[apparmor] prompt qualifier?
John Johansen
john.johansen at canonical.com
Fri Nov 9 19:25:15 UTC 2012
On 11/09/2012 11:18 AM, Steve Beattie wrote:
> On Fri, Nov 09, 2012 at 09:17:11AM -0800, John Johansen wrote:
>> With the work on trusted userspace helpers now proceeding, it raises the
>> question as to whether profiles should be able to provide hints to the
>> helper what resources can be asked for.
>>
>> Take for example a trusted file picker that will be used to extend a
>> sandboxed application
>>
>> The file picker could extend the sandbox with anything that it can access,
>> but we may want to be able to tell the trusted file picker that the profile
>> should only be able to ask for a certain type/set of files.
>>
>> We could do this by extending the profile syntax with an "ask" or "prompt"
>> qualifier (or some other word that better matches the intent). It would be
>> mutually exclusive to the deny/allow qualifier and a lower priority so that
>> any allow or deny rule would override it.
>>
>> e.g.
>>
>> prompt @{HOME}/Documents/** rw,
>>
>> would allow a profile to specify that the trusted picker can be used to
>> pick files from the user's documents.
>
> Supposing that this was in place, would the file picker then not even
> offer to open files outside of the @{HOME}/Documents/** tree? I'm
> trying to see what this enables in the file picker by adding this
> keyword.
Right, I think each picker would be free to interpret it as appropriate,
but the general idea is that it wouldn't even present files that were
denied (so only present the allow and prompt set).
It would be a pretty poor user experience to present a list of files just
to have the picker deny access to them.
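A toy model of the precedence the thread proposes (deny over allow over prompt), added here as an illustration; it is not AppArmor's parser nor code from the thread's authors. It assumes a simplified rule syntax, an explicit `allow` keyword, a single fixed expansion of `@{HOME}`, and AppArmor's glob convention that `**` crosses directory boundaries while `*` does not.

```python
import re

# Constructed toy model of the proposed deny > allow > prompt precedence.
# Not AppArmor's parser: simplified syntax and an assumed fixed @{HOME}.
HOME = "/home/user"

def _glob_to_regex(pattern):
    """Translate a path glob: '**' crosses '/' boundaries, '*' does not."""
    pattern = pattern.replace("@{HOME}", HOME)
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_rules(text):
    """Parse 'prompt @{HOME}/Documents/** rw,' style lines; no qualifier means allow."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            parts = ["allow"] + parts
        qualifier, path, perms = parts
        rules.append((qualifier, _glob_to_regex(path), set(perms)))
    return rules

def decide(rules, path, perm):
    """'deny' beats 'allow', both beat 'prompt'; no match is 'none' (implicit deny)."""
    hits = {q for q, rx, perms in rules if rx.match(path) and perm in perms}
    for q in ("deny", "allow", "prompt"):
        if q in hits:
            return q
    return "none"

def picker_candidates(rules, paths, perm="r"):
    """What a trusted picker should offer: allowed or promptable files, never denied ones."""
    return [p for p in paths if decide(rules, p, perm) in ("allow", "prompt")]

# Constructed profile fragment built around the thread's example rule.
RULES = parse_rules("""deny @{HOME}/Documents/secret/** rw,
prompt @{HOME}/Documents/** rw,
@{HOME}/Documents/public.txt r,""")
```

Running `picker_candidates(RULES, paths)` over a directory listing yields only the files the picker should present, which is the "allow and prompt set" described above.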