hat_name needs to be available in the same way as profile_name

Bug #1441524 reported by Thomas E. Horner
This bug affects 1 person
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

To use a unique hat for each domain with AppArmor, I want to use something like the following configuration:

# Last Modified: Tue Apr 7 20:13:22 2015
# Author: Thomas Horner

  ^mydomainname.com flags=(complain) {
    #include <abstractions/apache2-common>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/mysql>
    #include <abstractions/user-tmp>
    #include <abstractions/php5>

    /home/@{profile_name}/** r,
    /home/@{profile_name}/www/gallery/var/** rw,
    /var/log/apache2/logs/@{profile_name}.log w,
  }

This is, however, not possible, as the profile_name of course contains the full profile name and not only the hat name itself:
/usr/sbin/apache2//mydomainname.com

So it would be necessary to provide a @{hat_name} in the same way as @{profile_name}, which could be used instead.
hat_name would contain only mydomainname.com

# Last Modified: Tue Apr 7 20:13:22 2015
# Author: Thomas Horner

  ^mydomainname.com flags=(complain) {
    #include <abstractions/apache2-common>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/mysql>
    #include <abstractions/user-tmp>
    #include <abstractions/php5>

    /home/@{hat_name}/** r,
    /home/@{hat_name}/www/gallery/var/** rw,
    /var/log/apache2/logs/@{hat_name}.log w,
  }

Possibly even the first occurrence of mydomainname.com could be replaced by @{hat_name}:

# Last Modified: Tue Apr 7 20:13:22 2015
# Author: Thomas Horner

  ^@{hat_name} flags=(complain) {
    #include <abstractions/apache2-common>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/mysql>
    #include <abstractions/user-tmp>
    #include <abstractions/php5>

    /home/@{hat_name}/** r,
    /home/@{hat_name}/www/gallery/var/** rw,
    /var/log/apache2/logs/@{hat_name}.log w,
  }

By that it would be sufficient to create links for each domain, all pointing to the same one file for all domains, which would greatly simplify the isolation between domains when using mod_php.
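
Without a @{hat_name} variable, the per-domain hat can be produced at generation time instead. The script below is an added example, not part of the bug report or of AppArmor: it renders the reporter's hat once per domain from a single template and rejects names that would alter the path rules. The function names, the HAT_NAME_PLACEHOLDER marker and the script name render-hats.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example. HAT_NAME_PLACEHOLDER is a marker made up for this script;
# it is not AppArmor syntax and never reaches the rendered output.

# The hat from the report, with the marker where @{hat_name} was wanted.
hat_template() {
cat <<'EOF'
  ^HAT_NAME_PLACEHOLDER flags=(complain) {
    #include <abstractions/apache2-common>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/mysql>
    #include <abstractions/user-tmp>
    #include <abstractions/php5>

    /home/HAT_NAME_PLACEHOLDER/** r,
    /home/HAT_NAME_PLACEHOLDER/www/gallery/var/** rw,
    /var/log/apache2/logs/HAT_NAME_PLACEHOLDER.log w,
  }
EOF
}

# Hat part of a full name such as /usr/sbin/apache2//mydomainname.com.
hat_from_profile_name() {
  case "$1" in
    *//?*) printf '%s\n' "${1##*//}" ;;
    *) return 1 ;;
  esac
}

# Allow only hostname-like names. Glob characters (* ? [ ] { }), '/', ','
# or whitespace in a name would widen or break the path rules it lands in.
valid_hat_name() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|[.-]*|*..*) return 1 ;;
  esac
  return 0
}

# Print one hat for the given name; refuse names that fail validation.
render_hat() {
  valid_hat_name "$1" || { echo "rejected hat name: $1" >&2; return 1; }
  hat_template | sed "s/HAT_NAME_PLACEHOLDER/$1/g"
}

# Usage: sh render-hats.sh mydomainname.com otherdomain.example > hats
for name in "$@"; do
  render_hat "$name" || exit 1
done
```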

Christian Boltz (cboltz)
tags: added: aa-feature aa-kernel aa-parser