[apparmor] Question regarding confining sudo in a child profile
Hanno Stock
hanno.stock at gmx.net
Tue Oct 22 09:37:19 UTC 2013
On 21.10.2013 20:50, John Johansen wrote:
> On 10/21/2013 06:14 AM, Simon Deziel wrote:
> [...]
>> I think that changing to a subprofile from another subprofile only works
>> when using fully qualified profile name.
>>
>> Here is an extract of a profile that does a similar thing:
>>
>> /usr/local/bin/backuppc-wrapper {
>> ...
>> /usr/bin/sudo Cx -> sudo_rsync,
>>
>> profile sudo_rsync {
>> ...
>> # XXX: Cx doesn't work. For details, see
>> # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
>> #/usr/bin/rsync Cx -> rsync,
>> /usr/bin/rsync px -> /usr/local/bin/backuppc-wrapper//rsync,
>> }
>>
>> profile rsync {
>> #include <abstractions/base>
>> }
>> ...
>> }
>>
> yep,
>
> The ability to specify a sibling transition directly is coming soon (hopefully
> in the 3.0 release).
>
> At some point nested child profiles will happen, so a child can have its own
> children. Cx from a child will transition to its children.

Thanks, both of you! The fully qualified version works fine.

Regards
Hanno
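
A small lint for the situation discussed in this thread, added here as an example and not code from any of the posters or from the AppArmor project: it finds `Cx -> name` rules inside a child profile whose target is a sibling profile and returns the fully qualified `px` form that was reported to work. The sample profile is constructed from the extract quoted above; the function name and the simplified line-based parsing are assumptions.

```python
import re

# Profile header: "/path {" or "profile name {" (assumed one header per line).
HEADER = re.compile(r'^(?:profile\s+)?(\S+)[^{]*\{$')
# Exec rule in the form used in the thread: "/path Cx -> target,"
CX_RULE = re.compile(r'^(\S+)\s+[cC]x\s*->\s*([^\s,]+)\s*,$')

def sibling_cx_fixes(text):
    """Return (profile, replacement_rule) for each Cx rule in a child
    profile that names a sibling rather than a child of its own."""
    children = {}  # top-level profile name -> names of its child profiles
    rules = []     # (parent, child, exec path, target) seen inside a child
    stack = []     # names of the profiles enclosing the current line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):   # comments and #include lines
            continue
        if line == '}':
            if stack:
                stack.pop()
            continue
        m = HEADER.match(line)
        if m:
            if len(stack) == 1:
                children.setdefault(stack[0], set()).add(m.group(1))
            stack.append(m.group(1))
            continue
        m = CX_RULE.match(line)
        if m and len(stack) == 2:              # rule sits inside a child profile
            rules.append((stack[0], stack[1], m.group(1), m.group(2)))
    return [(f"{parent}//{child}", f"{path} px -> {parent}//{target},")
            for parent, child, path, target in rules
            if target in children.get(parent, ())]

# Constructed sample, modelled on the extract quoted in the thread.
SAMPLE = """
/usr/local/bin/backuppc-wrapper {
  /usr/bin/sudo Cx -> sudo_rsync,
  profile sudo_rsync {
    /usr/bin/rsync Cx -> rsync,
  }
  profile rsync {
    #include <abstractions/base>
  }
}
"""

if __name__ == "__main__":
    for profile, rule in sibling_cx_fixes(SAMPLE):
        print(f"{profile}: use '{rule}'")
```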