On Fri, 2012-06-15 at 22:38 +0200, intrigeri wrote:
> Hi John, Ben and all other involved ones,
>
> I'd like to see this moving forward, since the Wheezy freeze is coming
> soon. See below explicit questions.

Me too; thanks for the mail.

> John Johansen wrote (07 Jun 2012 16:45:36 GMT) :
> > On 06/07/2012 07:34 AM, Ben Hutchings wrote:
>
> >> If we don't want to restrict sockets used by the kernel, don't we need
> >> to store the kern flag for later use by aa_revalidate_sk()?
> >>
> > For how apparmor is generally deployed it can get away with this, the
> > kernel bits generally bail out earlier on the check for unconfined.
>
> > That is not to say it isn't a good idea, or that it shouldn't be done.
> > The fact is this patch is going to be replaced with completely rewritten
> > controls, that do store info on the socket, it just hasn't happened yet
> > due to resources and priorities (not my priorities).
>
> Ben, is this a blocker?

I want to be convinced that this is not a bug, or else get a fix for it.

> >> Since denied has already been masked with ~quiet_mask, this condition
> >> can never be true.
> >>
> > indeed
>
> Ben, is this a blocker?

[...]

This clearly is a bug and I want to be convinced that it is harmless or
else get a fix for it.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus