[pkg-apparmor] Bug#771978: Patch: apparmor profile for ps

intrigeri intrigeri at debian.org
Fri Dec 12 12:53:53 UTC 2014


Hi,

parspes wrote (06 Dec 2014 21:38:36 GMT) :
>  An unexpected new compiler directive could cause a problem, I agree. I
> would prefer @{pid} to be capitalized and it is a little troublesome
> where an * would suffice IMHO :)

"*" would work, but it would also grant access to various files that
the application doesn't need. So it's good to have an easy, and
maintainable, way to limit access to only the per-pid subdirectories.

>  Okay, since Wheezy and Jessie conflict on the includes & tunables,
> then we need to either

>      1) leave those out if there are conflicts
>      2) create separate versioned profiles
>      3) create profiles for Jessie only

> Which is the option I should pursue?

In this case, I would focus on testing/sid, and leave it to
backporters to deal with the discrepancies: procps hasn't been
uploaded to wheezy-backports since Wheezy was released, so I would be
surprised if someone did it now *and* someone (else) installed the
backport on a Wheezy system with AppArmor enabled.

>  You suggest that we just add a blanket whitelist with code such as
> @{PROC}** r perhaps?

I've suggested "@{PROC}/@{pid}/** r," in another sub-thread.

Cheers,
--
intrigeri
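The rule shape suggested in the reply above, shown in context. This is an added example and not the profile attached to the bug report: a minimal skeleton for /bin/ps with the blanket rule the reply argues against placed beside the per-pid rule it recommends. It assumes the testing/sid tunables of the time (AppArmor 2.9, where tunables/global pulls in kernelvars and so defines @{pid}), which is exactly the Wheezy/Jessie discrepancy the thread discusses; the short list of whole-system /proc files is an assumption to be confirmed with aa-logprof, not something taken from the thread.

```apparmor
# Added example (not the profile from the bug report): skeleton for /bin/ps.
# Assumes testing/sid tunables, where <tunables/global> includes kernelvars
# and therefore defines @{pid}; Wheezy's AppArmor 2.7 has no such variable.
#include <tunables/global>

/bin/ps {
  #include <abstractions/base>

  /bin/ps mr,

  # Rejected in the thread: a blanket rule. @{PROC} expands to /proc/, so
  # this would also grant reads on /proc/sys/**, /proc/kallsyms, /proc/kcore
  # and everything else under /proc that ps never needs.
  # @{PROC}** r,

  # Suggested instead: only the per-process directories. Accesses through
  # /proc/self/ are logged by AppArmor under the resolved pid, so they are
  # covered by this rule as well.
  @{PROC}/@{pid}/** r,

  # Whole-system files ps reads outside any pid directory. Assumed from a
  # trial run in complain mode; verify and extend with aa-logprof.
  @{PROC}/ r,
  @{PROC}/uptime r,
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/sys/kernel/pid_max r,
}
```

To check the assumed file list, install the profile under /etc/apparmor.d/, put it in complain mode with aa-complain, run ps in the ways the package supports (ps aux, ps -ef, ps -o ... for a single pid) and then run aa-logprof: any ALLOWED entries it reports for paths not matched above are rules the real profile still needs, and anything it reports under @{PROC}/@{pid}/ confirms that the per-pid rule, rather than the blanket one, is sufficient for that access.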


