Support for static file labels
Bug #1444679 reported by Tyler Hicks
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Confirmed | Wishlist | Unassigned |
apparmor (Ubuntu) | Confirmed | Medium | Unassigned |
Bug Description
It would be nice to have the ability to place static labels on files and make rules conditional upon the existence of a given label.
A rule can grant permission conditionally based on the label= conditional.
E.g.

```
label=foo rw,      # a generic access rule for any rule type that maps rw permissions, so file, network, unix, ...
file label=bar r,  # only allow r access to files with label of bar
```

The label on an object can be set via an assignment rule.

```
file create label:=foo /dev/bar,
```
The labels are stored in the security xattr.
description: updated
Changed in apparmor (Ubuntu):
  status: New → Confirmed
  importance: Undecided → Medium
  tags: added: application-confinement
This feature is something we should think about to improve ubuntu-core hardware access for frameworks. In the 15.04 scheme, udev will add a tag to the devices that frameworks are allowed to access, then the launcher will query udev for matching tags and set up a cgroup for the framework service/binary to run under. This means that access controls are happening outside of the expressed policy in a separate component. This feature would allow us to clean this up by having udev add the framework's static label to the devices and we can have policy like 'file label=foo-framework /dev/** rw,' (or similar) and not require policy recompiles. This would obviate the need for a device cgroup, simplify the launcher and allow policy to be expressed in one place.
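To make the proposed semantics concrete, the following is an added toy evaluator written for this page; it is not AppArmor code and nothing in the bug report or the comment above describes an implementation. The grammar is inferred from the three rules in the description plus the `file label=foo-framework /dev/** rw,` rule from the comment, a plain dict stands in for the per-file security xattr that would carry the static label, and path matching is limited to exact paths and a trailing `/**` glob. Everything below (file paths, labels, the `LABELS` store) is constructed sample data.

```python
"""Toy model of label-conditional AppArmor rules as proposed in bug #1444679.

Added illustration only. The rule grammar is inferred from the examples on
the page, a dict stands in for the security xattr, and matching is simplified.
This is not AppArmor's parser or its kernel mediation logic.
"""
from dataclasses import dataclass, field
from typing import Optional

RULE_KINDS = {"file", "network", "unix"}  # rule types the report names


@dataclass
class Rule:
    kind: Optional[str] = None    # None: generic rule applying to every type
    label: Optional[str] = None   # object label required by "label=..."
    assign: Optional[str] = None  # label stamped by "label:=..." on create
    path: Optional[str] = None    # optional path (exact or trailing "/**")
    perms: set = field(default_factory=set)


def parse_rule(text: str) -> Rule:
    """Parse one rule such as 'file label=bar r, # comment'."""
    body = text.split("#", 1)[0].strip().rstrip(",").strip()
    rule = Rule()
    for tok in body.split():
        if tok in RULE_KINDS and rule.kind is None:
            rule.kind = tok
        elif tok.startswith("label:="):
            rule.assign = tok[len("label:="):]
        elif tok.startswith("label="):
            rule.label = tok[len("label="):]
        elif tok.startswith("/"):
            rule.path = tok
        elif tok == "create":
            rule.perms.add("create")
        else:
            rule.perms.update(tok)  # permission letters, e.g. "rw"
    return rule


def parse_policy(text: str) -> list:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def path_matches(pattern: Optional[str], path: str) -> bool:
    if pattern is None:
        return True  # rule has no path qualifier
    if pattern.endswith("/**"):
        return path.startswith(pattern[:-2])  # "/dev/**" -> prefix "/dev/"
    return pattern == path


def allowed(policy: list, labels: dict, path: str, want: str) -> bool:
    """True if some file (or generic) rule grants every permission in `want`.

    A rule carrying label=X only applies when the object's stored label is
    exactly X; an unlabelled object never satisfies a label= condition.
    """
    needed = set(want)
    obj_label = labels.get(path)
    for r in policy:
        if r.kind not in (None, "file") or r.assign is not None:
            continue  # skip non-file rules and assignment rules
        if r.label is not None and r.label != obj_label:
            continue
        if not path_matches(r.path, path):
            continue
        if needed <= r.perms:
            return True
    return False


def create(policy: list, labels: dict, path: str) -> Optional[str]:
    """Model 'file create label:=X path': allow creation and stamp label X.

    Returns the assigned label, or None when no create rule covers the path.
    """
    for r in policy:
        if r.kind == "file" and "create" in r.perms and path_matches(r.path, path):
            labels[path] = r.assign  # stand-in for writing the security xattr
            return r.assign
    return None


# The four rules quoted on the page, parsed as one hypothetical profile.
POLICY = parse_policy("""
label=foo rw,                     # generic: rw on any object labelled foo
file label=bar r,                 # only r on files labelled bar
file create label:=foo /dev/bar,  # creating /dev/bar stamps it with label foo
file label=foo-framework /dev/** rw,
""")

# Constructed stand-in for each object's security xattr (None = unlabelled).
LABELS = {"/dev/ttyUSB0": "foo-framework", "/etc/shadow": None, "/srv/data": "bar"}


def demo() -> dict:
    results = {
        "usb_rw": allowed(POLICY, LABELS, "/dev/ttyUSB0", "rw"),   # True
        "shadow_r": allowed(POLICY, LABELS, "/etc/shadow", "r"),   # False, unlabelled
        "bar_r": allowed(POLICY, LABELS, "/srv/data", "r"),        # True
        "bar_w": allowed(POLICY, LABELS, "/srv/data", "w"),        # False, only r
    }
    results["created_label"] = create(POLICY, LABELS, "/dev/bar")  # "foo"
    results["bar_after_create_rw"] = allowed(POLICY, LABELS, "/dev/bar", "rw")  # True via generic rule
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes visible is the one the comment is after: access to `/dev/ttyUSB0` is granted purely because the object carries the `foo-framework` label, so relabelling a device (here, a dict write standing in for udev setting the xattr) changes what the profile permits without recompiling policy, and an unlabelled object such as `/etc/shadow` matches no conditional rule at all.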