On 7/27/21 4:45 PM, Seth Arnold wrote:
> On Tue, Jul 27, 2021 at 06:51:34PM -0300, Georgia Garcia wrote:
>> +    if (aa_g_raw_text) {
>> +            dent = aafs_create_file("raw_text", S_IFREG | 0444, dir,
>> +                                    rawdata, &rawtext_fops);
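Review bot: access to the new raw_text file is decided only by the 0444 mode passed to aafs_create_file, and a file mode cannot express per-policy-namespace authority, so tightening it to 0400 would not give namespaced readers the right answer either; consider keeping the mode permissive and having the open or read path behind rawtext_fops perform the policy admin check, so that exposing raw policy text is gated by the same check as the rest of the policy interface.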
> 
> Cool :) The only thing that stood out to me is the permission: some people
> like to store their policy in /etc/apparmor.d/ with restrictive modes for
> whatever reason, and this may be more open than they'd like. 0400 might be
> a better fit for some.
> 

hrmmm actually we should be using the policy admin check instead. 0400
doesn't virtualize to policy namespaces etc. Instead we need to be wide
open and then do our own additional internal permission check.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor