[Apparmor-dev] AppArmor Development
John Johansen
jjohansen at suse.de
Mon Nov 3 20:14:56 MST 2008
Jacob I. Torrey wrote:
> John,
> It's good to hear that there is still progress being made. I guess I
> can start on the user-land side of things, as I'm more comfortable
> there, and hopefully move further down as I get more comfortable. I also
> have heard the desire from a few users to make a directory context, so
> that AppArmor can restrict untrusted users' self-compiled apps. For
> example, if I have a server, and I give Jim access, who decides to go on
> a rampage against my system, I would be able to define a default,
> restrictive profile for /home/** or /tmp/**. Not sure if that's an
> interesting idea or not, but it might be a nice feature.
> I look forward to reading more about how AppArmor is going to evolve!
>
By directory context you mean allow specifying profile attachment based
off of a regex, correct? So that if your profile name is /home/** it
will attach to any unconfined applications launched from within the
/home/** directory.

This is an idea that has been bantered around for as long as I can
remember and has just never been implemented. Basically it provides a
way of specifying default profiles, and taken to its logical conclusion
you would apply the most specific profile. So you could have a profile
list like

  /usr/bin/foo   # specific profile match first.
  /usr/bin/**    # fall back profile for executables
  /**            # default profile

The idea certainly has its uses and it could be one of the features that
go into AA 2.4/3.0.
In general it hasn't been done yet because there have been more pressing
issues to deal with. AA2.3 made some steps towards providing for more
generic profiles and this is the next logical step.
cheers
john
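
The following is an added illustration, not part of the original message and not AppArmor's own code: a sketch of "apply the most specific profile" over glob-style profile names like the list above. The ranking rule (longest literal prefix before the first wildcard, exact names winning ties) and all function names are assumptions; the message only says "most specific".

```python
import posixpath
import re

def glob_to_regex(pattern):
    """Translate a simplified AppArmor-style path glob into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")       # ** crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # * stays inside one path component
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")     # ? is one character, never '/'
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def specificity(pattern):
    """Assumed ranking: literal prefix length, then whether the name is exact."""
    wildcard = re.search(r"[*?]", pattern)
    prefix_len = len(pattern) if wildcard is None else wildcard.start()
    return (prefix_len, wildcard is None)

def select_profile(exec_path, profile_names):
    """Return the most specific matching profile name, or None (unconfined)."""
    # Match on the normalized path so '..' segments cannot pick the profile.
    path = posixpath.normpath(exec_path)
    matches = [p for p in profile_names if glob_to_regex(p).match(path)]
    return max(matches, key=specificity, default=None)

# Constructed sample: the list from the message plus the /home and /tmp defaults.
PROFILES = ["/**", "/usr/bin/**", "/usr/bin/foo", "/home/**", "/tmp/**"]

if __name__ == "__main__":
    for exe in ["/usr/bin/foo", "/usr/bin/bar", "/home/jim/a.out",
                "/home/jim/../../usr/bin/foo", "/sbin/init"]:
        print(f"{exe:32} -> {select_profile(exe, PROFILES)}")
```

Without the /** entry, anything outside the listed directories falls through to None, i.e. stays unconfined, which is why the catch-all default matters for the untrusted-user case raised in the quoted message.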