I think the profile change on chroot is the way to go, although it may
be interesting to make rules explicit for both pre- and post-chroot. E.g.
>
> profile foo {
>
>   /etc/shells r                  # Applies to both, but the chroot uses the full path, so only affects pre-chroot
>   @{root}/etc/nsswitch.conf r    # The file with path /etc/nsswitch.conf can be read both outside and inside the chroot
>
>   chroot none {
>     # pre-chroot rules
>     @{root}/etc/passwd r         # Can only be read before chrooting
>   }
>
>   chroot /var/lib/foo-chroot {
>     # post-chroot rules
>     @{root}/etc/foo-users.conf r # Equivalent to /var/lib/foo-chroot/etc/foo-users.conf r
>   }
> }
I'm assuming a variable @{root} which would be automatically set to the
process root folder, either by the kernel or by apparmor_parser.
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
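Added example, not part of the message and not apparmor_parser or AppArmor's real profile language: a small Python model of the pre-/post-chroot syntax proposed above, so its semantics can be checked against the comments in the example. It assumes the `chroot none { }` / `chroot <dir> { }` blocks and the `@{root}` variable exactly as proposed, that `@{root}` expands to `/` before chroot and to the chroot directory after it, that top-level rules are matched against the full (kernel-visible) path in both phases, and that rule paths are compared literally with no globbing. The profile text embedded in the block is a constructed copy of the proposal with the comments removed.

```python
"""Toy evaluator for the pre/post-chroot profile syntax proposed in the message.

Added example, not apparmor_parser: the chroot blocks and @{root} are the
proposal from the mailing-list message, modelled here to check the semantics
its comments describe (which rules apply before and after chroot).
"""
import posixpath
import re

# Constructed copy of the proposed profile, comments dropped (assumed syntax).
PROPOSED_PROFILE = """
profile foo {
  /etc/shells r
  @{root}/etc/nsswitch.conf r

  chroot none {
    @{root}/etc/passwd r
  }

  chroot /var/lib/foo-chroot {
    @{root}/etc/foo-users.conf r
  }
}
"""

RULE_RE = re.compile(r"^(\S+)\s+([a-z]+)$")
CHROOT_RE = re.compile(r"^chroot\s+(\S+)\s*\{$")


def parse_profile(text):
    """Return a list of (scope, path_template, perms).

    scope is None for top-level rules (they apply to every process root),
    '/' for rules inside `chroot none` (pre-chroot only), or the chroot
    directory for rules inside `chroot <dir>` (post-chroot only).
    """
    rules, scope, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        if line.startswith("profile ") and line.endswith("{"):
            depth += 1
            continue
        m = CHROOT_RE.match(line)
        if m:
            scope = "/" if m.group(1) == "none" else posixpath.normpath(m.group(1))
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 1:          # leaving a chroot block, back to profile level
                scope = None
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed line: %r" % raw)
        rules.append((scope, m.group(1), m.group(2)))
    return rules


def real_path(process_root, visible_path):
    """Kernel-visible path for a path the process sees relative to its root."""
    return posixpath.normpath(posixpath.join(process_root, visible_path.lstrip("/")))


def expand(template, process_root):
    """Substitute @{root} with the process root ('/' collapses to '')."""
    return posixpath.normpath(template.replace("@{root}", process_root.rstrip("/")))


def allowed(rules, process_root, visible_path, perm):
    """Would the proposal grant `perm` on `visible_path` to a process rooted at process_root?"""
    process_root = posixpath.normpath(process_root)
    target = real_path(process_root, visible_path)
    for scope, template, perms in rules:
        if scope is not None and scope != process_root:
            continue                # rule belongs to the other chroot phase
        if expand(template, process_root) == target and perm in perms:
            return True
    return False


def access_matrix(rules, chroot_dir, paths, perm="r"):
    """{visible_path: (allowed before chroot, allowed after chroot into chroot_dir)}."""
    return {p: (allowed(rules, "/", p, perm), allowed(rules, chroot_dir, p, perm))
            for p in paths}


if __name__ == "__main__":
    parsed = parse_profile(PROPOSED_PROFILE)
    matrix = access_matrix(parsed, "/var/lib/foo-chroot",
                           ["/etc/shells", "/etc/nsswitch.conf",
                            "/etc/passwd", "/etc/foo-users.conf"])
    for path, (pre, post) in matrix.items():
        print("%-22s pre-chroot=%-5s post-chroot=%s" % (path, pre, post))
```

Running it reproduces the comments in the proposal: `/etc/shells` is readable only before chroot (after chroot the kernel sees `/var/lib/foo-chroot/etc/shells`, which the literal rule does not name), `/etc/nsswitch.conf` is readable in both phases because `@{root}` follows the process root, `/etc/passwd` only before, and `/etc/foo-users.conf` only after, where the rule expands to `/var/lib/foo-chroot/etc/foo-users.conf`.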