[apparmor] [PATCH 18/32] apparmor: provide base for multiple profiles to be replaced at once
John Johansen
john.johansen at canonical.com
Sat Jan 26 09:21:44 UTC 2013
On 01/26/2013 12:40 AM, Seth Arnold wrote:
> On Fri, Jan 25, 2013 at 11:50:20PM -0800, John Johansen wrote:
>>>> + if (unpack_str(e, &name, "namespace")) {
>>>> + if (*ns && strcmp(*ns, name)) {
>>>> + audit_iface(NULL, NULL, "invalide ns change", e, error);
>>>> + } else if (!*ns)
>>>> + *ns = name;
>
>> the ns from the pack stream is only set if the policy being loaded
>> specifies one. We only get into the conditional block setting it if
>>
>> + if (unpack_str(e, &name, "namespace")) {
>>
>> succeeds.
>>
>> If its not specified then it should be, but isn't, set to null *sigh*
>
> Okay, so the first branch (*ns && strcmp(*ns, name)) is aimed primarily
> at a future use where the kernel loading code _expects_ a namespace in
> the packed stream (LXC?) and the "else if (!*ns)" is the code path that
> you _wanted_ to be default when the packed stream sets a namespace, but
> because the = NULL is missing in aa_replace_profiles(), is accidentally
> skipped?
>
> Is that about right?
>
err not exactly. If namespace is specified here its, loading profiles
into a child namespace. So preseeding the child, this can certainly be
used with lxc but really any case where namespaces are used.
Eg. For stress testing I like to run a few copies of the test suite
at the same time, out of the same directory. I have taken to doing
things like
for i in `seq 1 10` ; do aa-namespace -n tests$i ; sudo aa-exec -p :test$i://unconfined make tests &; done
which will run the test suite 10 times, one each in a different
policy namespace. This lets the testsuite profile replacements not
need to worry about competing replacements on profiles as the
same set of test programs is reused in different ways through out
the test suite
> Where else might eventually call aa_unpack _without_ wanting to know the
> namespace set in a stream? Could the if(!*ns) go away and just write
> into *ns regardless? It feels like it'll always be needed.
>
so I have updated to do
*ns = NULL;
on fn entry, so it will be null unless a namespace is specified.
aa_replace_profiles will then properly inherit the current namespace
if no name is specified.
We don't want to specify the current namespace name here because
that would be specifying the name of a child namespace.
That is I may be in namespace foo, and it could have a child namespace
foo.
More information about the AppArmor
mailing list