[apparmor] profile naming and attachment
John Johansen
john.johansen at canonical.com
Thu Nov 18 17:06:10 GMT 2010
On 11/18/2010 06:13 AM, Jamie Strandboge wrote:
> On Wed, 2010-11-17 at 17:19 -0800, John Johansen wrote:
>> = Profile naming =
>> ...
>> so the name would be optional and only available when using the profile keyword,
>> which is currently used to specify profiles that don't have an attachment
>> specification. If a name was not specified the attachment specification would
>> be used for the name as it currently is. For our firefox example this would be
>>
>> profile firefox /usr/lib/firefox-3.6.12/firefox-*bin { }
>
> Assuming that current behavior is still supported, I like this idea.
>
Yes, no change to current behavior.
<< snip >>
>> Basically the ability will be present in the enforcement engine, it's just
>> a matter of where/when we choose to expose it. Also just because we
>> choose to expose it doesn't mean we have to use it in a given situation.
>
> Right, but perhaps because I am not imaginative enough, this seems more
> like TIMTOWTDI and added complexity rather than something that is really
> needed. Granted, I do see supporting non-pam systems as a worthy goal,
> but not high priority atm. I'd love to be proven wrong, as conditional
> profile attachment looks interesting....
>
Right, this isn't a current goal; it just is something to think about.
It came up specifically because of someone asking for user attachment
on a non-pam system.
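As an added illustration (not code from this thread or from the AppArmor project), a small Python parser that resolves a profile header line into (name, attachment) under the rule described above: the attachment specification doubles as the name unless an explicit name is given with the `profile` keyword. Treating a lone path after `profile` as a self-naming attachment is an assumption; flags and quoting are left out.

```python
import re
from typing import NamedTuple, Optional


class ProfileHeader(NamedTuple):
    name: str
    attachment: Optional[str]


# Opening line of a profile block: optional "profile" keyword, one or two
# bare tokens, then the opening brace (anything after it is ignored here).
# Flags and quoted paths are deliberately out of scope for this illustration.
_HEADER = re.compile(r"^\s*(?:(profile)\s+)?(\S+)(?:\s+(\S+))?\s*\{.*$")


def parse_header(line: str) -> ProfileHeader:
    """Resolve a profile header into its name and attachment specification."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not a profile header: {line!r}")
    keyword, first, second = m.groups()

    if keyword is None:
        # Legacy form "/path { ... }": the attachment path is also the name.
        if not first.startswith("/") or second is not None:
            raise ValueError("without 'profile', the header must be a single path")
        return ProfileHeader(name=first, attachment=first)

    if second is not None:
        # Proposed form "profile NAME /attachment { ... }": explicit name.
        if not second.startswith("/"):
            raise ValueError(f"attachment must be a path: {second!r}")
        return ProfileHeader(name=first, attachment=second)

    # Single token after 'profile': a path attaches and names itself
    # (assumption); any other token is a named profile with no attachment.
    if first.startswith("/"):
        return ProfileHeader(name=first, attachment=first)
    return ProfileHeader(name=first, attachment=None)


if __name__ == "__main__":
    # Constructed sample headers, including the firefox example from the thread.
    for hdr in ("/usr/bin/foo {",
                "profile firefox {",
                "profile firefox /usr/lib/firefox-3.6.12/firefox-*bin { }"):
        print(hdr, "->", parse_header(hdr))
```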