Update AppArmorDelegation

John Johansen 2019-09-19 10:22:59 +00:00
parent 1c17397cea
commit b6f8f79089

@ -168,7 +168,7 @@ profile two {
```
### Delegation task labels
### Task labels under delegation
In AppArmor delegation is exposed to the label by appending the
Delegate information to the profile name (label) with character
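Review bot: renaming the "### Delegation task labels" heading will break any link from another page that points at this section by its old heading, so check for such links before merging. In the sentence under the heading, a comma after "In AppArmor" and a lower-case "delegate" would make it easier to read.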
@ -294,6 +294,10 @@ Does the whole delegation get dropped or do we do intersections.
### Delegation of exec rules
- if delegated rule set has a matching exec rule it causes the profile to transition (the delegator allowed this), it does not replace the delegator though.
- if the delegated rule set does not have a matching exec rule. The delegator is checked to see if the rule set can be delegated to the new target. What is the new target? when the label existing of multiple profiles.
- if no delegation allowed the rule set dropped.
exec rule will cause delegated blob to transition. It says this is inheritable to X
don't put exec rules in delegated rule sets unless you want this
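Review bot: the second bullet under "Delegation of exec rules" leaves a design question inline ("What is the new target? when the label existing of multiple profiles."), so a reader cannot tell what the delegator is checked against when the label has several profiles. Either state the rule or mark it clearly as an open question; "existing" probably should be "consisting". The third bullet is missing its verbs (suggest "if no delegation is allowed, the rule set is dropped"). The last two lines sit outside the list and use "inheritable to X" without saying what X is; since they carry the caution about exec rules causing the delegated rule set to transition, make them a bullet or a marked note so the warning is not lost.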