[apparmor] prompt qualifier?
John Johansen
john.johansen at canonical.com
Sat Nov 10 01:03:59 UTC 2012
On 11/09/2012 04:43 PM, Steve Beattie wrote:
> On Fri, Nov 09, 2012 at 02:04:40PM -0800, John Johansen wrote:
>> On 11/09/2012 01:43 PM, Steve Beattie wrote:
>>> Hrm. What additional value does prompt add over only displaying that
>>> which is allowed by existing apparmor policy? Unless you're concerned
>>> about the difficulty of computing the latter... but don't you need to
>>> compute that anyway, to ensure that the prompt rules aren't overruled
>>> by deny rules?
>>>
>> Because this is about trusted pickers that are being used to extend apparmor
>> policy, i.e. the application may not have access to the file at all (so
>> definitely not in the allowed set). The picker has access to the file but
>> at this point it's entirely at the picker's discretion what to display,
>> policy has no hints as to possible restrictions beyond what is allowed (not
>> even explicit deny is available atm).
>
> Ah, right. Though if we exported the explicit Deny rules as a separate
> DFA rather than incorporate it into the single DFA, you could prompt
> about anything that wasn't explicitly denied.
>
Well, we could export the explicit denies as a separate mask in the current
DFA once the extended permissions are done, at the cost of a larger DFA,
because we can't combine non-accepting and explicit deny states.

> That said, I think you've convinced me that this additional hint over
> just Deny rules is probably for the best.
>
Heh, that's funny. I'm not sure and am asking for input; it's certainly the
direction I am leaning, but ...