[apparmor] [PATCH 12/27] apparmor: remove sid from profiles

John Johansen john.johansen at canonical.com
Wed Nov 21 17:13:05 UTC 2012


On 11/21/2012 08:28 AM, Kees Cook wrote:
> On Tue, Nov 20, 2012 at 08:39:52PM -0800, John Johansen wrote:
>> The sid is not going to be a direct property of a profile anymore, instead
>> it will be directly related to the label, and the profile will pickup
>> a label back reference.
>>
>> For null-profiles replace the use of sid with a per namespace unique
>> id.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
> 
> 
>> diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
>> index 95979c4..aadcbf8 100644
>> --- a/security/apparmor/include/policy.h
>> +++ b/security/apparmor/include/policy.h
>> @@ -127,6 +127,8 @@ struct aa_namespace {
>>  	struct aa_ns_acct acct;
>>  	struct aa_profile *unconfined;
>>  	struct list_head sub_ns;
>> +
>> +	atomic_t uniq_null;
>>  };
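Review bot: the new `atomic_t uniq_null` member carries no comment saying what it is for, and the commit message is the only place that explains it is the per-namespace unique id used in place of the sid for null profiles; a one-line comment on the member (e.g. `/* per-namespace unique id for null profiles */`) would keep policy.h self-describing. The hunk also does not show where the counter is initialised, so the namespace allocation path should be checked for a matching `atomic_set()` before this lands. Agree with dropping the stray blank line before the new member.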
> 
> Drop empty line?
> 
> After that,
> 
> Acked-by: Kees Cook <kees at ubuntu.com>
> 
> (Yay, no sid!)
> 
Sigh, I wish. We have to have a sid because it is used in audit, net, and some of the
ipc (signals). It's just that the sid will not be a direct property of the profile;
instead it's a property of the label, and there will be a sid table to look up labels,
and a label tree to look up labels via profiles.

And the labels themselves are of course sets of profiles. You are going to have fun
with the next set of patches.
