mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

apparmor(7): clarify the effect of reloading a profile.

Browse source 
LP: #1608075

Partly fixes: https://bugs.debian.org/826218

(cherry picked from commit 967d394ef4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
intrigeri 2018-01-29 11:27:13 +00:00 committed by John Johansen
parent 4a76852648
commit 54725ee516
1 changed files with 6 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
parser/apparmor.pod
View file

@ -70,9 +70,12 @@ with B<.> (except for the root B</>) so profiles are easier to manage
(e.g. the F</usr/sbin/nscd> profile would be named F<usr.sbin.nscd>). (e.g. the F</usr/sbin/nscd> profile would be named F<usr.sbin.nscd>).
Profiles are applied to a process at exec(3) time (as seen through the Profiles are applied to a process at exec(3) time (as seen through the
execve(2) system call); an already running process cannot be confined. execve(2) system call): once a profile is loaded for a program, that
However, once a profile is loaded for a program, that program will be program will be confined on the next exec(3). If a process is already
confined on the next exec(3). running under a profile, when one replaces that profile in the kernel,
the updated profile is applied immediately to that process.
On the other hand, a process that is already running unconfined cannot
be confined.
AppArmor supports the Linux kernel's securityfs filesystem, and makes AppArmor supports the Linux kernel's securityfs filesystem, and makes
available the list of the profiles currently loaded; to mount the available the list of the profiles currently loaded; to mount the