[apparmor] [PATCH v2] libapparmor: ENOENT should only signify label not found in label queries
Seth Arnold
seth.arnold at canonical.com
Sat Aug 10 01:23:42 UTC 2013
On Fri, Aug 09, 2013 at 12:11:02PM -0700, Tyler Hicks wrote:
> It may be useful to applications that do AppArmor queries to know if the
> subject label in the query is unknown to the kernel. For example, the
> corresponding profile may have been removed/renamed.
>
> This patch eliminates all potential return locations of aa_query_label()
> that may have errno set to ENOENT, except for the write() to
> apparmorfs/.access that sets ENOENT when the subject label isn't found
> by the kernel.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
>
> After giving it some thought, we don't want to support applications doing test
> queries during their initialization. However, it is helpful if applications can
> be notified if the subject label in their query has been renamed/removed.
>
> * Changes in v2:
> - Update changelog and function comments to *not* mention the possibility of
> doing test queries
> - Only mention that ENOENT signifies that the kernel doesn't know about the
> subject label in the query
Acked-by: Seth Arnold <seth.arnold at canonical.com>
It'd be nice if the comment at the top described the different
EPROTONOSUPPORT vs EPROTO errors as well, but since all the source is
there, it's not really pressing. Change or not as you wish. :)
Thanks
> libraries/libapparmor/src/kernel_interface.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
> index 34f9579..1b604fc 100644
> --- a/libraries/libapparmor/src/kernel_interface.c
> +++ b/libraries/libapparmor/src/kernel_interface.c
> @@ -684,7 +684,9 @@ static void aafs_access_init_once(void)
> * @audited: upon successful return, will be 1 if query should be audited and 0
> * if not
> *
> - * Returns: 0 on success else -1 and sets errno
> + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
> + * ENOENT, the subject label in the query string is unknown to the
> + * kernel.
> */
> int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> int *audited)
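Review bot: the Returns comment now documents ENOENT but still leaves the other errno values this function sets itself undocumented: EPROTONOSUPPORT when apparmorfs/.access cannot be opened (the remapped ENOENT from open() further down) and EPROTO when the write() is short or the read() does not return QUERY_LABEL_REPLY_LEN. Since callers are now expected to branch on errno, spell out all three in the comment, e.g. "EPROTONOSUPPORT: the kernel does not provide the label query interface; EPROTO: unexpected reply from the kernel".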
> @@ -708,8 +710,11 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> }
>
> fd = open(aafs_access, O_RDWR);
> - if (fd == -1)
> + if (fd == -1) {
> + if (errno == ENOENT)
> + errno = EPROTONOSUPPORT;
> return -1;
> + }
>
> memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
> errno = 0;
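Review bot: the ENOENT to EPROTONOSUPPORT translation in the open() failure path folds two distinct conditions, apparmorfs not mounted and a kernel that does not expose .access at all, into one errno; that is acceptable for the stated goal of reserving ENOENT for an unknown subject label, but the reason belongs in a one-line comment next to the remap rather than only in the commit message. Other open() failures (EACCES for an unprivileged caller, for instance) pass through unchanged, which is the right behaviour and worth stating in the same comment.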
> @@ -717,6 +722,10 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> if (ret != size) {
> if (ret >= 0)
> errno = EPROTO;
> + /* IMPORTANT: This is the only valid error path that can have
> + * errno set to ENOENT. It indicates that the subject label
> + * could not be found by the kernel.
> + */
> return -1;
> }
>
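Review bot: the early return on a failed or short write() appears to leave fd open: the only close(fd) visible is after the read() in the next hunk, so every query that fails here, including the ENOENT case this patch turns into a supported, application-visible outcome, leaks a descriptor per call. Close fd before returning and preserve errno across the close the way the read path already does (saved = errno; (void)close(fd); errno = saved). The new comment is also stronger than the code can guarantee: write() yields ENOENT here only because the kernel reserves it for "subject label not found", so the comment should say it relies on the apparmorfs/.access interface contract rather than on anything checked in this function.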
> @@ -725,8 +734,7 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> (void)close(fd);
> errno = saved;
> if (ret != QUERY_LABEL_REPLY_LEN) {
> - if (ret >= 0)
> - errno = EPROTO;
> + errno = EPROTO;
> return -1;
> }
>
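Review bot: making errno = EPROTO unconditional on a short or failed read() masks the real failure when read() returns -1 (the saved = errno / errno = saved pair two lines above now preserves a value that is immediately overwritten on the error path). If the intent is only to keep ENOENT from escaping this function, restrict the override to that case and to short reads, e.g. `if (ret >= 0 || errno == ENOENT) errno = EPROTO;`, so that genuine read errors still reach the caller.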
> --
> 1.8.3.2