Comment 18 for bug 1849753

John Johansen (jjohansen) wrote :

In response to Jamie's question in #12, the answer is no. Delegation works because it allows a subject with explicit access to an object to delegate that access to another. An important part of delegation is that it is not just delegating the object; inheritance and passing of the object are controlled beyond the initial passage of the object.

One of the problems with most traditional capability systems is they don't correctly allow control of the inherited object which has proved to be problematic and also does not map well back to a type system.

Allowing for an fd_inherit rule breaks the inheritance control in apparmor's delegation model.