[apparmor] [PATCH 22/32] apparmor: update how unconfined is handled
Seth Arnold
seth.arnold at canonical.com
Thu Jan 31 01:46:42 UTC 2013
On Wed, Jan 16, 2013 at 01:28:51PM -0800, John Johansen wrote:
> ns->unconfined is being used read side without locking, nor rcu but is
> being updated when a namespace is removed. This works for the root ns
> which is never removed but has a race window and can cause failures when
> children namespaces are removed.
>
> Also ns and ns->unconfined have a circular refcounting dependency that
> is problematic and must be broken. Currently this is done incorrectly
> when the namespace is destroyed.
>
> Fix this by forward referencing unconfined via the replacedby infrastructure
> instead of directly updating the ns->unconfined pointer.
>
> Remove the circular refcount dependency by making the ns and its unconfined
> profile share the same refcount.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks