix-confinement did not
work, was in fact not the executable, but a symlink to it, which I
didn't directly notice. While htop will then note the process via its
*executed* name, aka the name of the symlink, AppArmor triggers only
for the *actual* executable. After realizing this and adapting the
profiles accordingly, everything now works smoothly according to the
documentation. :)


  ~ Jonas
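A check for the situation described in this mail, as an added example that is not part of the original message: it lists profile attachment paths and exec rules (such as `ix`) whose literal path is a symlink, together with the path they resolve to. The function names `check_path` and `find_symlinked_paths` are hypothetical, the sample files are constructed in a temporary directory, and only literal absolute paths are handled (globs and variables are skipped).

```shell
#!/bin/sh
# Added example: list literal paths in an AppArmor profile that are symlinks.

# check_path KIND PATH: print a finding when PATH resolves to another file.
check_path() {
    case $2 in *\**|*\?*|*\[*|*\{*|*@*) return 0 ;; esac  # skip globs, @{vars}
    [ -e "$2" ] || return 0                    # skip paths absent on this host
    real=$(readlink -f -- "$2")
    [ "$real" = "$2" ] || printf '%s %s -> %s\n' "$1" "$2" "$real"
}

# find_symlinked_paths FILE: check attachment lines and exec (x) rules.
find_symlinked_paths() {
    sed -e 's/#.*$//' -e 's/,[[:space:]]*$//' "$1" |
    while read -r f1 f2 f3 rest; do
        case $f1 in
            profile)                           # "profile [name] /path {"
                for p in "$f2" "$f3"; do
                    case $p in /*) check_path attach "$p" ;; esac
                done ;;
            /*)
                case $f2 in
                    "{"|flags=*) check_path attach "$f1" ;;  # "/path {"
                    *x*)         check_path exec "$f1" ;;    # "/path ix,"
                esac ;;
        esac
    done
}

# Constructed sample: a binary, a symlink to it, and a profile naming the symlink.
demo() {
    d=$(readlink -f -- "$(mktemp -d)")
    : > "$d/tool-1.2"; : > "$d/helper"
    ln -s tool-1.2 "$d/tool"
    printf '%s\n' "$d/tool {" "  $d/helper ix,  # real file" \
        "  $d/tool rix," "  /usr/bin/* ix," "}" > "$d/profile"
    find_symlinked_paths "$d/profile" | sed "s|$d|DIR|g"
    rm -rf -- "$d"
}
demo
```

Each reported line names a path that should be replaced in the profile by the resolved path on its right.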



