[apparmor] create permission
Christian Boltz
apparmor at cboltz.de
Thu Dec 16 19:28:00 GMT 2010
Hello,
On Thursday, 16 December 2010, John Johansen wrote:
> So apparmor has had a create permission for a while now, but it has
> not been directly expressible in policy. I would like to fix this;
> however, the letter c which is a natural fit for create (and is what
> is used by the kernel when reporting it) is used as an x modifier
> for children profiles (cx, Cx).
>
> So to expose the create permission we have a few possible choices.
> 1. choose a different letter
That would be my favorite solution.
What about "n" as in "new file" or uppercase "A" (similar to lowercase a
for append)?
Not as obvious as c would be, but both variants still have a meaning.
> 2. use c and either require it is either
> 2.1 not used immediately to the left of x if it is to mean cx.
> ie. xc == create and execute
> cx == child profile transition
I'm afraid that's more confusing than using a different letter.
(And I don't even want to know how "interesting" it would make vim
syntax highlighting...)
> 2.2 not used in a rule that has an x transition
create and execute for the same file sounds scary (same for write +
exec) - but that's a very good reason to make this possible. (The
alternative would be *xw instead of *x+create, which would be more
scary.)
> 3. exposed through long for permissions, ie. using the create keyword
> /foo create px,
No keywords for file permissions, please. That would be inconsistent
syntax-wise (all other file permissions use letters).
Regards,
Christian Boltz
--
> > [telepathy] i doubt you refer to this paranormal phenomena stuff.
> Does software to do that exists ? **grin** :-)
Yep, It does, it's called emacs }:-)
[>> Marcus Rueckert, > Cristian Rodriguez R. and Manuel Arostegui
Ramirez in opensuse-buildservice]