Hey,

On Mon, Oct 30, 2017 at 10:41:56AM +0100, intrigeri wrote:
> Control: forwarded -1 https://bugs.launchpad.net/apparmor/+bug/1728551
>
> Hi,
>
> John Johansen:
>> On 09/20/2017 07:32 AM, intrigeri wrote:
>>> I see that tunables/sys was introduced in 2012 by John (Cc'ed) as part
>>> of a commit that adds "abstractions to support the apparmor api".
>>> On my system, nothing uses these abstractions nor the @{sys} tunable.
>>> So I admit I have no idea what problem @{sys} is meant to solve.
>>> If it _is_ useful then it should be used everywhere instead of /sys/,
>>> which requires quite some work for no obvious (to me) benefit.
>>>
>>> John, what do you think?
>>
>> Yeah, I think it would be worth starting to do the conversion of
>> /sys/ to @{sys}, as has been done with /proc/ to @{proc}.
>>
>> With that said, I haven't ever seen sys mounted somewhere different
>> than /sys/, whereas I have seen that for proc.
>>
>> The big win of course is when fstype conditionals land, at which
>> point @{sys} could be further restricted to be /sys/ with an
>> fs type of sysfs, or even allowing disconnected access to sysfs.
>>
>> As for why this was introduced as part of the api abstraction:
>> profile management is done through sys, and you probably haven't
>> seen it because it's not currently common to confine services
>> doing profile management.
>>
>> I expect that will change more in the future as we open up policy
>> namespaces more, which will safely allow users and applications
>> to load their own policy.
>
> Thanks for the explanation. I've filed an upstream bug about this.

Thanks a lot for handling this!

> Cheers,
> --
> intrigeri

Have a good day,
Vincent

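The conversion John suggests above, rewriting literal /sys/ paths in profile rules to the @{sys} tunable the way /proc/ was moved to @{proc}, as an added example that is not code from this thread or from the AppArmor project. The script only touches rule lines (comments and #include directives are left alone) and skips /proc/sys and @{PROC}/sys, which are procfs, not sysfs; it assumes the profile already pulls in tunables/sys, where @{sys}=/sys/ is defined, and the profile fragment it runs on is constructed for the demonstration.

```python
"""Rewrite literal /sys paths in AppArmor rules to the @{sys} tunable."""
import re

# Matches a path token starting with /sys, but not /proc/sys, @{PROC}/sys or
# identifiers such as /usr/lib/sysfoo. The lookbehind rejects a preceding word
# character, '@' or '}'; the lookahead requires '/', whitespace, ',' or end.
SYS_PATH = re.compile(r"(?<![\w@}])/sys(?=/|\s|,|$)")

def convert_line(line):
    """Return the line with /sys rewritten to @{sys} outside comments."""
    stripped = line.lstrip()
    # Full-line comments and #include directives are left untouched.
    if stripped.startswith("#"):
        return line
    # Split off a trailing "# comment" so paths inside it are not touched.
    m = re.search(r"\s#", line)
    rule, comment = (line[:m.start()], line[m.start():]) if m else (line, "")
    return SYS_PATH.sub("@{sys}", rule) + comment

def convert_profile(text):
    """Convert every rule line; return (new text, number of lines changed)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        new = convert_line(line)
        changed += new != line
        out.append(new)
    return "".join(out), changed

# Constructed sample profile fragment (not from the thread) for a dry run.
SAMPLE = """\
#include <tunables/global>
/usr/bin/example {
  # /sys/ in a comment stays as it is
  /sys/devices/system/cpu/ r,
  owner /sys/fs/cgroup/** rw,   # /sys/ in a trailing comment stays too
  /proc/sys/kernel/hostname r,
  @{PROC}/sys/vm/overcommit_memory r,
  @{sys}/class/net/ r,
  /sys r,
}
"""

if __name__ == "__main__":
    converted, n = convert_profile(SAMPLE)
    print(converted, end="")
    print(f"# {n} rule lines converted")
```

Review the diff before reloading policy: a path that lives under /sys on your system but is handled by a different rule form (for example a mount rule) is not something a textual rewrite can judge.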