[apparmor] RFC: Policy versioning
John Johansen
john.johansen at canonical.com
Mon Dec 11 18:43:55 UTC 2017
>>
>> #
>> # foo rules
>> #
>> /usr/bin/foo ix,
>> # needed by foo for ...
>> /etc/blah r,
>> # foo connects to this for ...
>> unix ...,
>>
>> #
>> # bar rules
>> #
>> /usr/bin/bar ix,
>> # bar connects to this for ...
>> unix ...,
>>
>> IIUC, the rule templates put the unix rules somewhere else, outside of
>> the context of the need for the rule.
>>
>
> No, no. They are just a way to expand a parser's ability to parse an
> unknown rule just enough so it can skip it and keep processing the
> rules it does know about.
>
> Think of it as being able to drop a set of rule templates into an
> older version apparmor, so it will support newer policy (yes ignoring)
> without doing a full SRU, which will still just result in the rule
> being dropped unless they are using a newer kernel as well.
>
> The goal is to make it so you won't have to change your policy or
> have multiple versions of policy just because your application is
> running on systems with different versions of apparmor.
>
>
Another way of putting it is that they are NOT policy rules, but a
way of extending the parser by dropping a text file in.
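The mechanism described in this thread, as an added toy model that is not AppArmor's parser or policy language: an old parser that understands only file rules, plus a hypothetical template table that lets it recognise the shape of a rule type it does not implement and skip that rule instead of failing on the whole profile. The rule syntax, the template format (keyword to a regex for the rule body) and the sample profile are all constructed for this illustration.

```python
import re

# Constructed toy model of "rule templates": the old parser below knows
# only file rules. A template maps a rule keyword it does not implement to
# a regex for the rule body, which is just enough to skip the rule cleanly.
# This is NOT AppArmor's real parser or template format.

FILE_RULE = re.compile(r"^(/\S+)\s+([a-zA-Z]+),$")   # e.g. "/etc/blah r,"
KEYWORD = re.compile(r"^([a-z]+)\b")                  # leading rule keyword

# Hypothetical template dropped in as a text file on the older system:
# "unix" rules have an arbitrary body that ends at the first comma.
UNIX_TEMPLATE = {"unix": r"[^,]*"}

# Constructed sample profile, in the shape used in the thread.
PROFILE = """\
#
# foo rules
#
/usr/bin/foo ix,
# needed by foo for ...
/etc/blah r,
# foo connects to this for ...
unix (send receive),
"""

def parse_profile(text, templates):
    """Return (accepted, skipped). Known rules are accepted; rules covered
    only by a template are skipped (so they grant nothing, exactly as the
    thread says: the rule is still dropped on the old system); anything
    else raises ValueError, i.e. the whole profile fails to load."""
    accepted, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments/blanks
        if not line:
            continue
        m = FILE_RULE.match(line)
        if m:
            accepted.append(("file", m.group(1), m.group(2)))
            continue
        kw = KEYWORD.match(line)
        key = kw.group(1) if kw else None
        body = line[len(key):].strip() if key else ""
        if key in templates and re.fullmatch(templates[key] + ",", body):
            skipped.append((key, line))               # shape known, meaning not
            continue
        raise ValueError(f"line {lineno}: cannot parse rule: {line!r}")
    return accepted, skipped

def loads_on_old_parser(text, templates):
    """True if the old parser can load the profile at all (skipping allowed)."""
    try:
        parse_profile(text, templates)
        return True
    except ValueError:
        return False
```

Without the template the profile does not load at all; with it, the file rules are enforced and the unix rule is skipped, so the application still lacks that access on the old system until the parser and kernel are updated.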