[apparmor] AppArmor Child Profiles
Christian Boltz
apparmor at cboltz.de
Sun Aug 18 10:24:55 UTC 2019
Hello,
On Tuesday, 13 August 2019, 14:21:13 CEST, Abhishek Vijeev wrote:
> In a scenario where 'parent_process' spawns (fork and exec) a number of child
> processes, we would like to achieve the following - if a profile exists for any child
> process, use it. Otherwise, don't inherit the parent's profile - instead, inherit a
> different default profile (presumably specified as a nested profile within the parent).
> Is there a way by which we could say this: for all children spawned by parent,
> check whether there exists a child profile (either a different profile in the
> file system, or a nested child profile) and if so use it, else use
> profile 'child_default'?
You can do that by using globs, which are "less specific" and only get
used if there is no exact match.
    profile parent {
      /bin/foo Cx,
      /bin/bar Cx,
      /bin/baz Cx,

      profile foo /bin/foo {
      }

      profile default /bin/* {   # or profile default /**
        # gets used for /bin/bar and /bin/baz, but not for /bin/foo
      }
    }
You can also use wildcards in the Cx rules if you want to allow
executing everything in /bin/. In this case, replace all Cx rules in my
example with /bin/* Cx, - the specific child profile for /bin/foo
will still be used.
Regards,
Christian Boltz
--
Oh, you mean hardware. You still own a real HW these days :P?
[Jiri Slaby in opensuse-factory]
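The "exact match beats glob" rule from the reply above, sketched as an added example that is not part of the original message and not AppArmor's own code. It assumes a simplified model in which, among the child profiles whose attachment matches the exec path, the one with the longest literal prefix before the first glob wins; select_child, glob_to_regex and literal_prefix_len are hypothetical names, and only the *, ** and ? globs are modelled.

```python
import re

# Simplified model (an assumption of this example, not AppArmor's code):
# a child profile attaches if its pattern matches the exec path, and among
# matching profiles the one with the longest literal prefix wins.

def glob_to_regex(pattern):
    """Translate the *, ** and ? globs; other glob syntax is not modelled."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")        # ** crosses directory separators
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")     # * stays within one path component
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")      # ? is one character, never a slash
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def literal_prefix_len(pattern):
    """Number of characters before the first glob character."""
    m = re.search(r"[*?]", pattern)
    return m.start() if m else len(pattern)

def select_child(exec_path, children):
    """children maps child profile name -> attachment pattern."""
    matches = [(literal_prefix_len(p), name) for name, p in children.items()
               if glob_to_regex(p).fullmatch(exec_path)]
    if not matches:
        return None                 # no child profile attaches in this model
    best = max(length for length, _ in matches)
    winners = [name for length, name in matches if length == best]
    if len(winners) > 1:            # the model refuses to pick between equals
        raise ValueError(f"ambiguous attachment for {exec_path}: {winners}")
    return winners[0]

# Constructed sample mirroring the child profiles in the message above.
CHILDREN = {"foo": "/bin/foo", "default": "/bin/*"}

if __name__ == "__main__":
    for path in ("/bin/foo", "/bin/bar", "/bin/baz", "/usr/bin/foo"):
        print(path, "->", select_child(path, CHILDREN))
```

Running it over a set of child attachments before loading a profile shows which executables would land in the catch-all child and flags two globs that would be equally specific.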