
support matching xattr keys but not values

Eric Chiang requested to merge ericchiang/apparmor:parser-xattrs-keys into master

This requires apparmor-kernel!4

Support profiles that choose to match the presence of an extended attribute without validating its value. This lets AppArmor target xattrs with binary data, such as security.ima and security.evm values. For example, it's now possible to write a profile such as:

profile signed_binaries /** xattrs=(security.ima) {
	# ...
}

Both presence and value matches can be used in the same profile. To match a signed xattr, target both the xattr and the security.ima value:

profile python_script /** xattrs=(
	security.evm
	security.apparmor="python"
) {
	# ...
}

Signed-off-by: Eric Chiang ericchiang@google.com
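As an added illustration of the presence-only versus value matching described in this merge request (not code from the AppArmor parser or this change): a small Python evaluator that reads the `xattrs=( ... )` clause from a profile header and checks it against a file's xattr set. Exact byte comparison of values and the sample xattr contents are assumptions made here for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical helper, not the AppArmor parser's code: pulls the
# `xattrs=( ... )` clause out of a profile header and returns
# (key, expected_value) pairs. A bare key means "must be present,
# value not checked"; key="value" means the value must match too.
_ITEM = re.compile(r'([\w.]+)(?:="([^"]*)")?')

def parse_xattrs(profile_header: str) -> List[Tuple[str, Optional[str]]]:
    m = re.search(r'xattrs=\((.*?)\)', profile_header, re.S)
    if m is None:
        raise ValueError("no xattrs=( ... ) clause in profile header")
    return [(i.group(1), i.group(2)) for i in _ITEM.finditer(m.group(1))]

def xattrs_match(spec: List[Tuple[str, Optional[str]]],
                 file_xattrs: Dict[str, bytes]) -> bool:
    """True when every listed xattr is present and, where a value was
    given, equals it. Exact byte comparison is an assumption made for
    this illustration; the real matching happens on the kernel side."""
    for key, expected in spec:
        if key not in file_xattrs:
            return False
        if expected is not None and file_xattrs[key] != expected.encode():
            return False
    return True

# Constructed sample xattr sets (not real signatures): an IMA/EVM-signed
# binary carries opaque binary blobs that no string value could spell out.
SIGNED_BINARY = {
    "security.ima": b"\x03\x02\x04\x10\x00\x08\xde\xad\xbe\xef",
    "security.evm": b"\x05\x02\xca\xfe\x00\x01",
}
SIGNED_PYTHON = dict(SIGNED_BINARY, **{"security.apparmor": b"python"})
UNSIGNED_PYTHON = {"security.apparmor": b"python"}

SIGNED_BINARIES_HDR = "profile signed_binaries /** xattrs=(security.ima) {"
PYTHON_SCRIPT_HDR = ('profile python_script /** xattrs=(\n\tsecurity.evm\n'
                     '\tsecurity.apparmor="python"\n) {')

def check_all() -> Dict[str, bool]:
    """Evaluate both headers from the merge request against the samples."""
    sb = parse_xattrs(SIGNED_BINARIES_HDR)
    ps = parse_xattrs(PYTHON_SCRIPT_HDR)
    return {
        "signed_binaries/signed": xattrs_match(sb, SIGNED_BINARY),
        "signed_binaries/unsigned": xattrs_match(sb, UNSIGNED_PYTHON),
        "python_script/signed_python": xattrs_match(ps, SIGNED_PYTHON),
        "python_script/signed_binary": xattrs_match(ps, SIGNED_BINARY),
        "python_script/unsigned_python": xattrs_match(ps, UNSIGNED_PYTHON),
    }

if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {'match' if ok else 'no match'}")
```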
