Re: [PATCH 00/59] LSM: Module stacking for AppArmor

On 4/10/2019 5:52 AM, Stephen Smalley wrote:
> On Tue, Apr 9, 2019 at 5:40 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>> This patchset provides the changes required for
>> the AppArmor security module to stack safely with
>> "exclusive" security modules, those being SELinux and
>> Smack.
> What's the use case?  Who would use such support?


A device uses a Smack three domain policy for system
protection. It uses AppArmor policy to maintain application
isolation.
	-------------------------------------------------------------------
	| Smack floor domain                                              |
	-------------------------------------------------------------------
	| Smack System domain                                             |
	-------------------------------------------------------------------
	| Smack User domain                                               |
	| ----------  ----------  ---------- ----------  ----------       |
	| |AppArmor|  |AppArmor|  |AppArmor| |AppArmor|  |AppArmor|       |
	| | Fred   |  | Wilma  |  |Barney  | | Betty  |  | Dino   |       |
	| ----------  ----------  ---------- ----------  ----------       |
	-------------------------------------------------------------------

Each of the security modules is used in the way it was designed. Neither
has to be stretched beyond its original goals. Yes, you can implement the
system using either Smack or AppArmor (or maybe even SELinux) but by using
each for what it is best at you make it much easier.


