Re: [apparmor] Confinement inheritance with ix
On Sat, Aug 15, 2020 at 12:09:55AM +0200, Jonas Große Sundrup wrote:
> The executable in question, in whose profile the ix-confinement did not
> work, was in fact not the executable, but a symlink to it, which I
> didn't directly notice. While htop will then note the process via its
> *executed* name, aka the name of the symlink, AppArmor triggers only
> for the *actual* executable. After realizing this and adapting the
> profiles accordingly, everything now works smoothly according to the
> documentation. :)

Oh, excellent, thanks for reporting back.

Thanks

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] Confinement inheritance with ix
On 2020-08-12, Jonas Große Sundrup wrote:
> Or in other words: where is my mental model of AppArmor still
> incorrect?

After some further experimentation, I think I can now answer my own question here, if anyone observes a similar problem and happens to find my original mail:

The executable in question, in whose profile the ix-confinement did not work, was in fact not the executable, but a symlink to it, which I didn't directly notice. While htop will then note the process via its *executed* name, aka the name of the symlink, AppArmor triggers only for the *actual* executable. After realizing this and adapting the profiles accordingly, everything now works smoothly according to the documentation. :)

~ Jonas
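
The symlink mismatch described in this thread can be checked before writing a profile. The following is an added example, not part of the original messages; the function names `check_attach_path` and `show_pid` are hypothetical, and it assumes a Linux system with `/proc` and a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example: find out whether a path you intend to use in an AppArmor
# profile (attachment path or exec rule) is the file the kernel will
# actually see. Function names are hypothetical helpers, not AppArmor tools.

# Returns 0 if the path is already the real file, 1 if it resolves to a
# different path (symlink in the last or any parent component), 2 if missing.
check_attach_path() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing $path"
        return 2
    fi
    real=$(readlink -f "$path")
    if [ "$real" != "$path" ]; then
        # The profile should name $real; a rule for $path will not match.
        echo "resolves-elsewhere $path -> $real"
        return 1
    fi
    echo "ok $path"
    return 0
}

# For a running process, show the name tools such as htop display (argv[0])
# next to the real executable and the confinement label the kernel reports.
show_pid() {
    pid=$1
    printf 'argv0: %s\n' "$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)"
    printf 'exe:   %s\n' "$(readlink "/proc/$pid/exe")"
    printf 'label: %s\n' "$(cat "/proc/$pid/attr/current" 2>/dev/null || echo unavailable)"
}

# Usage: script.sh /path/one /path/two ...
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        check_attach_path "$p" || true
    done
fi
```
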