Friday, 6 September 2013

Re: Dealing with AppArmor policy for hardware-specific access devices

On 13-09-06 02:22 PM, Jamie Strandboge wrote:
> In discussing this with others, I prefer '3' over the others. It requires
> slightly more work for the porter over '1' and '2', but it is loads better
> than what we have now (nothing) and AppArmor syntax for file access is
> straightforward and easily covered by documentation. '3' provides the
> greatest flexibility and is robust. '2' and '3' allow for us to create
> different categories for the devices too-- ie, for the sensor device or
> gps we have /etc/apparmor.d/abstractions/hardware/sensors.d/ and
> /etc/apparmor.d/abstractions/hardware/gps.d/ and the appropriate policy
> groups simply include these directories as needed. In considering '3', we
> can also move this outside of /etc completely, and instead ship the policy
> in /usr/share/apparmor/hardware/*.
>
> I'd like to move forward on '3' soon, are there any objections?

I like 3 better also, since it's simple. No races, no issues with possible
hot-plug devices, easier to test, easier to audit, etc.

+1 on #3.

Marc.


--
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel