[apparmor] [PATCH 18/32] apparmor: provide base for multiple profiles to be replaced at once
Seth Arnold
seth.arnold at canonical.com
Sat Jan 26 01:15:51 UTC 2013
On Wed, Jan 16, 2013 at 01:28:47PM -0800, John Johansen wrote:
> /**
> * verify_head - unpack serialized stream header
> * @e: serialized data read head (NOT NULL)
> + * @required: whether the header is required or optional
> * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
> *
> * Returns: error or 0 if header is good
> */
> +static int verify_header(struct aa_ext *e, int required, const char **ns)
> {
> int error = -EPROTONOSUPPORT;
> + const char *name = NULL;
> +
> /* get the interface version */
> if (!unpack_u32(e, &e->version, "version")) {
> + if (required) {
> + audit_iface(NULL, NULL, "invalid profile format", e, error);
> + return error;
> + }
>
> + /* check that the interface version is currently supported */
> + if (e->version != 5) {
> + audit_iface(NULL, NULL, "unsupported interface version",
> + e, error);
> + return error;
> + }
> }
>
> +
> /* read the namespace if present */
> + if (unpack_str(e, &name, "namespace")) {
> + if (*ns && strcmp(*ns, name)) {
> + audit_iface(NULL, NULL, "invalide ns change", e, error);
> + } else if (!*ns)
> + *ns = name;
> + }
>
> return 0;
> }
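Review bot: In verify_header(), the `if (e->version != 5)` check sits inside the `if (!unpack_u32(e, &e->version, "version"))` block as the braces pair up in this quote, so it runs only when the version could not be read and the header is optional. A version that was read successfully is never compared with 5, and the policy blob goes on to be parsed whatever interface version it declares; closing the failure block right after the `required` branch, so the check runs on every path, would fix this. Separately, the `*ns && strcmp(*ns, name)` branch only calls `audit_iface()` and then falls through to `return 0`, so a later header naming a different namespace is logged but still accepted; adding `return error;` after that call would reject it. The quote has lost its indentation and its removed lines, so both points are read from the brace pairing and should be confirmed against the full patch.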
Spelling error, "invalide". :)
How is *ns supposed to work here? verify_header() appears to be called
from aa_unpack(), which is called from aa_replace_profiles(), where the
value does not appear to be set:
ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
{
struct aa_policy *policy;
struct aa_profile *old_profile = NULL, *new_profile = NULL;
struct aa_profile *rename_profile = NULL;
struct aa_namespace *ns = NULL;
const char *ns_name, *name = NULL, *info = NULL; /* XXX */
int op = OP_PROF_REPL;
ssize_t error;
/* released below */
new_profile = aa_unpack(udata, size, &ns_name);
/* ... */
struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns)
{
struct aa_profile *profile = NULL;
int error;
struct aa_ext e = {
.start = udata,
.end = udata + size,
.pos = udata,
};
error = verify_header(&e, ns); /* XXX */
Thanks