
Related Docs

AppArmor Policy Table of Contents

AppArmor Policy Namespaces Table of Contents

Cross namespace communication

Task 1 in ns1, task 2 in ns2

How permissions are resolved:

- if ns1 is parent and ns2 is child and visible (in view)
- if ns1 is sibling to ns2 and visible (i.e. in view)
- if ns1 is parent and ns2 is child (ns2 can't see ns1)
- if ns1 is sibling or sibling descendant to ns2 and not visible (ns1 can't see ns2, ns2 can't see ns1)

Namespaces and their interaction with Stacking

Namespaces can be used in combination with stacking to enforce confinement from different policy sets at the same time. This allows the system and a container to share a kernel while each enforces its own policy at the same time. The system can enforce restrictions on the container, and the container can have policy enforcing restrictions on the tasks in the container from the container's point of view.

For full details see Using Stacking in combination with Policy Namespaces.