Re: [AppArmor #5 0/13] AppArmor security module

From: Tetsuo Handa
Date: Sat Jul 17 2010 - 03:41:18 EST


John Johansen wrote:
> > void aa_info_message(const char *str)
> > {
> > 	struct common_audit_data sa;
> > 	COMMON_AUDIT_DATA_INIT_NONE(&sa);
> > 	sa.aad.info = str,
> > 	printk(KERN_INFO "AppArmor: %s\n", str);
> > 	if (audit_enabled)
> > 		aa_audit(AUDIT_APPARMOR_STATUS, NULL, GFP_KERNEL, &sa, NULL);
> > }
> >
It will work but you meant "sa.aad.info = str;" rather than "sa.aad.info = str,".

> > void aa_info_message(const char *str)
> > {
> > 	printk(KERN_INFO "AppArmor: %s\n", str);
> > 	if (audit_enabled) {
> > 		struct common_audit_data sa;
> > 		COMMON_AUDIT_DATA_INIT_NONE(&sa);
> > 		sa.aad.info = str;
> > 		aa_audit(AUDIT_APPARMOR_STATUS, NULL, GFP_KERNEL, &sa, NULL);
> > 	}
> > }
> >
> > ?
> >
> Anything more specific? :)
>
I thought you don't need to call COMMON_AUDIT_DATA_INIT_NONE() if !audit_enabled.
Maybe the compiler optimizes it implicitly...

> > static int apparmor_capable(struct task_struct *task, const struct cred *cred,
> > 			    int cap, int audit)
> > {
> > 	struct aa_profile *profile;
> > 	/* cap_capable returns 0 on success, else -EPERM */
> > 	int error = cap_capable(task, cred, cap, audit);
> >
> > 	profile = aa_cred_profile(cred);
> > 	if (!error && !unconfined(profile))
> > 		error = aa_capable(task, profile, cap, audit);
> >
> > 	return error;
> > }
> >
> > static int apparmor_capable(struct task_struct *task, const struct cred *cred,
> > 			    int cap, int audit)
> > {
> > 	/* cap_capable returns 0 on success, else -EPERM */
> > 	int error = cap_capable(task, cred, cap, audit);
> >
> > 	if (!error) {
> > 		struct aa_profile *profile;
> > 		profile = aa_cred_profile(cred);
> > 		if (!unconfined(profile))
> > 			error = aa_capable(task, profile, cap, audit);
> > 	}
> > 	return error;
> > }
> >
> > ?
> >
> ?
>
I thought you don't need to call aa_cred_profile() if cap_capable() returned an error.
If you meant to update profile even if cap_capable() returned an error, please add a comment.