On 11/21/2012 08:28 AM, Kees Cook wrote:
> On Tue, Nov 20, 2012 at 08:39:52PM -0800, John Johansen wrote:
>> The sid is not going to be a direct property of a profile anymore, instead
>> it will be directly related to the label, and the profile will pickup
>> a label back reference.
>>
>> For null-profiles replace the use of sid with a per namespace unique
>> id.
>>
>> Signed-off-by: John Johansen <john.johan...@canonical.com>
> 
> 
>> diff --git a/security/apparmor/include/policy.h 
>> b/security/apparmor/include/policy.h
>> index 95979c4..aadcbf8 100644
>> --- a/security/apparmor/include/policy.h
>> +++ b/security/apparmor/include/policy.h
>> @@ -127,6 +127,8 @@ struct aa_namespace {
>>      struct aa_ns_acct acct;
>>      struct aa_profile *unconfined;
>>      struct list_head sub_ns;
>> +
>> +    atomic_t uniq_null;
>>  };
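Review bot: `uniq_null` is added to `struct aa_namespace` without a comment saying what it is for; since the commit message says it replaces the sid as a per-namespace unique id for null profiles, a one-line comment above the field (e.g. `/* uniq id counter for null profiles */`) would document that. The hunk also does not show the counter being initialised, so whatever allocates the namespace needs to `atomic_set(&ns->uniq_null, 0)` or rely on a zeroed allocation; and the stray blank line before the field can go.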
> 
> Drop empty line?
> 
> After that,
> 
> Acked-by: Kees Cook <k...@ubuntu.com>
> 
> (Yay, no sid!)
> 
Sigh, I wish. We have to have a sid because it is used in audit, net, and some of the
ipc (signals). It's just that the sid will not be a direct property of the profile;
instead it's a property of the label, and there will be a sid table to look up labels,
and a label tree to look up labels via profiles.

And the labels themselves are of course sets of profiles. You are going to have fun
with the next set of patches.


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com