On 12/12/2016 at 11:50, Guillaume Munch wrote:
> Thank you for investigating this approach. I have seen that according to
> <http://wiki.apparmor.net/index.php/FAQ#Is_AppArmor_policy_Default_Deny_.28White_listing.29>,
> AppArmor profiles are meant to be based on white lists instead of
> black lists. But I agree with you that writing a white list is going to
> be complicated, if only because converters are user-configurable and
> AppArmor profiles less user-friendly. This suggests the question, should
> the converters themselves not each have an AppArmor profile instead?

I prefer the white list approach too. I propose for now to have a
profile that whitelists only what is required for the converters we ship
with.

Does AppArmor allow extending a white list in a different file? Meaning,
can a user add a separate file to some apparmor.d/ directory to make a
particular converter work?

I presume that we have no way to have AppArmor profiles apply only to
converters marked as needauth, right?

JMarc