hat_name needs to be available in the same way as profile_name
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor | New | Undecided | Unassigned | | |
Bug Description
To use a unique hat for each domain with AppArmor, I want to use something like the following configuration:
# Last Modified: Tue Apr 7 20:13:22 2015
# Author: Thomas Horner
^mydomainname.com flags=(complain) {
#include <abstractions/
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
#include <abstractions/
#include <abstractions/php5>
/home/
/home/
/var/
}
This is, however, not possible, as the profile_name of course contains the full profile name and not only the hat name itself:
/usr/sbin/
So it would be necessary to provide a @{hat_name} in the same way as @{profile_name}, which could be used instead.
hat_name would contain only mydomainname.com:
# Last Modified: Tue Apr 7 20:13:22 2015
# Author: Thomas Horner
^mydomainname.com flags=(complain) {
#include <abstractions/
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
#include <abstractions/
#include <abstractions/php5>
/home/
/home/
/var/
}
Possibly even the first occurrence of mydomainname.com could be replaced by @{hat_name}:
# Last Modified: Tue Apr 7 20:13:22 2015
# Author: Thomas Horner
^@{hat_name} flags=(complain) {
#include <abstractions/
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
#include <abstractions/
#include <abstractions/php5>
/home/
/home/
/var/
}
By that it would be sufficient to create links for each domain, all pointing to the same one file for all domains, which would greatly simplify the isolation between domains when using mod_php.
tags: added: aa-feature aa-kernel aa-parser