[Apparmor-dev] mediating file locking

Crispin Cowan crispin at novell.com
Tue May 8 15:16:54 MDT 2007


Forwarding JJ's private mail:
> Currently apparmor does not mediate file locking.  It isn't a critical
> problem but we should consider whether we want to and what the semantics
> should be.
>
> File locking can only be done on a file that has been opened, so an
> application can only lock the files it has access to.  What we
> need to decide is if file locking should be limited to a
> subset of the current permission set and, if so, whether we should
> distinguish between shared (read) locks and exclusive (potential
> writer) locks.  I don't think we need to distinguish between advisory
> and mandatory locking.
>
> So we could:
> - not mediate locking (current situation)
> - map shared locks to read perm and exclusive locks to write perm
>   - potentially widens access rights to a program that takes an exclusive
>     lock but only reads.
> - mediate locking with an extra permission or keyword
> - mediate the locking right with an extra perm/keyword and map lock type to
>   r & w perms
> - mediate different lock types, each with their own permission or keyword
>   
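
The "widens access rights" point above is easy to see on a live system. The following is an added example, not code from JJ's mail or from the AppArmor project: it probes which lock types the kernel already grants for a given open mode. It assumes Linux semantics (fcntl(2) record locks and flock(2)) and uses a constructed scratch path, /tmp/apparmor_lock_demo.tmp, that is not mentioned in the mail. The fcntl() path ties the lock type to the open mode (a write lock on a read-only descriptor fails with EBADF), whereas flock() grants LOCK_EX on a read-only descriptor, which is exactly the case where mapping "exclusive lock" to "w" would force a read-only program to carry write permission in its profile.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Constructed scratch file used only by this demo (assumption: /tmp is writable). */
#define DEMO_PATH "/tmp/apparmor_lock_demo.tmp"

/* Create (or truncate) the scratch file. Returns 0 on success, else errno. */
int scratch_create(const char *path)
{
    int fd = open(path, O_CREAT | O_RDWR | O_TRUNC, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Open `path` with `open_flags`, then request a POSIX record lock of
 * `lock_type` (F_RDLCK or F_WRLCK) over the whole file with F_SETLK.
 * Returns 0 if the lock was granted, otherwise the errno reported.
 * The descriptor is closed before returning, which also drops the lock. */
int fcntl_lock_errno(const char *path, int open_flags, short lock_type)
{
    int fd = open(path, open_flags);
    if (fd < 0)
        return errno;
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = lock_type;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;               /* 0 = lock to end of file */
    int err = (fcntl(fd, F_SETLK, &fl) < 0) ? errno : 0;
    close(fd);
    return err;
}

/* Same probe for BSD-style flock(): `op` is LOCK_SH or LOCK_EX.
 * flock() does not look at the open mode, so LOCK_EX on an O_RDONLY
 * descriptor is granted. */
int flock_errno(const char *path, int open_flags, int op)
{
    int fd = open(path, open_flags);
    if (fd < 0)
        return errno;
    int err = (flock(fd, op | LOCK_NB) < 0) ? errno : 0;
    close(fd);
    return err;
}

static const char *describe(int err)
{
    return err == 0 ? "granted" : strerror(err);
}

int main(void)
{
    if (scratch_create(DEMO_PATH) != 0) {
        perror("scratch_create");
        return 1;
    }
    printf("fcntl F_RDLCK on O_RDONLY fd: %s\n",
           describe(fcntl_lock_errno(DEMO_PATH, O_RDONLY, F_RDLCK)));
    printf("fcntl F_WRLCK on O_RDONLY fd: %s\n",
           describe(fcntl_lock_errno(DEMO_PATH, O_RDONLY, F_WRLCK)));
    printf("fcntl F_RDLCK on O_WRONLY fd: %s\n",
           describe(fcntl_lock_errno(DEMO_PATH, O_WRONLY, F_RDLCK)));
    printf("fcntl F_WRLCK on O_RDWR   fd: %s\n",
           describe(fcntl_lock_errno(DEMO_PATH, O_RDWR, F_WRLCK)));
    printf("flock LOCK_EX on O_RDONLY fd: %s\n",
           describe(flock_errno(DEMO_PATH, O_RDONLY, LOCK_EX)));
    unlink(DEMO_PATH);
    return 0;
}
```

On Linux the two fcntl() probes on a mismatched open mode report "Bad file descriptor" while the flock() LOCK_EX probe on a read-only descriptor is granted, so any policy that derives a lock permission from lock type alone has to decide what to do with flock() callers that never write.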