The AppArmor debate begins
Posted Apr 27, 2006 15:16 UTC (Thu) by vmole
In reply to: The AppArmor debate begins
Parent article: The AppArmor debate begins
Lots of applications need temporary files with unpredictable names. For these, your AppArmor profile will have something like "/tmp/*" allowed. Or consider a mail reader that might allow access to "/var/mail/**" (the AA designation for all subdirs of "/var/mail", IIRC). Or consider one that was pointed out on the LKML: the bind9 profile was "/**", i.e. everything, under the assumption that it would be running chroot("/var/named"), but there's no way for AA to enforce that expectation.
Another thing to realize is that a lot of the objections are to AA using paths in the kernel. This leads to AA trying to convert dentry values to paths, which is both expensive and unreliable.
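The glob rules the comment describes, as an added example (not part of the original comment or of AppArmor itself): a small Python checker that applies AppArmor's file-glob semantics (`*` and `?` stop at `/`, `**` spans directories) to constructed sample rules, and flags rules whose literal prefix lies outside the directory a profile author assumed the process would be chrooted into. The `SAMPLE_RULES`, `intended_root` and function names are constructed for this example.

```python
import re

# Constructed sample rules in AppArmor file-rule syntax, not a shipped profile.
SAMPLE_RULES = {
    "/tmp/*": "rw",          # temp files with unpredictable names
    "/var/mail/**": "r",     # mail reader: everything under /var/mail
    "/**": "r",              # the bind9 case: everything on the host
}

def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an AppArmor file glob: '**' may span '/', '*' and '?' may not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out))

def rule_matches(pattern: str, path: str) -> bool:
    """True if the AppArmor rule pattern grants access to the given host path."""
    return glob_to_regex(pattern).fullmatch(path) is not None

def literal_prefix(pattern: str) -> str:
    """The fixed part of a rule before its first glob metacharacter."""
    m = re.search(r"[*?]", pattern)
    return pattern if m is None else pattern[: m.start()]

def escapes_confinement(pattern: str, intended_root: str) -> bool:
    """True if the rule can match paths outside intended_root.
    AppArmor evaluates the real (host) path, so a rule written on the
    assumption that the process is chrooted into intended_root is not
    narrowed by that chroot; only the rule's own prefix constrains it."""
    root = intended_root.rstrip("/") + "/"
    prefix = literal_prefix(pattern)
    return not (prefix.startswith(root) or prefix == root.rstrip("/"))

def audit(rules: dict, intended_root: str) -> list:
    """Return the rules that reach outside the assumed confinement directory."""
    return [p for p in rules if escapes_confinement(p, intended_root)]

if __name__ == "__main__":
    for p in audit(SAMPLE_RULES, "/var/named"):
        print(f"rule {p!r} is not confined to /var/named")
```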