[apparmor] [PATCH 6/6] Update documentation for change_hatv, change_hat_varags and change_onexec

Steve Beattie steve at nxnw.org
Fri Feb 18 04:46:27 UTC 2011


On Thu, Feb 17, 2011 at 08:30:06PM -0800, John Johansen wrote:
> On 02/17/2011 08:19 PM, Steve Beattie wrote:
> > On Thu, Feb 17, 2011 at 05:22:20PM -0800, John Johansen wrote:
> >> @@ -51,9 +71,6 @@ original profile will not happen, and the current task will be killed.
> >>  If the I<magic_token> matches the original token, then the process will
> >>  change back to the original profile.
> >>  
> >> -If the program wants to change to a subprofile that it can never
> >> -change back out of, the application should call aa_change_hat() with a
> >> -I<magic_token> of I<0>.
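Review bot: the removal at the end of this hunk deletes the only paragraph that says what a I<magic_token> of I<0> means, and the visible context adds nothing in its place. A reader of the updated page cannot tell how aa_change_hat() now treats a zero token or what to use for a one-way transition. Suggest replacing the removed paragraph with a sentence stating the current handling of a zero token and pointing to aa_change_profile() for transitions that are never reverted, noting that it changes to a separate profile rather than a hat within the current one.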
> > 
> > Has this behavior changed? While the preferred mechanism for a one-way
> > transition is to use aa_change_profile(), there is a slight semantic
> > difference in that aa_change_profile() changes to a separate (global)
> > profile, while aa_change_hat() can only change to a hat within the
> > current profile.
> > 
> 
> Yes it changed, with 2.4 (the rewrite that hit Karmic) IIRC.  We discussed
> this and it was decided the small semantic change was worth doing as we
> had change_profile and none of the consumers of change_hat were coded to
> deal with getting a 0 when generating their random token so that it was
> possible they would fail due to generating a 0 token.
> 
> It's true that change_profile isn't relative to the current profile
> like change_hat, but the best I can come up with now is adding a new
> fn as this is now what the upstream abi is.

No, I don't think an additional function is necessary. I just had
forgotten the discussion and semantic change.

ACK from me on the patch, with Seth's cleanups applied.

Thanks.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/