On 11/21/2012 08:28 AM, Kees Cook wrote:
> On Tue, Nov 20, 2012 at 08:39:52PM -0800, John Johansen wrote:
>> The sid is not going to be a direct property of a profile anymore, instead
>> it will be directly related to the label, and the profile will pick up
>> a label back reference.
>>
>> For null-profiles replace the use of sid with a per namespace unique
>> id.
>>
>> Signed-off-by: John Johansen <john.johan...@canonical.com>
>
>
>> diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
>> index 95979c4..aadcbf8 100644
>> --- a/security/apparmor/include/policy.h
>> +++ b/security/apparmor/include/policy.h
>> @@ -127,6 +127,8 @@ struct aa_namespace {
>> struct aa_ns_acct acct;
>> struct aa_profile *unconfined;
>> struct list_head sub_ns;
>> +
>> + atomic_t uniq_null;
>> };
>
> Drop empty line?
>
> After that,
>
> Acked-by: Kees Cook <k...@ubuntu.com>
>
> (Yay, no sid!)
>

Sigh, I wish. We have to have a sid because it is used in audit, net, and some of the ipc (signals). It's just that the sid will not be a direct property of the profile; instead it's a property of the label, and there will be a sid table to look up labels, and a label tree to look up labels via profiles.

And the labels themselves are of course sets of profiles. You are going to have fun with the next set of patches.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
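Review bot: the new `atomic_t uniq_null` member added to struct aa_namespace in the policy.h hunk has no comment and the hunk shows no initialization of it; since the commit message says this counter replaces the sid for null profiles, a one-line comment above the field (e.g. `/* next unique id for null profiles in this namespace */`) and an explicit atomic_set() where the namespace is allocated, rather than relying on zeroed memory, would make both its purpose and its starting value clear to readers of the header.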