On 2013-08-09 18:23:42, Seth Arnold wrote:
> On Fri, Aug 09, 2013 at 12:11:02PM -0700, Tyler Hicks wrote:
> > It may be useful to applications that do AppArmor queries to know if the
> > subject label in the query is unknown to the kernel. For example, the
> > corresponding profile may have been removed/renamed.
> >
> > This patch eliminates all potential return locations of aa_query_label()
> > that may have errno set to ENOENT, except for the write() to
> > apparmorfs/.access that sets ENOENT when the subject label isn't found
> > by the kernel.
> >
> > Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
> > ---
> >
> > After giving it some thought, we don't want to support applications doing test
> > queries during their initialization. However, it is helpful if applications can
> > be notified if the subject label in their query has been renamed/removed.
> >
> > * Changes in v2:
> >   - Update changelog and function comments to *not* mention the possibility of
> >     doing test queries
> >   - Only mention that ENOENT signifies that the kernel doesn't know about the
> >     subject label in the query
>
> Acked-by: Seth Arnold <seth.arn...@canonical.com>
>
> It'd be nice if the comment at the top described the different
> EPROTONOSUPPORT vs EPROTO errors as well, but since all the source is
> there, it's not really pressing. Change or not as you wish. :)

I thought about doing that, but obviously didn't. For no good reason other than that I didn't put a lot of thought into those errno values and didn't want to commit to them with documentation. ENOENT is really the only one that I applications should be relying on at this time. Does that sound reasonable? Tyler > > Thanks > > > libraries/libapparmor/src/kernel_interface.c | 16 ++++++++++++---- > > 1 file changed, 12 insertions(+), 4 deletions(-) > > > > diff --git a/libraries/libapparmor/src/kernel_interface.c > > b/libraries/libapparmor/src/kernel_interface.c > > index 34f9579..1b604fc 100644 > > --- a/libraries/libapparmor/src/kernel_interface.c > > +++ b/libraries/libapparmor/src/kernel_interface.c > > @@ -684,7 +684,9 @@ static void aafs_access_init_once(void) > > * @audited: upon successful return, will be 1 if query should be audited > > and 0 > > * if not > > * > > - * Returns: 0 on success else -1 and sets errno > > + * Returns: 0 on success else -1 and sets errno. If -1 is returned and > > errno is > > + * ENOENT, the subject label in the query string is unknown to the > > + * kernel. > > */ > > int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed, > > int *audited) > > @@ -708,8 +710,11 @@ int aa_query_label(uint32_t mask, char *query, size_t > > size, int *allowed, > > } > > > > fd = open(aafs_access, O_RDWR); > > - if (fd == -1) > > + if (fd == -1) { > > + if (errno == ENOENT) > > + errno = EPROTONOSUPPORT; > > return -1; > > + } > > > > memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE); > > errno = 0; > > @@ -717,6 +722,10 @@ int aa_query_label(uint32_t mask, char *query, size_t > > size, int *allowed, > > if (ret != size) { > > if (ret >= 0) > > errno = EPROTO; > > + /* IMPORTANT: This is the only valid error path that can have > > + * errno set to ENOENT. It indicates that the subject label > > + * could not be found by the kernel. > > + */ > > return -1; > > } 
> > > > @@ -725,8 +734,7 @@ int aa_query_label(uint32_t mask, char *query, size_t > > size, int *allowed, > > (void)close(fd); > > errno = saved; > > if (ret != QUERY_LABEL_REPLY_LEN) { > > - if (ret >= 0) > > - errno = EPROTO; > > + errno = EPROTO; > > return -1; > > } > > > > -- > > 1.8.3.2 > > > > > > -- > > AppArmor mailing list > > AppArmor@lists.ubuntu.com > > Modify settings or unsubscribe at: > > https://lists.ubuntu.com/mailman/listinfo/apparmor > > > -- > AppArmor mailing list > AppArmor@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
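Review bot: In the `@@ -684,7 +684,9 @@` hunk, the updated "Returns:" comment documents only ENOENT, while the later hunks make the function set EPROTONOSUPPORT and EPROTO as well. If those values are intentionally not part of the contract, say so in the comment, for example that any errno other than ENOENT is unspecified and may change, so callers do not start branching on them.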
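Review bot: In the `@@ -708,8 +710,11 @@` hunk, the ENOENT to EPROTONOSUPPORT rewrite after `open(aafs_access, O_RDWR)` carries no comment, so a later cleanup could drop it and let a missing `.access` file look like an unknown subject label. Add a one-line comment above `if (errno == ENOENT)` stating that ENOENT is reserved for the write() path.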
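Review bot: In the `@@ -717,6 +722,10 @@` hunk, the `if (ret != size)` branch returns -1 without closing `fd`, which was opened just above, so every failed write(), including the unknown-label ENOENT case this patch documents, leaks a descriptor. Close it before returning and preserve errno around the close, as the read() path does with `(void)close(fd); errno = saved;`, so the ENOENT value still reaches the caller.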
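Review bot: In the `@@ -725,8 +734,7 @@` hunk, dropping the `if (ret >= 0)` guard means a failed read() now always reports EPROTO, so the errno restored by `errno = saved;` is discarded for every error, not only ENOENT. If the aim is only to keep ENOENT unique to the write() path, remap that one value the way the open() hunk does, for example `if (ret >= 0 || errno == ENOENT) errno = EPROTO;`.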