[apparmor] re-enabling set profile
john.johansen at canonical.com
Thu Dec 16 07:26:58 GMT 2010
On 12/15/2010 04:25 PM, Seth Arnold wrote:
> So then, would you replace "unconfined:pid nnnnn" with the profile you really want?
Not exactly. I envision just re-enabling the /proc/<pid>/attr/ interface, and having it
set up the replacement profile struct using existing profiles.
> That'd force all unconfined tasks to check if they are being replaced on ..
> Some? All? LSM hooks?
Yep. It would be part of the unconfined/profile check done in select LSM hooks.
But this is already what we have to do now: replacement is no longer guaranteed
to roll out atomically, just that it will happen when the task is running.
Thankfully the check is lockless and has very low overhead.
Basically all we are doing is slightly enhancing the current profile replacement
mechanism, and leveraging it to do set profile. It won't entail any additional
checks in the case when a profile isn't being flagged as replaced, and only a
little extra when a profile is being replaced.