[Apparmor-dev] AppArmor and interpreters, AppArmor and config namespaces?

Rob Meijer capibara at xs4all.nl
Mon Feb 11 15:42:35 MST 2008


I am currently working on a fuse based project (MinorFs), that should
implement some object cap like functionality for filesystem access using
password capabilities and private views. I would like MinorFs (to be able
to) work as closely as possible together with AppArmor.
I have two questions with respect to this:

1) In MinorFs, a fuse based tool run as an unprivileged user, I parse
   /proc/<$PID>/maps in order to determine what executable is running.
   For normal executables this works fine, and now after some tweaking
   the mono stuff also works ok. However for java, perl, shell etc.,
   I end up with the interpreter instead of the interpreted.
   Given that AppArmor solves this, is it possible to supply this
   information (mapping pids to the relevant executable, even
   if this is an interpreted executable like a perl script) to
   user space tools like MinorFs?

2) MinorFs will also need a simple profile for executables. This
   profile simply defines if the processes for a given executable
   path get private storage or not. It would be great if I could simply
   piggyback this information on the AppArmor profiles. Are there any
   constructs that would allow me to do so?

T.I.A.

Rob J Meijer
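The /proc/<pid>/maps approach from question 1 and its interpreter limitation, as an added example that is not code from MinorFs or AppArmor: the maps excerpt, the cmdline bytes and the interpreter name list are constructed assumptions, not live data.

```python
import os
import re

# Constructed /proc/<pid>/maps excerpt for a process started as `perl /home/rob/app.pl`.
MAPS_PERL = """\
00400000-00550000 r-xp 00000000 08:01 1234                       /usr/bin/perl
00750000-00751000 rw-p 00150000 08:01 1234                       /usr/bin/perl
7f1c00000000-7f1c00200000 r-xp 00000000 08:01 5678               /lib/x86_64-linux-gnu/libc.so.6
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0                  [stack]
"""
# Constructed /proc/<pid>/cmdline for the same process (NUL separated).
CMDLINE_PERL = b"perl\x00/home/rob/app.pl\x00"

# maps line: address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def executable_from_maps(maps_text):
    """First executable, file-backed mapping: the approach the post describes.
    For an interpreted program this is the interpreter binary, not the script."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and "x" in m.group(3) and m.group(4).startswith("/"):
            return m.group(4)
    return None

# Hypothetical list of interpreter names for the cross-check below (assumption).
INTERPRETERS = {"perl", "python", "python3", "sh", "bash", "java"}

def interpreted_program(cmdline_bytes, exe_path):
    """If exe_path is a known interpreter, return the first absolute-path argument
    from /proc/<pid>/cmdline as the likely script; otherwise None.
    Caveat: argv is rewritable by the process itself, so this is only a heuristic
    and must not drive an access-control decision; that is why the post asks for
    the mapping to come from AppArmor, which sees the real exec in the kernel."""
    if os.path.basename(exe_path) not in INTERPRETERS:
        return None
    for arg in cmdline_bytes.split(b"\x00")[1:]:
        if arg.startswith(b"/"):
            return arg.decode()
    return None

if __name__ == "__main__":
    exe = executable_from_maps(MAPS_PERL)
    print("maps says:", exe)                                   # /usr/bin/perl
    print("cmdline hint:", interpreted_program(CMDLINE_PERL, exe))  # /home/rob/app.pl
```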