[apparmor] [PATCH v2] libapparmor: ENOENT should only signify label not found in label queries
Tyler Hicks
tyhicks at canonical.com
Sat Aug 10 01:27:11 UTC 2013
On 2013-08-09 18:23:42, Seth Arnold wrote:
> On Fri, Aug 09, 2013 at 12:11:02PM -0700, Tyler Hicks wrote:
> > It may be useful to applications that do AppArmor queries to know if the
> > subject label in the query is unknown to the kernel. For example, the
> > corresponding profile may have been removed/renamed.
> >
> > This patch eliminates all potential return locations of aa_query_label()
> > that may have errno set to ENOENT, except for the write() to
> > apparmorfs/.access that sets ENOENT when the subject label isn't found
> > by the kernel.
> >
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> >
> > After giving it some thought, we don't want to support applications doing test
> > queries during their initialization. However, it is helpful if applications can
> > be notified if the subject label in their query has been renamed/removed.
> >
> > * Changes in v2:
> > - Update changelog and function comments to *not* mention the possibility of
> > doing test queries
> > - Only mention that ENOENT signifies that the kernel doesn't know about the
> > subject label in the query
>
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
>
> It'd be nice if the comment at the top described the different
> EPROTONOSUPPORT vs EPROTO errors as well, but since all the source is
> there, it's not really pressing. Change or not as you wish. :)
I thought about doing that, but obviously didn't. For no good reason
other than that I didn't put a lot of thought into those errno values
and didn't want to commit to them with documentation. ENOENT is really
the only one that applications should be relying on at this time.
Does that sound reasonable?
Tyler
>
> Thanks
>
> > libraries/libapparmor/src/kernel_interface.c | 16 ++++++++++++----
> > 1 file changed, 12 insertions(+), 4 deletions(-)
> >
> > diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
> > index 34f9579..1b604fc 100644
> > --- a/libraries/libapparmor/src/kernel_interface.c
> > +++ b/libraries/libapparmor/src/kernel_interface.c
> > @@ -684,7 +684,9 @@ static void aafs_access_init_once(void)
> > * @audited: upon successful return, will be 1 if query should be audited and 0
> > * if not
> > *
> > - * Returns: 0 on success else -1 and sets errno
> > + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
> > + * ENOENT, the subject label in the query string is unknown to the
> > + * kernel.
> > */
> > int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> > int *audited)
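Review bot: the updated doc comment names ENOENT but stays silent on the other errno values the function now sets deliberately, EPROTONOSUPPORT when the open() of aafs_access fails with ENOENT and EPROTO when the write or the reply read returns an unexpected length. Since callers are being told to key off ENOENT, listing the others in the same comment, or at least stating that any other errno must be treated as an opaque failure, would make the contract complete.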
> > @@ -708,8 +710,11 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> > }
> >
> > fd = open(aafs_access, O_RDWR);
> > - if (fd == -1)
> > + if (fd == -1) {
> > + if (errno == ENOENT)
> > + errno = EPROTONOSUPPORT;
> > return -1;
> > + }
> >
> > memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
> > errno = 0;
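Review bot: the remap of ENOENT to EPROTONOSUPPORT after open() fails carries no comment explaining why, so a reader of the file on its own sees an errno being overwritten with no rationale. A one-line comment such as `/* a missing aafs_access means the kernel lacks the query interface; don't leak ENOENT, which callers read as 'label not found' */` would keep the next maintainer from reverting it. Other open() failures still pass through unchanged, which is the right behaviour.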
> > @@ -717,6 +722,10 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> > if (ret != size) {
> > if (ret >= 0)
> > errno = EPROTO;
> > + /* IMPORTANT: This is the only valid error path that can have
> > + * errno set to ENOENT. It indicates that the subject label
> > + * could not be found by the kernel.
> > + */
> > return -1;
> > }
> >
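Review bot: in the visible lines there is no close(fd) between the open() in the previous hunk and this early `return -1;`, so unless the elided line between the hunks closes it, a short or failed write leaks the descriptor (pre-existing rather than introduced here, but worth a follow-up since the read path in the next hunk does close fd). Separately, the IMPORTANT comment's claim that this is the only ENOENT path holds only because errno is zeroed before the write and a non-negative ret is mapped to EPROTO, leaving a negative ret to carry the kernel's errno from write(); spelling that out in the comment would make the reasoning explicit.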
> > @@ -725,8 +734,7 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> > (void)close(fd);
> > errno = saved;
> > if (ret != QUERY_LABEL_REPLY_LEN) {
> > - if (ret >= 0)
> > - errno = EPROTO;
> > + errno = EPROTO;
> > return -1;
> > }
> >
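Review bot: dropping the `if (ret >= 0)` guard means every short or failed read of the reply now reports EPROTO, including a genuine read() error whose errno was saved before close() and restored on the line just above; that `errno = saved;` restore is therefore only meaningful on the success path, and a real I/O error is no longer distinguishable from a malformed reply. If the goal is only to keep ENOENT out of this path, a narrower remap (set EPROTO when ret >= 0 or when the saved errno is ENOENT, keep the saved value otherwise) preserves diagnostics; if the blanket EPROTO is intentional, a comment saying so would help.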
> > --
> > 1.8.3.2
> >
> >
> > --
> > AppArmor mailing list
> > AppArmor at lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> >