On 3/8/25 05:03, engelflor...@posteo.de wrote:
> Hi,
> What is the priority if two profiles match? E.g. /usr/bin/cat matches
> profiles /usr/bin/c* and /usr/bin/ca*. What profile is it using?
It is approximately: longest left non-glob match wins. It has changed some
over the years, from just being a length hint of how long the left match
is before hitting globbing, to the kernel actually keeping a small buffer
to provide a more refined match.
So, for example, in order of match priority:
/usr/bin/example
/usr/bin/*
/usr/bin/**
If we are talking exact match (e.g. /usr/bin/example) then the first
exact match wins (the match is short-circuited), so load order would
matter.
However, if there isn't an exact match, a complete search is done
for the best match. If there are two or more with the same best
left match length then there will be a conflict and the exec will
fail.
> I use NixOS and have generated profiles for all programs which are
> installed by my configuration. I then want to add a default profile
> which is only used if no other profile matches.
> I don't think I can do that with profile inheritance, because if I switch
> from the default profile it always switches to the systemd profile. If I
> add inheritance to the systemd profile it selects the default profile
> and not the more specific ones.
ix, or inheritance fallback, really only works for this if you are using
stacking, because ix defaults to the current confinement, not a default.
ix is a transition whose primary use is role-based profiles.
The stacking I mentioned is probably not what you want either, as having
multiple profiles on an application can get messy.
> I tried it with a config like this
> ```
> # so /nix/store/ ... has priority over default /**
> profile /nix/store/***-systemd/** flags=(attach_disconnected) {
>   # allow everything
>   capability,
>   network,
>   mount,
>   remount,
>   umount,
>   pivot_root,
>   ptrace,
>   signal,
>   dbus,
>   unix,
>   file,
> }
> ...
> profile default /** flags=(attach_disconnected) {
>   capability,
>   network,
>   mount,
>   remount,
>   umount,
>   pivot_root,
>   ptrace,
>   signal,
>   dbus,
>   unix,
>   file,
>   # Deny some sensitive files
>   deny /home/florian/.ssh/{,**} mrwlk,
> }
> ```
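A small model of the selection rules described in the reply above, covering both the explanation of attachment matching (an exact attachment short-circuits in load order; otherwise the longest left non-glob match wins and an exact tie is a conflict) and the layout in the quoted NixOS config (a /nix/store/ attachment beating a catch-all /**). This is an added example and not AppArmor's kernel or parser code: it ranks candidates purely by the length of the literal prefix before the first glob character and does not reproduce the kernel's refined left-match buffering, so it can report a conflict in cases where a real kernel picks a winner. The attachment patterns and exec paths are constructed; /nix/store/*-systemd/** is assumed as a cleaned-up form of the poster's pattern.

```python
"""Simplified model of AppArmor profile attachment selection.

Added example, not AppArmor's own code. It models only the
"longest left non-glob match wins" rule from the thread:
exact attachments short-circuit in load order, otherwise every
matching glob competes on the length of its literal prefix, and
an exact tie is a conflict (the exec fails).
"""
import re

GLOB_CHARS = set("*?[{")


class ProfileConflict(Exception):
    """Two or more profiles tie on the best left match."""


def literal_prefix_len(attachment: str) -> int:
    """Number of characters before the first globbing character."""
    for i, ch in enumerate(attachment):
        if ch in GLOB_CHARS:
            return i
    return len(attachment)


def _glob_body(pattern: str) -> str:
    """Translate an AppArmor path glob into a regex body.

    Supports *, **, ?, [..] and non-nested {a,b} alternation, which is
    enough for the patterns in this thread (a simplification, not the
    parser's full grammar).
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            if pattern.startswith("**", i):
                out.append(".*")          # ** may cross '/'
                i += 2
                continue
            out.append("[^/]*")           # * stays inside one component
        elif ch == "?":
            out.append("[^/]")
        elif ch == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])  # character class passes through
            i = j
        elif ch == "{":
            j = pattern.index("}", i)     # nesting not supported
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(_glob_body(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def glob_matches(attachment: str, path: str) -> bool:
    """True if the attachment pattern matches the whole path."""
    return re.fullmatch(_glob_body(attachment), path) is not None


def select_profile(attachments, exec_path):
    """Pick the attachment that confines exec_path.

    attachments: attachment patterns in load order.
    Returns the winning pattern, None if nothing matches (the task
    stays unconfined), or raises ProfileConflict on a tie.
    """
    # Step 1: an exact (non-glob) attachment short-circuits, so the first
    # one in load order wins without considering the rest.
    for a in attachments:
        if literal_prefix_len(a) == len(a) and a == exec_path:
            return a

    # Step 2: full search over every glob that matches; the longest
    # literal prefix wins and an exact tie is a conflict.
    best, best_len = [], -1
    for a in attachments:
        if not glob_matches(a, exec_path):
            continue
        n = literal_prefix_len(a)
        if n > best_len:
            best, best_len = [a], n
        elif n == best_len:
            best.append(a)

    if not best:
        return None
    if len(best) > 1:
        raise ProfileConflict(f"{exec_path}: conflicting attachments {best}")
    return best[0]


def conflicts(attachments, exec_path) -> bool:
    """Convenience wrapper: does selection fail with a conflict?"""
    try:
        select_profile(attachments, exec_path)
    except ProfileConflict:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's examples (assumed patterns).
    nix = ["/nix/store/*-systemd/**", "/**"]
    for profiles, path in [
        (["/usr/bin/c*", "/usr/bin/ca*"], "/usr/bin/cat"),
        (["/usr/bin/**", "/usr/bin/example"], "/usr/bin/example"),
        (nix, "/nix/store/abc123-systemd/lib/systemd/systemd"),
        (nix, "/home/florian/bin/tool"),
        (["/usr/bin/c*", "/usr/bin/c**"], "/usr/bin/cat"),
    ]:
        try:
            print(path, "->", select_profile(profiles, path))
        except ProfileConflict as e:
            print("exec fails:", e)
```

The load-order dependence only shows up in step 1: swapping the order of two globs never changes the result in step 2, but swapping two identical exact attachments does. For the NixOS layout, the store attachment wins simply because its literal prefix "/nix/store/" is eleven characters against one for "/**", which is why a catch-all default can sit alongside the generated profiles without a tie.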