search

roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0
453 stars 43 forks source link

New feature: re-attached path #559

Open roddhjav opened 1 week ago

roddhjav commented 1 week ago

For more context, see https://apparmor.pujol.io/development/internal/#re-attached-path

AppAmor 4.0 provides the attach_disconnect.path flag allowing to reattach this path to a prefix that is not /. When used it provides an important security improvement from AppArmor 3.0.

The plan is to uses attach_disconnect.path by default and automatically on all profiles with the attach_disconnect flag. The attached path is set to a @{att}, a new dynamically generated variable set at build time in the preamble of all profile to be:

Internal

Tasks

curiosityseeker commented 3 days ago

The plan is to uses attach_disconnect.path by default and automatically on all profiles with the attach_disconnect flag. The attached path is set to a @{att}, a new dynamically generated variable set at build time in the preamble of all profile to be:

* `@{att}=/att/<profile_name>` for profile with `attach_disconnect` flag.

* `@{att}=/` for other profiles

This is what I don't understand. @{att}=/att/<profile_name> is for profiles with the attach_disconnect flag - okay. But @{att}=/ for other profiles, i.e. without the attach_disconnect flag? Why should this be needed for such profiles at all? That sounds to me like a oxymoron :)

roddhjav commented 2 days ago

As @{att} can be used in abstraction, profile without the attach_disconnect flag need to have the variable defined. It is mostly a safety measure to ensure the profiles compile.

curiosityseeker commented 1 day ago

Ah, understood! Thanks!

beroal commented 18 hours ago

As @{att} can be used in abstraction, profile without the attach_disconnect flag need to have the variable defined. It is mostly a safety measure to ensure the profiles compile.

Why not @{att}=/giekxhayfnjdhaeb?