[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
Jamie Strandboge
jamie at canonical.com
Fri Jun 20 22:08:09 UTC 2014
On 06/20/2014 04:20 PM, Steve Beattie wrote:
> On Fri, Jun 20, 2014 at 10:17:26AM -0700, John Johansen wrote:
>> If any of the hats use the base provided abstraction they are going to
>> get signals and tracing from unconfined anyways.
>
> Not if they're using trunk's abstractions/base:
>
> $ bzr up
> All changes applied successfully.
> Updated to revision 2542 of branch bzr+ssh://bazaar.launchpad.net/+branch/apparmor
> $ grep signal profiles/apparmor.d/abstractions/base
> $
>
> So we on the ubuntu side need to push the patch that adds that to
> abstractions/base.
>
Hrmm, this was clearly an oversight on my part:
[ Jamie Strandboge ]
* debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
Adjust the base abstraction for signals and ptrace mediation. Profiles
that use the base abstraction can deny any of the granted permissions to
achieve tighter confinement.
I've taken a todo to post this to the list. Sorry...
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140620/97072d1e/attachment.pgp>
More information about the AppArmor
mailing list