[apparmor] [PATCH 18/36] apparmor: add basic support for implicit labeling of files
Seth Arnold
seth.arnold at canonical.com
Thu May 16 22:38:06 UTC 2013
On Wed, May 01, 2013 at 02:31:03PM -0700, John Johansen wrote:
> The labeling of files is implied by the set of rules and profiles.
> Add the ability to set implicit labels on files to reduce the number
> of path and rule lookups that are needed.
> +static bool __aa_label_remove(struct aa_labelset *ls, struct aa_label *label);
> +void aa_label_kref(struct kref *kref)
> +{
> + struct aa_label *l = container_of(kref, struct aa_label, count);
> + struct aa_labelset *ls = labels_set(l);
> + unsigned long flags;
> +
> +
> + write_lock_irqsave(&ls->lock, flags);
> + (void) __aa_label_remove(ls, l);
> + write_unlock_irqrestore(&ls->lock, flags);
> +
> + /* TODO: if compound label and not invalid add to reclaim cache */
> + call_rcu(&l->rcu, label_free_rcu);
> +}
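
Review bot: in aa_label_kref() the `(void)` cast discards the bool returned by __aa_label_remove(), so call_rcu() runs whether or not the label was actually taken out of the set. If a failed removal is expected at this point, say so in a comment next to the cast; otherwise check the result and warn, so an inconsistent labelset gets noticed. The doubled blank line after the declarations can also be dropped.
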
I know you said The Future would make this not matter, but
__aa_label_remove() and the locking could be replaced with
aa_label_remove() in this function.
> + label->sid = aa_alloc_sid();
> + if (label->sid == AA_SID_INVALID)
> + return false;
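
Review bot: the AA_SID_INVALID branch returns a bare false with label->sid left at the invalid value and no comment on what the caller has to do next. Document in the function comment what a false return means and whether the caller is expected to free the label in that case.
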
Not really a problem here, but under what kind of load would we
eventually wrap sids?
> +struct aa_label *aa_label_alloc(int size, gfp_t gfp)
> +{
> + struct aa_label *label;
> +
> + AA_WARN(size < 1);
> +
> + label = kzalloc(sizeof(*label) + sizeof(struct aa_label *) * (size - 1),
> + gfp);
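
Review bot: AA_WARN(size < 1) in aa_label_alloc() does not stop execution, so a bad size still reaches kzalloc(). With size == 0, (size - 1) is -1, the multiplication by sizeof(struct aa_label *) wraps in size_t arithmetic, and the request comes out one pointer smaller than sizeof(*label), so the returned label is undersized. Return NULL when size < 1, or take an unsigned size and reject 0, before computing the allocation length.
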
Can this be turned into BUG_ON? We'd never want size <= 0 here...
> @@ -915,7 +917,7 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
> const char **info)
> {
> if (profile) {
> - if (profile->flags & PFLAG_IMMUTABLE) {
> + if (profile->label.flags & FLAG_IMMUTABLE) {
> *info = "cannot replace immutible profile";
> return -EPERM;
> } else if (noreplace) {
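
Review bot: the info string on the context line directly under the changed test still reads "immutible". Since this branch is being touched for the FLAG_IMMUTABLE rename, correct the string to "immutable" in the same patch so the reported message matches the flag name.
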
"immutible"
Thanks