On 08/28/2018 11:11 PM, intrigeri wrote:
> Hi,
>
> John Johansen:
>> We are proposing deprecating attachment based profile names in the
>> apparmor 3 release
>
> Just curious: why? Is this primarily to simplify the code or is there
> another reason?
>
It's because path based profile names are problematic: they can contain any character except \000, and this is problematic for shared LSM interfaces like /proc/<pid>/attr/current where applications like ps may expect a more limited character set. The current handling is unpredictable, where ps is sanitizing in a different way than pstree, top, and some of the other utilities.

There are a couple of other more minor reasons.

1. It tends to result in shorter profile names, which is good for display in the above mentioned utilities, and even more so when stacking and delegation are taken into consideration.

2. It makes for more cross distro profile names, as programs may be stored in different locations. Several rule types allow specifying a target label, which means updating policy for a location change also means updating all policy rules that reference the profile name as a label.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
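The reply above says a path based profile name may contain any byte except NUL and that ps, pstree and top each sanitize it differently. As an added example (not code from this thread or from the AppArmor project), here is one consistent way to split and render such labels; it assumes the kernel's "label (mode)" format for /proc/<pid>/attr/current, and the sample labels are constructed.

```python
from typing import Optional, Tuple

# AppArmor writes "<label> (<mode>)\n" to /proc/<pid>/attr/current for a
# confined task and "unconfined\n" otherwise (assumed interface format).
MODES = {"enforce", "complain", "kill", "unconfined"}


def split_label(raw: bytes) -> Tuple[bytes, Optional[str]]:
    """Split raw attr/current contents into (label, mode).

    The mode suffix is anchored at the end of the string, so rpartition is
    used: a path based profile name may itself contain " (" and ")".
    """
    if raw.endswith(b"\n"):
        raw = raw[:-1]
    head, sep, tail = raw.rpartition(b" (")
    if sep and tail.endswith(b")"):
        mode = tail[:-1].decode("ascii", "replace")
        if mode in MODES:
            return head, mode
    return raw, None


def render_label(label: bytes) -> str:
    """Render a label so only visible ASCII reaches a terminal or log file.

    Spaces, newlines, quotes, control bytes and non-ASCII bytes all become
    \\ooo octal escapes, so one label always occupies one unambiguous token.
    """
    out = []
    for b in label:
        if 0x21 <= b <= 0x7E and b != 0x5C:  # visible ASCII, not backslash
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def describe(raw: bytes) -> str:
    """One-line, display-safe form of an attr/current value."""
    label, mode = split_label(raw)
    shown = render_label(label)
    return shown if mode is None else f"{shown} ({mode})"


if __name__ == "__main__":
    # Constructed samples: a name with spaces and parentheses, one with an
    # embedded newline, and one with UTF-8 bytes.
    for sample in (b"unconfined\n", b"/usr/sbin/cupsd (enforce)\n",
                   b"/opt/My App (beta)/bin/app (complain)\n",
                   b"/srv/evil\nname (enforce)\n", b"/opt/caf\xc3\xa9 (enforce)\n"):
        print(describe(sample))
```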