On 9/4/20 3:46 PM, Marius Gripsgard wrote:
> Hi,
> 
> 
> I saw an email from 2014 in this list about this exact topic, so I was
> wondering if the situation has changed since then?
> 
> 
> What I'm looking for is a way to allow a userspace service to reject or
> allow certain rules, like for example a prompt that will ask the user
> "Do you want to give app X access to Network". Ideally without the need
> for the application to request access before making the call, where
> apparmor would send a callback to a userspace helper on a call, this
> helper would then process the event (asking the user or whatnot) and
> send it back to apparmor with an allow or deny. This could be extremely
> powerful in a way to provide a generic *permission handler* regardless
> of application. Alternatively the app would need to request access
> before doing the call, the userspace handler would then change if
> apparmor should allow the calls in question or not.
> 

This does not exist in apparmor at this time. There has been prototype
work around this but I cannot say when or if that work will land upstream.
It certainly has its uses but is also limited in that it will never be
able to work with every permission mediation that apparmor does in the
kernel.

The prototype can be fun to play with but I wouldn't do anything with it
atm as there is a lot of work to be done and things are guaranteed to
change.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
