Update AppArmorDelegation

John Johansen 2018-09-18 09:13:13 +00:00
parent 6a17f055a8
commit 531d9753b7

@ -11,6 +11,22 @@ Related Documentation
todo todo
# Availability of Delegation
The following table identifies which version of AppArmor different types of delegation are available in.
| **Temporary Delegation** | Policy Directed | Application Directed |
|--------------|-----------------|----------------------|
| object based | ? | ? |
| rule based | ? | ? |
| **Permanent Delegation** | Policy Directed | Application Directed |
|--------------|-----------------|----------------------|
| object based | ? | ? |
| rule based | ? | ? |
Introduction Introduction
============ ============
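Review bot: the new "# Availability of Delegation" section is inserted above "Introduction" with an ATX "#" heading while the document marks its top-level headings with setext underlines ("Introduction" / "============") and its subsections with "##"; pick one convention, e.g. "## Availability of Delegation", so the heading level is consistent. Both added tables also carry nothing but "?" cells, and the preceding context line is still "todo todo", so this hunk publishes an empty section; either fill in the AppArmor versions or mark the section as unfinished (for example "TODO: fill in versions") so readers do not take the blank table as authoritative.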
@ -84,40 +100,33 @@ task and policy based
rule to delegate and control delegation rule to delegate and control delegation
It is important to understand that delegation is in AppArmor can be viewed in different ways. It is important to understand that delegation in AppArmor can be viewed in different ways.
object vs. rule ##object vs. rule
* object based - when an object (file handle, socket, ...) is delegated between tasks. * object based - when an object (file handle, socket, ...) is delegated between tasks.
* rule based - when rules are used to extend what a task can do * rule based - when rules are used to extend what a task can do
Policy directed vs. Application directed ##Policy directed vs. Application directed
* Policy directed (implicit) - the delegation is specified by rules in policy * Policy directed - the delegation is specified by rules in policy
* Application directed (explicit) - the application takes action to delegate some authority * Application directed - the application takes action to delegate some authority. The ability to do this is it self mediated by policy.
Temporary vs. Permanent ##Temporary vs. Permanent
* Temporary/Dynamic - temporary delegation only last the life time the task the delegation was made to. Object based delegation is always temporary, where rule based delegation may be temporary or permanent. * Temporary/Dynamic - temporary delegation only last the life time the task the delegation was made to. Object based delegation is always temporary, where rule based delegation may be temporary or permanent.
* Permanent - permanent delegation is always rule based and is a way of extending a profile permanently. Permanent delegation is the only form of delegation that is not strictly task based. * Permanent - permanent delegation is always rule based and is a way of extending a profile permanently. It requires a trusted user space helper to update the policy rules. Permanent delegation is the only form of delegation that is not strictly task based.
| ** ?????? ** | Temporary/Dynamic | Permanent |
|--------------|-----------------|----------------------|
| object based | always | - |
| rule based | supported | with trusted helper |
??? dynamic includes ??? dynamic includes
## Availability of Delegation
The following table identifies which version of AppArmor different types of delegation are available in. ## Inheritance
??? add inheritance to the table ???
Temporary
| **Temporary Delegation** | Policy Directed | Application Directed |
|--------------|-----------------|----------------------|
| object based | ? | ? |
| rule based | ? | ? |
| **Permanent Delegation** | Policy Directed | Application Directed |
|--------------|-----------------|----------------------|
| object based | ? | ? |
| rule based | ? | ? |
How Delegation is Expressed How Delegation is Expressed
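Review bot: the three new subsection headings are written without a space after the hashes ("##object vs. rule", "##Policy directed vs. Application directed", "##Temporary vs. Permanent"); CommonMark-style renderers require a space after "##" for an ATX heading, so these will show up as literal text rather than headings, and should read "## object vs. rule" and so on. In the same hunk the new summary table has the header cell "| ** ?????? ** |", where the spaces inside the asterisks keep it from rendering as bold and the question marks are a placeholder, so give it a real label such as "**Delegation type**"; the "Application directed" bullet has the typo "it self" (should be "itself"); and the relocated "## Inheritance" section currently contains only "??? add inheritance to the table ???", which should either be written up or flagged as a TODO before merging.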