[apparmor] prompt qualifier?
John Johansen
john.johansen at canonical.com
Fri Nov 9 22:04:40 UTC 2012
On 11/09/2012 01:43 PM, Steve Beattie wrote:
> On Fri, Nov 09, 2012 at 11:25:15AM -0800, John Johansen wrote:
>>> Supposing that this was in place, would the file picker then not even
>>> offer to open files outside of the @{HOME}/Documents/** tree? I'm
>>> trying to see what this enables in the file picker by adding this
>>> keyword.
>>
>> Right, I think each picker would be free to interpret it as was appropriate
>> but the general idea is that it wouldn't even present files that where
>> denied (so only present allow and prompt set).
>
> Hrm. What additional value does prompt add over only displaying that
> which is allowed by existing apparmor policy? Unless you're concerned
> about the difficulty of computing the latter... but don't you need to
> compute that anyway, to ensure that the prompt rules aren't overruled
> by deny rules?
>
Because this is about trusted pickers that are being used to extend apparmor
policy. ie. the application may not have access to the file at all (so
definitely not in the allowed set). The picker has access to the file but
at this point its entirely at the pickers discretion what to display,
policy has no hints as to possible restrictions beyond what is allowed (not
even explicit deny is available atm).
Beyond hard coding hints based on type into a picker it makes sense to
allow policy to say these are the types of things that a picker could/should
extend the profile with.
More information about the AppArmor
mailing list