[apparmor] change_hat_v behavior
Steve Beattie
sbeattie at ubuntu.com
Sun Jul 18 01:55:23 BST 2010
On Fri, Jul 16, 2010 at 08:07:20PM -0700, John Johansen wrote:
> Currently AppArmor does not log change_hat probing failures as that is
> part of the api (a program may make several attempts to switch before
> it finds a matching hat).
This behavior can be particularly true of the mod_apparmor apache module,
where it can probe a few different hats before hitting one that exists.
And as far as I'm aware, mod_apparmor is the largest user of the
interface.
The current behavior logs change_hat calls for learning mode, correct?
> With the addition of change_hat_v a vector of hats is passed, and we
> could (but don't currently) log a message if no hats match. Do
> we want to make this change?
I think this makes sense. If nothing else, we can try it and back it
out if we don't like it.
What is the status of change_hat_v(), by the way? I've forgotten, and
regardless of what we decide here for logging, mod_apparmor should be
converted over to make use of change_hat_v().
Thanks, JJ.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
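As an added illustration that is not from this thread or from the AppArmor kernel or libapparmor code, the C below models the two semantics under discussion: a single-name change_hat probe that misses is part of the API contract and is not audited, while the vector form sees every candidate at once and can emit one audit message when none of them match. The profile, hat names and audit counter are constructed stand-ins.

```c
/* Added illustration, not AppArmor kernel or libapparmor code: models the
 * change_hat vs change_hat_v semantics from the thread; all data is constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
/* A confined profile and the hats it defines. */
struct profile {
    const char *name;
    const char *const *hats;
    size_t nhats;
};
/* Number of "no hat matched" audit messages emitted so far. */
static int audit_no_hat_msgs = 0;
static int hat_exists(const struct profile *p, const char *hat)
{
    for (size_t i = 0; i < p->nhats; i++)
        if (strcmp(p->hats[i], hat) == 0)
            return 1;
    return 0;
}

/* Single-name change_hat: a failed probe is part of the API contract
 * (the caller may try several names), so it is not audited. */
int change_hat(const struct profile *p, const char *hat)
{
    return hat_exists(p, hat) ? 0 : -1;
}

/* Vector form: every candidate is visible in one call, so when none exists
 * the kernel can log exactly one message without noise from ordinary probing.
 * Returns the index of the first matching hat, or -1 if none matched. */
int change_hat_v(const struct profile *p, const char *const *hats, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (hat_exists(p, hats[i]))
            return (int)i;
    audit_no_hat_msgs++;
    fprintf(stderr, "audit: no hat in vector matched for %s\n", p->name);
    return -1;
}

/* mod_apparmor style probing with the single-name call: most-specific name
 * first; a miss leaves no audit trace at all. */
int probe_sequentially(const struct profile *p, const char *const *hats, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (change_hat(p, hats[i]) == 0)
            return (int)i;
    return -1;
}
```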