[Apparmor-dev] RFC: local profiles
John Johansen
jjohansen at suse.de
Thu Feb 28 19:54:39 MST 2008
This is an idea I have been kicking around for a while for a new x
qualifier that I think would make profiling utility apps easier.

The idea is to have a local, or subprofile, set. The profiles in the set
are local to the parent profile (i.e. not globally visible) so that the
utility programs can have profiles that make sense for that profile,
instead of using ix for all utilities.

To do this we can leverage profile namespaces, and stick the local
profiles in a namespace. Then profile transitions from those profiles
will search the local profile namespace.

To hopefully clear things up, here is an example.

Mutt can call out to all kinds of utils and many of them you may not
want having their own global profile, or even may want them to behave
with a different set of restrictions in mutt.

So here is a partial mutt profile with some subprofiles:

#include <tunables/global>

/usr/bin/mutt {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>

  /etc/Muttrc r,
  /home/*/.muttrc r,
  /home/*/Mail w,
  /usr/bin/mutt mr,

  #local send mail profile
  /usr/bin/sendmail {
    ...
  }

  #local vim profile
  /usr/bin/vim {
    ...
    #named transition escaping to global profile namespace
    /bin/foo x -> default:,
  }
}

The syntax proposed above treats local profiles much like hats. The
advantage of using the local profile over ix is the mutt profile doesn't
become with extra permissions that are required by sendmail, vim, or
whatever other viewer, editor, or external script is used.

The above syntax also doesn't specify an x transition rule; it assumes
that since the local profile is present it is allowed and preferred over
the global one. It would be easy to add a transition rule using lx, sx,
^x or some other syntax if that is desired.

The namespace used for the subprofiles keeps these unique profiles from
polluting the global profile namespace. The name of the namespace could
be derived from the namespace/profile that the subprofiles are in or it
could be anonymous.

The advantage of using a namespace over just individual sub profiles is
that those sub profiles can do px transitions and they will search the
subprofile namespace instead of the global namespace.

It would still be possible for subprofiles to reference the global
namespace doing a named transition as shown as part of the vim profile.

So what do you think? Any suggestions or improvements? Is it worth the
extra cost in complexity? Is it useful for anyone's deployments?

thanks
john
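
A toy model of the lookup order proposed in the message above, added here as an illustration; it is not code from the message or from AppArmor. The sample policy, parse() and resolve() are constructed for this example, and the global fallback for a top-level profile assumes a px-style rule in the parent.

```python
import re

# Constructed sample in the proposed syntax (rule bodies trimmed).
POLICY = """
/usr/bin/mutt {
  /etc/Muttrc r,
  /usr/bin/sendmail {
  }
  /usr/bin/vim {
    /bin/foo x -> default:,
  }
}
/usr/bin/vim {
}
/bin/foo {
}
"""

OPEN = re.compile(r"^(/\S+)\s*\{$")                 # start of a profile block
NAMED = re.compile(r"^(/\S+)\s+x\s*->\s*(\w+):,$")  # named transition to a namespace

def parse(text):
    """Map each profile, keyed by its nesting path, to its named transitions."""
    profiles, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        if m := OPEN.match(line):
            stack.append(m.group(1))
            profiles[tuple(stack)] = {}
        elif line == "}":
            stack.pop()
        elif m := NAMED.match(line):
            profiles[tuple(stack)][m.group(1)] = m.group(2)
    return profiles

def resolve(profiles, current, target):
    """Profile that would confine `target` when exec'd under `current`, or None."""
    local = current[:1] + (target,)   # namespace owned by the top-level parent
    if profiles[current].get(target) == "default":
        key = (target,)               # named transition escapes to the global namespace
    elif local in profiles:
        return local                  # a local profile is preferred over a global one
    elif len(current) == 1:
        key = (target,)               # assumption: the parent falls back to global
    else:
        return None                   # subprofiles search only the local namespace
    return key if key in profiles else None
```

With this policy, vim started from mutt gets the mutt-local vim profile rather than the global one, and the mutt-local sendmail profile is not reachable from the global vim profile.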