Hello,

On Thursday, 3 October 2019, 07:21:26 CEST, Abhishek Vijeev wrote:
> We had a good look at stacking, but it doesn't seem to help accomplish
> quite what we have in mind:
> 
> a) Confine 'init'
> b) When init executes any other process, perform a discrete profile
> transition. But, if no discrete profile exists, transition to a
> 'default' (highly restricted) child profile defined in init's profile
> (this is basically what would be a 'pcx' transition).

Ah, so you are looking for full system confinement with profiles for 
specific programs, and a default profile for everything else.

You might want to check the list archives [1] from May and June 2019 for
    [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...
This thread should answer quite a few questions around confining init and 
doing a full system confinement.

> Even if we were to specify the default profile as a discrete profile,
> the following example is the closest that stacking can bring us to
> what we would like, and hopefully illustrates our problem better:
> 
> profile init-systemd /**
> {
>      # exec transition to the stack "program" and "default"
>      /program px -> program //& default,
> }
> 
> profile default
> {
>      . . .
> }
> 
> a) If the discrete profile for 'program' doesn't exist, I understand
> that 'program //& default' would evaluate to just 'default', which is

I'm afraid you are wrong here - either both profiles "program" and 
"default" exist (and both get used), or you'll get an exec denial if one 
of the target profiles doesn't exist.


Regards,

Christian Boltz

[1] https://lists.ubuntu.com/archives/apparmor/
-- 
 ... you start off with a typical message,
let's say a 2.5MB Word document containing
three lines of text and a macro virus ...
[Peter Gutmann]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
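The exec-transition behaviour described in the reply above, as an added toy model that is not part of the original thread and is not AppArmor's parser or policy engine: a minimal reader for the profile fragment syntax used in the mail, plus a resolver that applies the stated rule for `px -> A//&B` transitions (every profile named in the stack must be loaded; if one is missing the exec is denied, with no fallback to the remaining components). The sample policy, the function names `parse_policy` and `resolve_exec`, and the extra `/other` rule are constructed for the illustration.

```python
"""Toy resolver for AppArmor stacked exec transitions.

Added illustration only: this is neither AppArmor's parser nor code from
the original thread. It models a single rule stated in the reply: a
`px -> A//&B` transition succeeds only when every profile named in the
stack is loaded; if any component is missing, the exec is denied rather
than falling back to the components that do exist.
"""
import re
from dataclasses import dataclass, field

# Constructed sample policy, modelled on the fragment posted in the thread
# (trailing commas added; the "..." body of "default" replaced by a read rule).
# Note that no profile named "program" or "other" is defined here.
POLICY = """
profile init-systemd /** {
    /program px -> program//&default,
    /other   px -> other,
}

profile default {
    /** r,
}
"""

HEAD_RE = re.compile(r"^profile\s+(\S+)(?:\s+\S+)?\s*\{$")   # profile NAME [ATTACHMENT] {
RULE_RE = re.compile(r"^(\S+)\s+px\s+->\s+(\S+),$")          # PATH px -> TARGET,


@dataclass
class Profile:
    name: str
    # exec path -> target spec, e.g. "program//&default"
    transitions: dict = field(default_factory=dict)


def parse_policy(text):
    """Parse the tiny subset of profile syntax used above into Profile objects.

    Only profile headers and `px -> target` rules are recognised; every
    other rule (file access, capabilities, ...) is ignored by this toy model.
    """
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEAD_RE.match(line)
        if m:
            current = Profile(m.group(1))
            profiles[current.name] = current
            continue
        if line == "}":
            current = None
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            current.transitions[m.group(1)] = m.group(2)
    return profiles


def resolve_exec(profiles, confined_as, path):
    """Decide what happens when a task confined by `confined_as` execs `path`.

    Returns ("allow", [stack components]) when every component of the target
    stack is loaded, otherwise ("deny", reason). Splitting on "//&" follows
    the stacking notation used in the thread.
    """
    src = profiles[confined_as]
    target = src.transitions.get(path)
    if target is None:
        return ("deny", "no exec rule for %s" % path)
    components = target.split("//&")
    missing = [c for c in components if c not in profiles]
    if missing:
        # No partial fallback: one missing component denies the whole exec.
        return ("deny", "target profile(s) not loaded: %s" % ", ".join(missing))
    return ("allow", components)


if __name__ == "__main__":
    loaded = parse_policy(POLICY)
    print(resolve_exec(loaded, "init-systemd", "/program"))
    # Loading a "program" profile as well makes the stacked transition succeed.
    loaded = parse_policy(POLICY + "\nprofile program {\n    /** r,\n}\n")
    print(resolve_exec(loaded, "init-systemd", "/program"))
```

Running it with the policy as written denies the exec of /program because only "default" is loaded; appending a "program" profile turns the same rule into an allowed transition to the stack ["program", "default"]. The model deliberately has no "use whichever components exist" path, which is exactly the fallback the thread is asking for and the reply says stacking does not provide.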