[apparmor] [PATCH] update aa_change_profile documentation to include ENOENT

Seth Arnold seth.arnold at gmail.com
Mon Oct 22 15:21:25 UTC 2012


This is great, thanks John.

Tiny typos: anamespace and Namespace. Ack :)
-----Original Message-----
From: John Johansen <john.johansen at canonical.com>
Date: Mon, 22 Oct 2012 00:36:49 
To: <seth.arnold at gmail.com>
Cc: apparmor<apparmor at lists.ubuntu.com>
Subject: Re: [apparmor] [PATCH] update aa_change_profile documentation to include ENOENT

On 10/21/2012 05:56 PM, Seth Arnold wrote:
> If I were debugging a problem here, I'd really want to know what influences visibility -- namespaces? apparmor permissions? (Cx pointing outside parent? Px pointing at incorrect name?)
> 
> If you can hit that in a short-and-sweet statement or pointer for more details that'd be great.
> 
Alright, I went back and checked, and currently the only case is not in the
namespace; permission denied is a different error code, and Px, Cx, etc.
don't play into this at all because it is just the API.

A new version of the patch is below, expanding on error codes for both
change_profile and change_hat.

---

=== modified file 'libraries/libapparmor/doc/aa_change_hat.pod'
--- libraries/libapparmor/doc/aa_change_hat.pod	2011-08-09 13:47:40 +0000
+++ libraries/libapparmor/doc/aa_change_hat.pod	2012-10-22 07:29:00 +0000
@@ -99,16 +99,25 @@
 
 =item B<EPERM>
 
-The calling application is not confined by apparmor.
+The calling application is not confined by apparmor, the specified
+I<subprofile> is not a I<hat profile>, the task is being ptraced and the
+tracing task does not have permission to trace the specified I<subprofile> or the no_new_privs execution bit is
+enabled.
 
 =item B<ECHILD>
 
 The application's profile has no hats defined for it.
 
+=item B<ENOENT>
+
+The specified I<subprofile> does not exist in this profile but other hats
+are defined.
+
 =item B<EACCES>
 
-The specified I<subprofile> does not exist in this profile or the
-process tried to change another process's domain.
+The specified magic token did not match, and permissions to change to
+the specified I<subprofile> has been denied. This will in most situations
+also result in the task being killed, to prevent brute force attacks.
 
 =back 
 
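Review bot: The new EPERM entry reads as a run-on list of four conditions with no separator before the last alternative, and the line beginning "tracing task does not have permission" runs far past the wrap width used by the rest of the pod; suggest re-wrapping and punctuating it as "…the specified I<subprofile> is not a I<hat profile>, the task is being ptraced and the tracing task does not have permission to trace the specified I<subprofile>, or the no_new_privs execution bit is enabled." In the EACCES entry, "permissions to change to the specified I<subprofile> has been denied" should be "permission … has been denied" (subject and verb disagree), and "brute force attacks" is usually hyphenated as "brute-force attacks". The ENOENT/ECHILD split (no hats at all vs. the named hat missing while others exist) is clear and matches the wording of the existing ECHILD entry.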

=== modified file 'libraries/libapparmor/doc/aa_change_profile.pod'
--- libraries/libapparmor/doc/aa_change_profile.pod	2012-02-16 00:34:03 +0000
+++ libraries/libapparmor/doc/aa_change_profile.pod	2012-10-22 07:35:42 +0000
@@ -74,8 +74,9 @@
 
 =item B<EINVAL>
 
-The apparmor kernel module is not loaded or the communication via the
-F</proc/*/attr/current> file did not conform to protocol.
+The apparmor kernel module is not loaded, neither a profile nor anamespace
+was specified or the communication via the F</proc/*/attr/current> file did
+not conform to protocol.
 
 =item B<ENOMEM>
 
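Review bot: "anamespace" in the EINVAL entry is missing a space and should be "a namespace" (the typo Seth already flagged); the sentence also needs a comma before the final alternative: "neither a profile nor a namespace was specified, or the communication via the F</proc/*/attr/current> file did not conform to protocol."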
@@ -83,12 +84,18 @@
 
 =item B<EPERM>
 
-The calling application is not confined by apparmor.
+The calling application is not confined by apparmor, or the no_new_privs
+bit is set.
 
 =item B<EACCES>
 
 The task does not have sufficient permissions to change its domain.
 
+=item B<ENOENT>
+
+The specified profile does not exist, or is not visible from the current
+Namespace.
+
 =back
 
 =head1 EXAMPLE
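Review bot: "Namespace" in the new ENOENT entry is capitalised mid-sentence and should be "namespace" (also flagged by Seth). The EPERM wording here ("the no_new_privs bit is set") differs from the aa_change_hat.pod hunk in the same patch ("the no_new_privs execution bit is enabled"); pick one phrasing and use it in both man pages so readers grepping for the condition find it consistently. Since ENOENT now covers "profile does not exist", consider adding a sentence to the EACCES entry making explicit that it is the permission check (not a lookup failure) that fails, mirroring the distinction the change_hat page now draws.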


