Update Unconfined, the unconfined flag and default allow

2025-03-04 08:24:42 +01:00 · 2024-07-25 07:10:22 +00:00 · 2024-07-25 07:10:22 +00:00 · e0b0df4263
commit e0b0df4263
parent 59c7f2c454
1 changed files with 37 additions and 1 deletions
--- a/Unconfined,-the-unconfined-flag-and-default-allow.md
+++ b/Unconfined,-the-unconfined-flag-and-default-allow.md
@ -1 +1,37 @@
-foo
+# Introduction
+
+The relationship between the unconfined profile, the unconfined flag, and the default-allow flag is can be confusing, and requires some knowledge of how AppArmor mediation works and why.
+
+# short circuiting mediation
+
+AppArmor does short circuiting of mediation when ever it can to reduce the performance impact mediation can have. Ideally when AppArmor is not enforcing policy it would have no overhead, allowing it to be enabled on systems and made available for the cases where mediation is desired.
+
+Unfortunately it is not possible to have zero overhead but AppArmor strives to reduce overhead where ever possible. Where possible, it does this by doing quick low overhead checks about mediation before entering into code that can have a performance impact. If mediation is not required the only overhead is the early check.
+
+## unconfined check
+
+## mediated check
+
+
+# mediation classes and compatibility
+
+
+
+
+# flags=(unconfined)
+
+unconfined status
+
+# flags=(default_allow)
+
+
+
+
+# unconfined profile
+
+The unconfined profile is the default profile for every policy namespace. It has the unconfined flag set and a special predefined state machine that does not generally do mediation.
+
+reserved "unconfined" name
+
+no status
+