Thank you for the reply John, Seth. It's great to know that a more expressive 
policy language is in the works.

We had a good look at stacking, but it doesn't seem to help accomplish quite 
what we have in mind:

a) Confine 'init'
b) When init executes any other process, perform a discrete profile transition. 
But, if no discrete profile exists, transition to a 'default' (highly 
restricted) child profile defined in init's profile (this is basically what 
would be a 'pcx' transition).

Even if we were to specify the default profile as a discrete profile, the 
following example is the closest that stacking can bring us to what we would 
like, and hopefully illustrates our problem better:

profile init-systemd /**
{
     /program px -> program //& default
}

profile default
{
     . . .
}

a) If the discrete profile for 'program' doesn't exist, I understand that 
'program //& default' would evaluate to just 'default', which is what we would 
like. So far so good.
b) But, if the discrete profile for 'program' does exist, we would like it to 
transition here, and not perform an intersection of 'program' and 'default'. 
Since 'default' is highly restrictive, this would result in the intersection of 
the 2 profiles becoming highly restrictive as well.

________________________________
From: Seth Arnold
Sent: Tuesday, 01 October 2019 23:47
To: Abhishek Vijeev
Cc: apparmor@lists.ubuntu.com; Rakesh Rajan Beck
Subject: Re: [apparmor] Query about AppArmor's Profile Transitions

On Tue, Oct 01, 2019 at 05:25:21PM +0000, Abhishek Vijeev wrote:
> Currently, AppArmor allows 'pix' and 'cix' transitions. However, we would
> like to extend AppArmor to allow a 'pcix' transition. To clarify what we
> mean by 'pcix', we're looking for a way by which we can specify the
> following policy: 'look for a specific profile, but if one doesn't exist,
> look for a child profile, otherwise inherit the current profile'. Are there
> any challenges to implementing this? Also, is this a feature that is
> planned for release in future versions of AppArmor?

I do have to wonder if whatever you're trying to solve would be better
handled via stacking profiles instead.

What are you trying to achieve?

Thanks
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
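The two points argued above (the fallback order a 'pcix' mode would need, and why a stacked target like 'program //& default' is more restrictive than 'program' alone) can be made concrete with a small model. The following Python is an added example for this thread, not AppArmor's code and not code from either poster. It assumes the fallback order for px/cx/ix/pix/cix as described in apparmor.d(5), treats 'pcix' as the hypothetical mode proposed here, and models a label stack as a per-path set intersection of permissions; the profile names, paths and permission sets are constructed, and real AppArmor details such as globbing, attachments and Px-style environment scrubbing are deliberately left out.

```python
"""Toy model of AppArmor exec-transition lookup order and label stacking.

Added example for this thread; not AppArmor's code.  Profiles, paths and
permission sets are constructed.  Fallback order for px/cx/ix/pix/cix follows
apparmor.d(5); 'pcix' is the mode proposed in the thread and is hypothetical.
"""


class TransitionError(Exception):
    """Raised when an exec mode finds no profile and has no fallback."""


class Profile:
    def __init__(self, name, rules=None, children=None):
        self.name = name
        # path -> set of permission letters, e.g. {"r", "w"} (constructed data)
        self.rules = rules or {}
        # child profile name -> Profile defined inside this profile
        self.children = children or {}


# Lookup order per exec mode; 'pcix' is hypothetical (proposed in the thread).
LOOKUP_ORDER = {
    "px": ["profile"],
    "cx": ["child"],
    "ix": ["inherit"],
    "pix": ["profile", "inherit"],
    "cix": ["child", "inherit"],
    "pcix": ["profile", "child", "inherit"],
}


def resolve_transition(mode, target, current, system_profiles):
    """Return the Profile the new task runs under, trying each fallback in order.

    'profile' looks for a discrete profile named `target`, 'child' for a child
    profile of that name inside `current`, 'inherit' keeps the caller's profile.
    """
    for step in LOOKUP_ORDER[mode]:
        if step == "profile" and target in system_profiles:
            return system_profiles[target]
        if step == "child" and target in current.children:
            return current.children[target]
        if step == "inherit":
            return current
    raise TransitionError(f"{mode} -> {target}: no matching profile, no fallback")


def stacked_permissions(path, *profiles):
    """Permissions on `path` under a stack 'A//&B': every profile must allow them.

    Modelled as a per-path set intersection (toy: no globbing or qualifiers).
    """
    allowed = None
    for p in profiles:
        perms = p.rules.get(path, set())
        allowed = set(perms) if allowed is None else allowed & perms
    return allowed if allowed is not None else set()


def build_sample_policy():
    """Constructed policy mirroring the thread: init with a restrictive child."""
    default = Profile("default", rules={"/etc/ld.so.cache": {"r"}})
    helper = Profile("helper", rules={"/run/helper.sock": {"r", "w"}})
    init = Profile("init-systemd",
                   rules={"/**": {"r", "w", "x"}},
                   children={"default": default, "helper": helper})
    program = Profile("program",
                      rules={"/var/lib/app/data": {"r", "w"},
                             "/etc/ld.so.cache": {"r"}})
    return init, {"init-systemd": init, "program": program}


def demo():
    """Exercise the fallback chains and the stacking intersection."""
    init, system = build_sample_policy()
    program, default = system["program"], init.children["default"]
    out = {
        # pix: no discrete profile for 'other', so the task inherits init's profile
        "pix_missing": resolve_transition("pix", "other", init, system).name,
        # cix: a child profile of that name exists, so it is used
        "cix_child": resolve_transition("cix", "helper", init, system).name,
        # proposed pcix: discrete profile wins when present ...
        "pcix_present": resolve_transition("pcix", "program", init, system).name,
        # ... else a child of the same name ...
        "pcix_child": resolve_transition("pcix", "helper", init, system).name,
        # ... else inherit
        "pcix_inherit": resolve_transition("pcix", "other", init, system).name,
        # 'program //& default' keeps only what both profiles allow on the path
        "program_alone": sorted(stacked_permissions("/var/lib/app/data", program)),
        "program_stacked": sorted(stacked_permissions("/var/lib/app/data",
                                                      program, default)),
    }
    try:
        resolve_transition("px", "other", init, system)  # px has no fallback
    except TransitionError:
        out["px_missing"] = "denied"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the thread's complaint directly: 'program' alone grants r and w on /var/lib/app/data, while the stack with the restrictive 'default' grants nothing there, whereas the proposed 'pcix' order picks the discrete profile first and only drops to the child (and then to inherit) when nothing more specific is loaded.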