On 08/16/2016 04:17 AM, John Johansen wrote:
> On 08/02/2016 04:32 PM, William Hua wrote:
>> Hello,
>>
>> If I may, I'd like to revive the old dconf confinement patches that we
>> started over a year ago, but were never merged.
>>
>> All necessary patches are attached, as well as an extra test profile and
>> program. I've refreshed them to work properly against kernel 4.6.4 and
>> current AppArmor trunk.
>>
> Hey William
>
> the kernel patch still looks good, and patches 1-3 have my ACK
>
> the issue lies with 04 the actual dconf patch. The code looks good however
> I said it before and I will say it again we can not be putting permission
> information into the query data.
>
> You have separated out the query data into
>   rpaths
>   rwpaths
>   arpaths
>   arwpaths
>
> this is replicating the permission information into the key value storage
> but we can not do this. The only thing that can go in here are the paths
> that need to be watched, with absolutely no permission information.
>
> This requirement is critical as we are dynamically composing profiles and
> something in the rwpaths may not be in the rwpath under another profile.
> The dynamic permission query has to be able to return the
> correct composed permissions.
>
> A watch on a path that ends up having no permissions will result in extra
> overhead but not the wrong permissions.
>
> The other issue is the paths themselves need to be able to support
> apparmor regexs, which in itself is easy to fix but plays back into the
> path issue above, because it is a second reason that the dconf paths
> can't be handled as separate lists based on permissions.
>
> Your queries would have to do the dynamic composition of the regexs to
> find the actual permissions between the lists.
>
> I need to grab a few hours of sleep, and then I will try finishing up my
> counter patch, that hopefully better demonstrates what I am looking for
>
Sorry this has been so long. I am going to reply to this with the full set that I currently have, since I can't recall if I tweaked any of the earlier patches.

I do have some follow-on patches that are in dev around local caching of perms and policy change events, which I realize will be critical to making this work well.

The other part is the extracting of the watch point data from the rules. I am still tinkering with it, so currently the broadest possible watch point is inserted. However, this should not be a problem from a dev standpoint as it just means more events to check perms against.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
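The composition problem John describes above (why per-permission path lists in the key/value store give wrong answers once profiles are stacked, and why the store may hold only permission-free watch points) as an added model, not dconf's, libapparmor's or the patch series' own code. It assumes a simplified AppArmor glob translation (`**`, `*`, `?`), models stacking as an intersection of each profile's permissions, and uses constructed dconf-style profiles.

```python
import re

# AppArmor-style glob -> anchored regex (simplified).  '**' matches anything
# including '/', '*' anything but '/', '?' one non-'/' character; rest literal.
def aa_glob_to_regex(glob):
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        c = glob[i]
        out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

# A profile is a list of (glob, perms) rules; a path's perms within one
# profile are the union of every matching rule.
def profile_perms(profile, path):
    return set().union(*(p for g, p in profile if aa_glob_to_regex(g).match(path)))

# Stacked profiles, modelled as an intersection (assumption): every profile
# in the stack must grant a permission for the composed result to grant it.
def composed_perms(stack, path):
    perms = profile_perms(stack[0], path)
    for profile in stack[1:]:
        perms &= profile_perms(profile, path)
    return perms

# What the key/value store may hold: the watch points only, as globs,
# with no permission information attached.
def watch_points(stack):
    return sorted({g for profile in stack for g, _ in profile})

# The rejected design: an rwpaths list precomputed from a single profile.
def static_rwpaths_allows_write(profile, path):
    rwpaths = [g for g, p in profile if "w" in p]
    return any(aa_glob_to_regex(g).match(path) for g in rwpaths)

# Constructed profiles for the demonstration (dconf-style key paths).
PROFILE_APP = [("/org/gnome/**", {"r", "w"}), ("/org/example/*/settings", {"r"})]
PROFILE_OUTER = [("/org/gnome/terminal/**", {"r", "w"}), ("/org/gnome/**", {"r"})]
STACK = [PROFILE_APP, PROFILE_OUTER]

if __name__ == "__main__":
    for path in ("/org/gnome/terminal/font", "/org/gnome/desktop/wallpaper"):
        print(path, "static rwpaths says write:",
              static_rwpaths_allows_write(PROFILE_APP, path),
              "composed query says:", sorted(composed_perms(STACK, path)))
    print("watch points:", watch_points(STACK))
```

For `/org/gnome/desktop/wallpaper` the precomputed rwpaths list of the app profile claims write access, while the composed query correctly yields read only; the watch point list carries no permissions and is unaffected by which profiles are stacked.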
