Hello,

On Tuesday, 13 August 2019, 14:21:13 CEST, Abhishek Vijeev wrote:
> In a scenario where 'parent_process' spawns (fork and exec) a number of child
> processes, we would like to achieve the following - if a profile exists for any child
> process, use it. Otherwise, don't inherit the parent's profile - instead, inherit a
> different default profile (presumably specified as a nested profile within the parent).
> Is there a way by which we could say this: for all children spawned by parent,
> check whether there exists a child profile (either a different profile in the
> file system, or a nested child profile) and if so use it, else use
> profile 'child_default'?

You can do that by using globs, which are "less specific" and only get used
if there is no exact match.

    profile parent {
      /bin/foo Cx,
      /bin/bar Cx,
      /bin/baz Cx,

      profile foo /bin/foo {
      }

      profile default /bin/* {    # or   profile default /**
        # gets used for /bin/bar and /bin/baz, but not for /bin/foo
      }
    }

You can also use wildcards in the Cx rules if you want to allow to execute
everything in /bin/. In this case, replace all Cx rules in my example with

    /bin/* Cx,

- the specific child profile for /bin/foo will still be used.

Regards,

Christian Boltz
--
Oh, you mean hardware. You still own a real HW these days :P?
[Jiri Slaby in opensuse-factory]
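Added example (not part of the original message and not AppArmor's own matching code): a simplified Python model of the selection rule described in the reply, where an exact child-profile attachment beats a glob and the glob acts as the fallback. It handles only the `*` and `**` wildcards; the function names and the refusal to rank several matching globs are assumptions of this sketch.

```python
import re


def glob_to_regex(pattern):
    """Translate the two AppArmor wildcards used in the reply into a regex."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")       # ** may cross directory separators
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # * stays within one path component
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def resolve_child(children, exec_path):
    """children maps child profile name -> attachment.

    Returns the name of the child profile selected for exec_path, or None
    when no child profile attaches (no fallback covers that path).
    """
    # Tier 1: an attachment without wildcards that equals the path wins.
    for name, attachment in children.items():
        if "*" not in attachment and attachment == exec_path:
            return name
    # Tier 2: the "less specific" glob attachment is the fallback.
    globbed = [name for name, attachment in children.items()
               if "*" in attachment
               and glob_to_regex(attachment).fullmatch(exec_path)]
    if len(globbed) > 1:
        # Ranking competing globs is outside what this sketch models.
        raise ValueError("several glob attachments match %s" % exec_path)
    return globbed[0] if globbed else None


# Child profiles from the reply (name -> attachment), plus the /** variant.
CHILDREN = {"foo": "/bin/foo", "default": "/bin/*"}
CHILDREN_WIDE = {"foo": "/bin/foo", "default": "/**"}

if __name__ == "__main__":
    # Constructed sample paths, including one outside /bin/.
    for path in ("/bin/foo", "/bin/bar", "/bin/baz", "/usr/bin/env"):
        print(path, "->", resolve_child(CHILDREN, path),
              "| with /**:", resolve_child(CHILDREN_WIDE, path))
```

The `/usr/bin/env` case shows why the choice between `/bin/*` and `/**` matters: with the narrower glob, a child outside `/bin/` has no fallback profile to land in.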