[apparmor] environment variables
Kees Cook
kees at ubuntu.com
Wed Nov 9 20:35:35 UTC 2011
On Tue, Nov 08, 2011 at 03:24:27PM -0800, John Johansen wrote:
> On 11/08/2011 02:20 PM, Kees Cook wrote:
> > On Mon, Nov 07, 2011 at 11:13:49PM -0800, John Johansen wrote:
> >> 2. Environment filtering
> >>
> >> Environment filtering would be like extending the existing secure exec, except
> >> with policy involvement, so the environment variable filtering could be defined
> >> per rule or profile.
> >>
> >> It has many of the same questions as Matching.
> >>
> >> 2a. Should environment variable filtering be on the rule, profile or both?
> >
> > It seems like "both" would be the place to do it.
> >
>
> Interesting, would you envision them being applied together, or as an intersection?
> i.e. do the profile and file rules accumulate to increase the set of environment
> vars that are passed, or do they intersect, reducing the set?

Hm, you caught me. I hadn't thought this through. :)

I guess I was thinking about it from the UX perspective, but in really
pondering it, I think probably it would be most sensible to do it only from
the profile side.

-Kees

--
Kees Cook