On 05.12.2016 at 09:57, intrigeri wrote:
> Michael Biebl:
>> Somehow this feels like it should be solved within apparmor itself by
>> resolving symlinks.
>
> Thanks for thinking about it. Perhaps I've misunderstood what you
> mean, so here's my take on it. We need this patch precisely because
> AppArmor resolves symlinks: when Evince runs /bin/gzip, that's
> effectively a symlink to /usr/bin/gzip on a merged-/usr system, so the
> path AppArmor takes into account is /usr/bin/gzip.
Mind you, I don't know how apparmor actually works. This is my idea, basically: say you have an apparmor profile which contains /bin/foo. When that profile file is read by the apparmor profile parser, you check for symlinks in those paths. The parser notices on a merged-/usr system that /bin is a path to /usr/bin, so it adds /bin/foo and /usr/bin/foo to the whitelist.

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
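Michael's suggestion above, as an added example written for this page (not code from AppArmor, Debian or either participant): a small Python sketch of the parser step he describes, which resolves symlinks in each rule path and whitelists both the literal path and the resolved one. It runs against a constructed temporary tree in which `bin` is a symlink to `usr/bin`, standing in for a merged-/usr root; the rule paths, the `ix` permission and the function names are assumptions for illustration.

```python
import os
import tempfile


def expand_rule_paths(root, rule_paths):
    """Expand profile rule paths so both the literal and the resolved form are allowed.

    For each path, keep the literal path and also add the path with every
    symlinked component resolved (re-expressed relative to `root`), because
    AppArmor matches on the resolved path when the program is executed.
    `root` stands in for the system root so the example can run against a
    constructed directory tree instead of the real filesystem.
    """
    allowed = set()
    for rule in rule_paths:
        allowed.add(rule)
        on_disk = os.path.join(root, rule.lstrip("/"))
        resolved = os.path.realpath(on_disk)
        # Turn the absolute path under the fake root back into a "/..." rule path.
        allowed.add("/" + os.path.relpath(resolved, root))
    return allowed


def render_rules(allowed, perms="ix"):
    """Render the allowed paths as AppArmor file rules of the form "<path> <perms>,"."""
    return [f"{path} {perms}," for path in sorted(allowed)]


def merged_usr_demo():
    """Build a constructed merged-/usr tree and expand hypothetical rules against it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Resolve the temp dir itself in case it sits behind a symlink (e.g. /tmp on some systems).
        root = os.path.realpath(tmp)
        os.makedirs(os.path.join(root, "usr", "bin"))
        for name in ("gzip", "env"):
            with open(os.path.join(root, "usr", "bin", name), "w") as f:
                f.write("#!/bin/sh\n")
        # merged-/usr layout: /bin is a symlink to usr/bin (constructed here).
        os.symlink("usr/bin", os.path.join(root, "bin"))
        # Hypothetical rule paths as a profile parser would read them.
        rules = ["/bin/gzip", "/usr/bin/env"]
        return expand_rule_paths(root, rules)


if __name__ == "__main__":
    for line in render_rules(merged_usr_demo()):
        print(line)
```

For `/bin/gzip` this yields both `/bin/gzip` and `/usr/bin/gzip`; `/usr/bin/env`, which crosses no symlink, stays a single entry. Two caveats a practitioner would want noted: resolving at parse time bakes the filesystem layout of the host that loads the policy into the loaded profile, so a profile compiled on a merged-/usr host and loaded elsewhere behaves differently; and when writing profiles by hand, AppArmor's brace alternation (for example `/{,usr/}bin/gzip ix,`) expresses the same pair of paths in one rule without any parser change.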

