On 08/02/2016 04:32 PM, William Hua wrote: > Hello, > > If I may, I'd like to revive the old dconf confinement patches that we > started over a year ago, but were never merged. > > All necessary patches are attached, as well as an extra test profile and > program. I've refreshed them to work properly against kernel 4.6.4 and > current AppArmor trunk. > Hey William
the kernel patch still looks good, and pathes 1-3 have my ACK the issue lies with 04 the actual dconf patch. The code looks good however I said it before and I will say it again we can not be putting permission information into the query data. You have separated out the query data into rpaths rwpaths arpaths arwpaths this is replicating the permission information into the key value storage but we can not do this. The only thing that can go in here are the paths that need to be watched, with absolutely no permission information. This requirement is critical as we are dynamically composing profiles and something in the rwpaths may not be in the rwpath under another profile. The dynamic permission query has to be able to return the correct composed permissions. A watch on a path that ends up having no permissions will result in extra overhead but not the wrong permissions. The other issue is the paths themselves need to be able to support apparmor regexs, which in itself is easy to fix but plays back into the path issue above, because it is a second reason that the dconf paths can't be handled as separate lists based on permissions. Your queries would have to do the dynamic composition of the regexs to find the actual permissions between the lists. I need to grab a few hours of sleep, and then I will try finishing up my counter patch, that hopefully better demonstrates what I am looking for -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
