Please add fine-grained uid/gid qualifiers
Bug #1697090 reported by Jamie Strandboge
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Triaged | Undecided | Unassigned |
Bug Description
Filing this feature request as a bug so it can be tracked.
Currently we have the 'owner' qualifier. It would be nice if we had uid and gid checks for things like file rules. E.g.,
    owner foo @{PROC}/** r,
(I'm not suggesting syntax; iirc there is already a design for the new syntax.)
It would be really nice if we could tie this into dac_read_search and dac_override, since oftentimes applications have strict permissions on directories (e.g., 700) or files (e.g., 400) for privilege separation, but (sometimes mistakenly) rely on the fact that root can access these files.
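As an added illustration (not from the bug report, and using only syntax that exists today), here is a constructed profile for a hypothetical privilege-separated daemon, showing where the current 'owner' qualifier stops and the capability rules take over; the profile name and paths are made up.

```apparmor
# Constructed example, not part of the bug report. Profile name and
# paths are hypothetical.
#include <tunables/global>

profile privsep-daemon /usr/sbin/privsep-daemon {
  #include <abstractions/base>

  # 'owner' matches only when the accessing task's fsuid equals the
  # file's owner; it cannot express "only when running as uid 'daemon'".
  owner /var/lib/privsep-daemon/** rw,
  owner @{PROC}/** r,

  # The root-running parent reads worker state kept in a mode 700
  # directory owned by the unprivileged worker uid. Root is not the
  # owner, so the 'owner' rules above do not match; the access works
  # only because of the DAC override capabilities below, which is the
  # case the bug asks to tie to a uid/gid qualifier.
  /var/lib/privsep-daemon/worker/** r,
  capability dac_read_search,
  capability dac_override,
}
```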