[Apparmor-dev] [rfr] new profile abstractions
Seth Arnold
seth.arnold at suse.de
Mon Aug 27 18:46:33 MDT 2007
On Tue, Aug 14, 2007 at 04:06:46PM -0400, Mathias Gug wrote:
> diff -uNr upstream-trunk/profiles/apparmor.d/abstractions/gnupg ubuntu-mathiaz/profiles/apparmor.d/abstractions/gnupg
> --- upstream-trunk/profiles/apparmor.d/abstractions/gnupg 1969-12-31 19:00:00.000000000 -0500
> +++ ubuntu-mathiaz/profiles/apparmor.d/abstractions/gnupg 2007-08-06 14:35:48.000000000 -0400
> @@ -0,0 +1,13 @@
> +# vim:syntax=apparmor
> +# gnupg sub-process running permissions
> +
> + # executable itself
> + /usr/bin/gpg mixr,
Putting these rules in abstractions seriously limits flexibility for end
profiles; it's best to avoid x rules in abstractions entirely. (End users
can do whatever they want on deployed systems, but as profile providers
for them, we shouldn't hinder their choices quite this much.)
> + @{HOME}/.gnupg/so/*.x86_64 mr,
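Review bot: the `@{HOME}/.gnupg/so/*.x86_64 mr,` rule grants `m` (executable mmap) on files under the user's home directory, a location the user can normally write to, so every profile that includes this abstraction would be allowed to map as executable whatever ends up in `~/.gnupg/so/`. The rule also hard-codes a single architecture suffix and carries no comment saying which component needs it. Suggest dropping it from the abstraction, or documenting the consumer in a comment and reducing the mode to `r` unless executable mapping is shown to be required.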
What on -earth-? Creepy.
Thanks :)