mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update DeprecateProfilePathName

John Johansen 2020-07-19 08:05:59 +00:00
parent 45492a44d3
commit 45dad3d0e6
1 changed files with 5 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
DeprecateProfilePathName.md

@ -28,11 +28,10 @@ There are several reasons that these types of profile names were deprecated.
- Path based profile names could contain character that some tools (audit, top, ps, ..) could not properly handle. At best this would result in names being encoded (eg. by the audit subsystem), but in other cases the name would be cut off, dropped, or even cause the application to crash.
- Path based profile names can be long, especially if they used alternations or stacking was in use. This made them less than ideal for introspection tools (top, ps, ...) that would cut off
- Path based profile names can be long, especially if they used alternations or stacking was in use. This made them less than ideal for introspection tools (top, ps, ...) that could cut them off. It also could make applications fail if their buffers were too small.
Not cross distro compatible
- The use of regular expressions in path based profile names forced escaping of characters to distinguish them from regular expression characters. This made referencing profiles by their names cumbersome and again could cause problems with introspection tools. Switching to a simple profile name and attachment removes this problem by moving the regex into the attachment which is not used by system introspection tools.
Profile rules that reference profile names
- Encoded regexes
- Regexs in the rules
- Each rule referencing the profile name would need to be updated when the profile name was updated to different location
- The use of path based profile names is not cross distro compatible, as applications may be stored in different locations on different distros. Updating a profile to a different location for a distro also required updating all profile's and rules that referenced the profile name, which could mean updating dozens of locations in policy. With splitting the location and attachment this means rules referencing the profile do not have to be updated, making porting policy between distros much easier.
- Simple profile names are easier for users to read, compare, and write.