[apparmor] [PATCH] apparmor: enable raw text policy
John Johansen
john.johansen at canonical.com
Tue Jul 27 23:58:02 UTC 2021
On 7/27/21 4:45 PM, Seth Arnold wrote:
> On Tue, Jul 27, 2021 at 06:51:34PM -0300, Georgia Garcia wrote:
>> + if (aa_g_raw_text) {
>> + dent = aafs_create_file("raw_text", S_IFREG | 0444, dir,
>> + rawdata, &rawtext_fops);
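Review bot: the `aafs_create_file("raw_text", S_IFREG | 0444, ...)` call makes the loaded policy text world-readable by mode bits alone, so the read side in `rawtext_fops` needs its own access check; mode bits are a single global answer and cannot express which policy namespace the reader is allowed to view, so tightening them to 0400 would not solve that either.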
>
> Cool :) The only thing that stood out to me is the permission: some people
> like to store their policy in /etc/apparmor.d/ with restrictive modes for
> whatever reason, and this may be more open than they'd like. 0400 might be
> a better fit for some.
>
hrmmm actually we should be using the policy admin check instead. 0400
doesn't virtualize to policy namespaces etc. Instead we need to be wide
open and then do our own additional internal permission check.
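To make the point above concrete, here is an added user-space model (not kernel code, and not part of this patch or of AppArmor) of why a mode bit like 0400 cannot stand in for a policy admin check. A mode bit yields one global answer keyed on the uid, while the internal check has to be answered per policy namespace: an admin inside a container's namespace should be able to read its own namespace's raw text but never the parent's, and an unprivileged task in that namespace should read none of it. The struct names, `ns_visible` and `policy_admin_allows` are constructed for this illustration; the only thing taken from the thread is the shape of the decision.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a policy namespace tree: each namespace points at
 * its parent, the root (init) namespace has parent NULL. */
struct policy_ns {
    const char *name;
    const struct policy_ns *parent;
};

/* Constructed view of a reader: the policy namespace it is confined in,
 * its uid as seen by the host, and whether it holds admin rights in its
 * own namespace (in the kernel this would come from capabilities). */
struct viewer {
    const struct policy_ns *ns;
    unsigned int host_uid;
    bool ns_admin;
};

/* Mode-bit model: a 0400 file owned by host root answers one question
 * only, "is the reader host uid 0?", with no idea of namespaces. */
static bool mode_0400_allows(const struct viewer *v)
{
    return v->host_uid == 0;
}

/* A namespace may see policy that lives in its own subtree: `target`
 * must be `view` itself or nested somewhere below it. */
static bool ns_visible(const struct policy_ns *view, const struct policy_ns *target)
{
    for (const struct policy_ns *n = target; n != NULL; n = n->parent)
        if (n == view)
            return true;
    return false;
}

/* The internal check that virtualizes: admin in your own namespace, and
 * the raw text you ask for must be visible from that namespace. */
static bool policy_admin_allows(const struct viewer *v, const struct policy_ns *target)
{
    return v->ns_admin && ns_visible(v->ns, target);
}

/* Sample scenario (constructed): host namespace with one container
 * namespace underneath it, and three readers. Container root is mapped
 * to host uid 100000, as a typical unprivileged container would be. */
static const struct policy_ns root_ns = { "root", NULL };
static const struct policy_ns lxc_ns  = { "lxc",  &root_ns };

static const struct viewer host_admin      = { &root_ns, 0,      true  };
static const struct viewer container_admin = { &lxc_ns,  100000, true  };
static const struct viewer container_user  = { &lxc_ns,  100001, false };

static void report(const char *who, const struct viewer *v, const struct policy_ns *target)
{
    printf("%-16s reading %-5s policy: mode 0400 says %-5s, admin check says %s\n",
           who, target->name,
           mode_0400_allows(v) ? "yes" : "no",
           policy_admin_allows(v, target) ? "yes" : "no");
}

int main(void)
{
    /* Host root: both checks agree. */
    report("host admin", &host_admin, &root_ns);
    report("host admin", &host_admin, &lxc_ns);
    /* Container admin: mode bits deny its own policy, the admin check
     * grants it, and the admin check still denies the parent's policy. */
    report("container admin", &container_admin, &lxc_ns);
    report("container admin", &container_admin, &root_ns);
    /* Unprivileged container task: denied by both. */
    report("container user", &container_user, &lxc_ns);
    return 0;
}
```

The rows for the container admin are the ones that matter: the mode bit gives the wrong answer in both directions for a namespaced reader, which is why the file has to be created open and gated by the policy admin check inside the read path instead.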