[Apparmor-dev] Towards AppArmor 3.0

John Johansen jjohansen at suse.de
Fri Dec 5 18:27:48 MST 2008


Rob Meijer wrote:
> On Fri, December 5, 2008 07:42, John Johansen wrote:
>> If you have
>> an idea or feature you would like to see, please don't hesitate to join
>> into the discussion, or email me privately.
>>
>>
>> john
> 
> Hi John,
> 
> I have a few features that would be very interesting with respect to
> using AppArmor as the base for using MinorFs.
> 
> 
> 1) Reading of symbolic links governed by explicit profile rules.
Yes, the exact details are yet to be resolved, but this will happen.

> 2) A way to express /proc/$SELFPID in a profile.
Yep, again. The plan is to have a few special variables that get
expanded in the kernel.
@{PID} was what I was going to propose for this, as this follows
AppArmor's current syntax, but that is open for debate.

> 3) A facility for use by a user space process (such as minorviewfs) that
>    can be used to map a process-id to a unforgeable call-chain-id.
I am unsure of what you mean by unforgeable call-chain-id here.
Do you mean
- an interface to set/get a special call-chain-id on a process, or
  AppArmor setting a special call-chain-id and just an interface to
  retrieve it?

- If AppArmor is setting the call-chain-id, is it based off of the parent
  child relationship of processes, or should it be based on the parent
  child relationship of profiles, or even a special id based off of both?
