[apparmor] [PATCH 22/32] apparmor: update how unconfined is handled
seth.arnold at canonical.com
Thu Jan 31 01:46:42 UTC 2013
On Wed, Jan 16, 2013 at 01:28:51PM -0800, John Johansen wrote:
> ns->unconfined is being used read side without locking or RCU, but is
> being updated when a namespace is removed. This works for the root ns
> which is never removed but has a race window and can cause failures when
> child namespaces are removed.
> Also ns and ns->unconfined have a circular refcounting dependency that
> is problematic and must be broken. Currently this is done incorrectly
> when the namespace is destroyed.
> Fix this by forward referencing unconfined via the replacedby infrastructure
> instead of directly updating the ns->unconfined pointer.
> Remove the circular refcount dependency by making the ns and its unconfined
> profile share the same refcount.
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>