[apparmor] AppArmor Child Profiles

[Abhishek Vijeev]

Hi,


We're looking for some help with respect to AppArmor child profiles.


In a scenario where 'parent_process' spawns (fork and exec) a number of child

processes, we would like to achieve the following - if a profile exists for any child

process, use it. Otherwise, don't inherit the parent's profile - instead, inherit a

different default profile (presumably specified as a nested profile within the parent).


We have taken a good look at the use cases for the 'p', 'c', and 'i' exec flags,

however, no combination of these flags seems to solve the problem:


a) px - Uses the child's profile (different) if it exists

b) cx - Uses the child's profile (nested) if it exists

c) pix - Uses the child's profile (different) if it exists, else inherits the parent's profile

d) cix - Uses the child's profile (nested) if it exists, else inherits the parent's profile


Here's an example of what we would like:


Parent Process' Profile:


profile parent

{

     ...

     ...

     profile child_default

     {

          ...

          ...

     }

     ...

     ...

}


Is there a way by which we could say this: for all children spawned by parent,

check whether there exists a child profile (either a different profile in the

file system, or a nested child profile) and if so use it, else use profile 'child_default'?


We understand that doing this for a parent that spawns around 5 children just

involves creating 5 different profiles for each of them, and specifying exec

transitions on each. However, doing this for a process that spawns more than

20 children (something like the init process) becomes cumbersome. Does

AppArmor provide support for this out of the box?


Thank you.




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190813/e1adde81/attachment.html>