[apparmor] PUx permissions?
Steve Beattie
steve at nxnw.org
Tue Apr 19 21:35:09 UTC 2011
On Tue, Apr 19, 2011 at 11:16:09PM +0200, Christian Boltz wrote:
> Final question: Is the order of P and U fixed or can I also use UPx and
> upx?
UPx and upx aren't meaningful permissions, as what they would mean
is to default to unconfining the exec'ed binary and fall back to the
appropriate profile if the unconfined "profile" doesn't exist. Given
that the unconfined state is always available[1], it would never be
possible for the px transition to occur. So, no, it's not a valid
permission.
[1] Long ago, we used to have a global paranoid mode toggle, which
required that any new process that was exec()ed had to have a
profile defined or the exec would fail. I don't believe that
exists anymore as it was generally not useful, but even if it
came back, it would make UPx/upx meaningful, but only marginally,
IMO. Realistically, you'd need to treat all bare ux permissions
as upx in that situation.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110419/07c55605/attachment.pgp>
More information about the AppArmor
mailing list