Re: [PATCH 04/13] AppArmor: core policy routines

[John Johansen]

On 07/15/2010 08:33 AM, Eric Paris wrote:
> On Wed, Jul 14, 2010 at 8:43 PM, John Johansen
> <john.johansen@xxxxxxxxxxxxx> wrote:
>> The basic routines and defines for AppArmor policy.  AppArmor policy
>> is defined by a few basic components.
>>      profiles - the basic unit of confinement contain all the information
>>                 to enforce policy on a task
>>
>>                 Profiles tend to be named after an executable that they
>>                 will attach to but this is not required.
>>      namespaces - a container for a set of profiles that will be used
>>                 during attachment and transitions between profiles.
>>      sids - which provide a unique id for each profile
>>
>> Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
>> ---
> 
>> +       PFLAG_MMAP_MIN_ADDR = 0x80,     /* profile controls mmap_min_addr */
> 
> You don't actually support this per ?domain? mmap_min_addr and I'm not
> sure how you ever can (given the nature of round_hint_to_min()) so
> maybe you should rip it all out rather than having the half
> implemented stuff in patches 4 and 6?

Right, it wasn't actually ever intended as a per domain value, just a constraint
on the domain setting the value.  As it currently isn't supported I will rip
those bits out.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/