Hi,

We're looking for some help with respect to AppArmor child profiles. In a scenario where 'parent_process' spawns (fork and exec) a number of child processes, we would like to achieve the following - if a profile exists for any child process, use it. Otherwise, don't inherit the parent's profile - instead, inherit a different default profile (presumably specified as a nested profile within the parent).

We have taken a good look at the use cases for the 'p', 'c', and 'i' exec flags, however, no combination of these flags seems to solve the problem:

a) px - Uses the child's profile (different) if it exists
b) cx - Uses the child's profile (nested) if it exists
c) pix - Uses the child's profile (different) if it exists, else inherits the parent's profile
d) cix - Uses the child's profile (nested) if it exists, else inherits the parent's profile

Here's an example of what we would like:

Parent Process' Profile:

profile parent {
  ...
  ...
  profile child_default {
    ...
    ...
  }
  ...
  ...
}

Is there a way by which we could say this: for all children spawned by parent, check whether there exists a child profile (either a different profile in the file system, or a nested child profile) and if so use it, else use profile 'child_default'?

We understand that doing this for a parent that spawns around 5 children just involves creating 5 different profiles for each of them, and specifying exec transitions on each. However, doing this for a process that spawns more than 20 children (something like the init process) becomes cumbersome. Does AppArmor provide support for this out of the box?

Thank you.
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
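As an added illustration that is not part of the original post: a constructed AppArmor profile (the parent path, helper paths and profile names are all made up for this example) showing the four exec modes listed above next to a nested child_default profile. It goes beyond the flags the post compares by also using AppArmor's named-transition syntax (`cx -> profile`), which sends an exec to a profile chosen by name rather than by the executable's path.

```apparmor
# Added example, not from the original post. All paths and profile
# names below are assumptions constructed for illustration.
#include <tunables/global>

/usr/sbin/parent_process {
  #include <abstractions/base>

  # px: transition to a separate (flat) profile whose name is the
  # executable path; the exec is denied if no such profile is loaded.
  /usr/bin/helper_a px,

  # cx: transition to the nested (child) profile named by the
  # executable path, defined inside this profile below.
  /usr/bin/helper_b cx,

  # pix: use the separate profile for helper_c if one is loaded,
  # otherwise keep running under this parent profile (inherit).
  /usr/bin/helper_c pix,

  # cix: use the nested profile for helper_d if one is defined here,
  # otherwise inherit this parent profile.
  /usr/bin/helper_d cix,

  # Named transition: anything else executed from this directory is
  # confined by the nested 'child_default' profile instead of
  # inheriting the parent's rules. Rules for a specific helper above
  # still take precedence for the paths they match.
  /usr/libexec/parent/** cx -> child_default,

  # Nested profile selected by plain 'cx' (name equals the exec path).
  profile /usr/bin/helper_b {
    #include <abstractions/base>
    /usr/bin/helper_b mr,
    /var/lib/parent/b/** rw,
  }

  # Nested profile selected by 'cix' when present.
  profile /usr/bin/helper_d {
    #include <abstractions/base>
    /usr/bin/helper_d mr,
  }

  # Default confinement for children without a profile of their own.
  profile child_default {
    #include <abstractions/base>
    /usr/libexec/parent/** mr,
    /var/lib/parent/shared/** r,
  }
}
```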