On 10/1/19 10:25 AM, Abhishek Vijeev wrote:
> Hi,
> 
> We had a small question regarding AppArmor's profile transitions.
> 
> Currently, AppArmor allows 'pix' and 'cix' transitions. However, we would
> like to extend AppArmor to allow a 'pcix' transition. To clarify what we
> mean by 'pcix', we're looking for a way by which we can specify the
> following policy: 'look for a specific profile, but if one doesn't exist,
> look for a child profile, otherwise inherit the current profile'. Are there
> any challenges to implementing this? Also, is this a feature that is
> planned for release in future versions of AppArmor?
> 
Unfortunately it's not possible yet because of how the permission set is
stored and computed (I can provide details if you really want). This isn't a
hard blocker; it is just something that needs to be changed/fixed in both the
userspace and the kernel. Fortunately that work is already in process for
other features that are coming. Once the permission rework lands, supporting
this will become much easier, and your request lines up with a feature that
has been on the roadmap for a long time.

Basically there has been a desire/need for much more flexible profile
transitions, where you can specify the order of the search. Something along
the lines of

  /** x -> profile1, ^profile2, @{exec}, @{inherit},

basically having a list in order of preference to search. There needs to be
some discussion still to arrive at the actual syntax.

The work required to get to where we can do this is
1. kernel permission remap/rework
2. userspace, rework how permissions are handled and carried throughout
   compile, map to what is supported by the kernel at the end.
3. kernel, extend search to support an ordered list
4. userspace, extend the language to support an ordered list/pcix, whatever
   the syntax is

1. and 2. are fairly involved. 3. and 4. are not too bad.


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
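For readers who want to see the transitions the thread is talking about in an actual profile, here is an added illustration (not code from the mailing-list message or from the AppArmor project). It shows the two fallback transitions AppArmor supports today, 'pix' and 'cix', a named child transition, and, as a comment only, what the requested 'pcix' order would express. All paths and profile names (/usr/bin/launcher, /usr/bin/worker, /usr/bin/helper, tool_child, /usr/bin/plugin) are made up for the example.

```apparmor
# Added example, not from the original message or the AppArmor project.
# Paths and profile names below are invented for illustration.

#include <tunables/global>

profile /usr/bin/launcher {
  #include <abstractions/base>

  # pix: look for a separate (loaded) profile attached to /usr/bin/worker.
  # If no such profile exists, keep running under this profile (inherit)
  # instead of failing the exec the way plain 'px' would.
  /usr/bin/worker pix,

  # cix: look for a child profile with the same name as the executable.
  # If no child profile of that name is defined here, inherit.
  # Child profiles are nested inside the parent profile.
  /usr/bin/helper cix,
  profile /usr/bin/helper {
    #include <abstractions/base>
    /usr/bin/helper mr,
  }

  # Named form: transition to a child profile with an explicit name.
  /usr/bin/tool cx -> tool_child,
  profile tool_child {
    #include <abstractions/base>
    /usr/bin/tool mr,
  }

  # What the thread asks for, NOT valid syntax today: first try a separate
  # profile for /usr/bin/plugin, then a child profile, then inherit.
  # /usr/bin/plugin pcix,
}
```

The security-relevant difference between these modes is what happens when the target profile is missing: 'px'/'cx' refuse the exec, while the 'i' suffix silently falls back to the parent's confinement, so a typo in a profile name with 'pix' or 'cix' does not fail closed. The hypothetical 'pcix' would add one more fallback step before inheriting, which is why the reply ties it to the ordered-search syntax rather than to a single new mode flag.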
