[apparmor] environment variables
Christian Boltz
apparmor at cboltz.de
Thu Nov 10 20:00:38 UTC 2011
Hello,
On Thursday, 10 November 2011, John Johansen wrote:
> Ah okay, so basically this is env filtering in the profile and at the
> rule level.
>
> So do you see an advantage of using an exec section
>
> /bin/foo {
>   /bin/bar Px,
>   exec /bin/bar {
>     env PATH /usr/bin:/usr/sbin:*
> over directly attaching it to the matching rule
>
> /bin/foo {
>   /bin/bar Px {
>     env PATH /usr/bin:/usr/sbin:*
> or
>
> /bin/foo {
>   /bin/bar Px env {
>     PATH /usr/bin:/usr/sbin:*
>
> or even
>
> /bin/foo {
>   /bin/bar Px env=(
>     PATH=/usr/bin:/usr/sbin:*
Separate exec sections would have the advantage that we could use one
for separate programs ("exec /bin/*").
That reminds me that we already have a similar syntax for child profiles
(including named transition) - what about just using that syntax and
putting only[1] env rules into it?
This would mean:

/bin/foo {
  /bin/bar Ux,
  profile /bin/bar {
    env PATH [...]
  }
}
Maybe it could even use named transitions:

/bin/foo {
  /bin/bar -> cleanenv Ux, # I hope I remember the syntax correctly
  profile cleanenv {
    env PATH [...]
  }
}
The only disadvantage is: it might be confusing when used with px/Px.
But that's still less confusing than having to learn another syntax that
is specific for env vars. Additionally, Px'ed programs will/should have
the env rules in the target profiles in most cases.
Regards,
Christian Boltz
[1] if cx/Cx is used, the child profile should of course also contain
other rules ;-)
--
> > Regards,
> > Jörg
> Huh? Where did Ratti go? ;-)
That is a very good question... I don't know either...
[> Christian Boltz and (>>) Ratti in fontlinge-devel]
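The messages above only sketch a syntax; nothing in the thread defines what an `env` rule would do at exec time. The following Python is an added illustration, not code from the AppArmor project or from either poster, of one plausible semantics for the `profile cleanenv { env VAR PATTERN }` form: a child profile lists the variables the new program may inherit and a glob its value must match, and everything without a rule is dropped before the transition (a "clean environment"). The profile text, the environment and the drop-unlisted rule are all constructed assumptions.

```python
"""Toy model of the env-rule semantics proposed in the thread above.

Assumptions (not AppArmor behaviour, not from the thread):
  * `profile NAME { env VAR PATTERN ... }` lists the variables the child may
    inherit, with a glob (fnmatch syntax) that the value must match;
  * a variable with no rule, or whose value matches no pattern, is dropped.
"""
import fnmatch
import re
from typing import Dict, List

# Constructed sample written in the syntax proposed in the message above.
PROPOSED_PROFILE = """
/bin/foo {
  /bin/bar -> cleanenv Ux,
  profile cleanenv {
    env PATH /usr/bin:/usr/sbin:*
    env HOME /home/*
    env LANG *
  }
}
"""

# Constructed parent environment handed to the exec.
CONSTRUCTED_ENV = {
    "PATH": "/usr/bin:/usr/sbin:/usr/local/bin",
    "HOME": "/home/alice",
    "LANG": "en_US.UTF-8",
    "LD_PRELOAD": "/tmp/unvetted.so",  # no rule for it: must be dropped
}

_PROFILE_RE = re.compile(r"^\s*profile\s+(\S+)\s*\{")
_ENV_RE = re.compile(r"^\s*env\s+([A-Za-z_][A-Za-z0-9_]*)\s+(\S+)\s*$")


def parse_env_rules(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {profile_name: {VAR: [glob, ...]}} for every `profile` block.

    Only `env` lines inside a `profile NAME { ... }` block are collected;
    comments after `#` are ignored, and brace depth is tracked so that the
    block ends at its matching `}`.
    """
    rules: Dict[str, Dict[str, List[str]]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            rules.setdefault(current, {})
            depth = 1  # the brace opening this profile block
            continue
        if current is None:
            continue
        m = _ENV_RE.match(line)
        if m:
            rules[current].setdefault(m.group(1), []).append(m.group(2))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None
    return rules


def filter_env(env: Dict[str, str], env_rules: Dict[str, List[str]]) -> Dict[str, str]:
    """Keep only variables that have a rule and whose value matches one of its globs."""
    kept: Dict[str, str] = {}
    for name, value in env.items():
        patterns = env_rules.get(name, [])
        if any(fnmatch.fnmatchcase(value, p) for p in patterns):
            kept[name] = value
    return kept


def demo() -> Dict[str, str]:
    """Apply the `cleanenv` rules of the sample profile to the sample environment."""
    rules = parse_env_rules(PROPOSED_PROFILE)["cleanenv"]
    return filter_env(CONSTRUCTED_ENV, rules)


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print(f"{name}={value}")
```

Running it keeps PATH, HOME and LANG and silently drops LD_PRELOAD; a PATH whose value starts outside `/usr/bin:/usr/sbin:` is dropped as well, which is the point of matching the value against a glob rather than merely whitelisting the variable name.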