[Apparmor-dev] Network definitions in profile

Markku Savela msa at moth.iki.fi
Tue Dec 4 03:04:21 MST 2007


Hi,

I'm not disagreeing strongly on anything. The following is only to
clarify my thoughts about this...


ext John Johansen wrote:

> ... and I also think quibbling about the syntax isn't actually all
> that important at this stage.  Since the "bind" syntax version and
> the limited accept version are functionally equivalent, I would far
> rather focus on getting a working prototype and then playing with
> the syntax.

Whether "bind" or "accept" is used, I think the "quibbling about
syntax" is actually a very important thing. Once past the prototype and
after the first release, the syntax cannot be changed. The existing
profiles using the limited syntax must work as is even after future
extensions.

My vision for the profiles is that they should be generated by the
application writers, and included in packages in signed
repositories. An installer installs the profile, and either refuses to
install or installs with some predefined default profile, if the profile
is missing.

The idea is that an application comes with a clear statement of what
resources it intends to use (AppArmor profile). The repository maintainer
or anyone looking at the package could view the profile and evaluate
whether it is reasonable for the application in question.

For this to work, the profiles really must be simple and clear for
application writers to generate and easy to visually verify. This is
why I don't think the "bind" keyword is such a bad idea (but "accept"
works too).  If an application writer is writing a server or otherwise
needs a socket bound to a specific port/address, "bind" is the function
to use.

The application writer, of course, can use the predefined abstractions
for the generic stuff, and add only requirements which are directly
relevant to the application code.

-- 
Markku Savela


