Control: forwarded -1 https://bugs.launchpad.net/apparmor/+bug/1728551

Hi,

John Johansen:
> On 09/20/2017 07:32 AM, intrigeri wrote:
>> I see that tunables/sys was introduced in 2012 by John (Cc'ed) as part
>> of a commit that adds "abstractions to support the apparmor api".
>> On my system, nothing uses these abstractions nor the @{sys} tunable.
>> So I admit I have no idea what problem @{sys} is meant to solve.
>> If it _is_ useful then it should be used everywhere instead of /sys/,
>> which requires quite some work for no obvious (to me) benefit.
>> 
>> John, what do you think?

> yeah, I think it would be worth starting to do the conversion of
> /sys/ to @{sys} as has been done with /proc/ to @{proc}

> with that said I haven't ever seen sys mounted somewhere different
> than /sys/ where I have seen that for proc.

> The big win of course is when fstype conditionals land at which
> point @{sys} could be further restricted to be /sys/ with an
> fs type of sysfs or even allowing disconnected access to sysfs.

> As for why this was introduced as part of the api abstraction:
> profile management is done through sys and you probably haven't
> seen it because it's not currently common to confine services
> doing profile management.

> I expect that will change more in the future as we open up policy
> namespaces more, which will safely allow users and applications
> to load their own policy.

Thanks for the explanation. I've filed an upstream bug about this.

Cheers,
-- 
intrigeri
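As an added example (not code from this thread or from the AppArmor project), the mechanical /sys/ to @{sys} conversion John describes, run over a small constructed profile. It assumes that tunables/sys defines @{sys} as /sys/ and that a profile using the variable needs that tunable included somewhere; the script rewrites rule paths and only reports whether the include is present.

```python
import re

# Constructed sample profile (not a real shipped profile): rules with
# hardcoded /sys/ paths, one rule already using @{sys}, and a path that
# merely starts with "/sys" and must not be rewritten.
SAMPLE_PROFILE = """\
#include <tunables/global>

profile example /usr/bin/example {
  #include <abstractions/base>

  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,
  /sys/kernel/security/apparmor/profiles r,
  @{sys}/class/net/ r,
  /sysroot/etc/hosts r,
  deny /sys/firmware/** rw,
}
"""

# A literal /sys/ that begins a path token. The lookbehind rejects
# /usr/sys/ (preceded by a word character) and the like; /sysroot/ is
# rejected because "/sys" is not followed by "/".
SYS_PATH = re.compile(r'(?<![\w@{}/])/sys/')

# "#include <tunables/sys>" or the newer "include <tunables/sys>" form.
SYS_TUNABLE_INCLUDE = re.compile(r'^\s*#?include\s+<tunables/sys>', re.M)


def convert_sys_paths(profile_text: str) -> str:
    """Rewrite hardcoded /sys/ prefixes in rule lines to @{sys}/.
    Comment and include lines are left untouched."""
    out = []
    for line in profile_text.splitlines():
        if line.lstrip().startswith('#'):
            out.append(line)
        else:
            out.append(SYS_PATH.sub('@{sys}/', line))
    return '\n'.join(out) + '\n'


def uses_sys_tunable(profile_text: str) -> bool:
    return '@{sys}' in profile_text


def includes_sys_tunable(profile_text: str) -> bool:
    """True if the profile explicitly includes tunables/sys (assumption:
    that file is where @{sys} is defined)."""
    return SYS_TUNABLE_INCLUDE.search(profile_text) is not None


if __name__ == '__main__':
    converted = convert_sys_paths(SAMPLE_PROFILE)
    print(converted)
    if uses_sys_tunable(converted) and not includes_sys_tunable(converted):
        print('# note: @{sys} used but <tunables/sys> not included here')
```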
