It does seem odd, but if m and r permission are granted then the program could do the moral equivalent of an exec entirely in memory itself -- with the exception of setuid, setgid, or setfacl capabilities, which the profile will confine anyhow.
Thus I think the full set makes sense. ------Original Message------ From: John Johansen Sender: apparmor-boun...@lists.ubuntu.com To: apparmor Subject: [apparmor] File rule question Sent: Mar 10, 2012 5:50 PM So in 2.8 the ability to specify all files via file, instead of having to do /** rwlkmix, the question is should this short cut provide all those permissions or should we separate out exec permissions. It seems odd to me that saying you have access to all files means you also can exec anything even if it remains confined by the current profile. -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor