[Apparmor-dev] RFC: local profiles

Steve Beattie steve at nxnw.org
Fri Mar 7 21:47:01 MST 2008


On Fri, Mar 07, 2008 at 04:32:35PM -0800, John Johansen wrote:
> Well I am going to reply to myself here and say that, the more I think
> about it the less I like not having a transition rule.  It just seems
> inconsistent.  So I am going to propose changing the syntax slightly,
> expanding on the syntax of the generalized transition model.
> 
>    ...
>    #local send mail profile
>    /usr/bin/sendmail x -> {
>       ...
>    }
> 
>    # in permission first format
>    x /usr/bin/sendmail -> {
>      ...
>    }
> 
> doing this makes the format a transition rule with the profile name
> coming from the transition rule itself.  I suppose it could go
> as far as supplying a different profile name if so desired.
> eg.
>    x /usr/bin/sendmail -> fooprofile {
>       ...
>    }
> 
> which might be useful to humans looking at attached profile names,
> but I expect its use would be rare in actual use

Personally, I don't much care whether they have a transition arrow
indicator, I just want the ability to have what I've referred to in the
past as anonymous inner profiles, to which your local profiles are very
similar. I suppose it's probably useful to have the transition indicator
to be consistent with other profile transitions, but it's not something
I feel adamant about.

It might be nice to support the naming of them, in case you have a weird
situation where you want to define the same local policy for multiple
programs (e.g. I don't care which of the various greps this program
decides to run, this is what I want to allow them to do). You could get
a similar effect via #includes, but it seems less ugly to me if you can
refer to them by name.

-- 
Steve Beattie
<steve at nxnw.org>
http://NxNW.org/~steve/
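The "several greps sharing one local policy" case from the reply above, as an added illustration that is not a profile from this thread: it is written in the `cx ->` plus inner `profile` child-profile syntax that AppArmor later shipped rather than the RFC's proposed `x ... -> { }` form, and the parent path, grep paths and permissions are constructed for the example.

```apparmor
# Added example (not from the thread): a parent profile whose child
# processes, whichever grep variant it execs, all run under one named
# local profile. Paths and permissions are constructed for illustration.
/usr/local/bin/logscan {
  #include <abstractions/base>

  /var/log/** r,

  # Each grep variant transitions to the same named child profile,
  # so the policy for "some grep" is written once instead of three times.
  /bin/grep  cx -> greps,
  /bin/egrep cx -> greps,
  /bin/fgrep cx -> greps,

  # The child profile is scoped to this parent; other top-level profiles
  # cannot transition to it, which is the "local" property discussed above.
  profile greps {
    #include <abstractions/base>

    # The executed binary itself needs read and mmap permission.
    /bin/grep  mr,
    /bin/egrep mr,
    /bin/fgrep mr,

    # The only data the child may touch; anything not listed is denied.
    /var/log/** r,
  }
}
```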