[apparmor] [PATCH 24/32] apparmor: allow setting any profile into the unconfined state

John Johansen john.johansen at canonical.com
Thu Jan 31 09:44:12 UTC 2013

On 01/30/2013 11:01 PM, Seth Arnold wrote:
> On Wed, Jan 16, 2013 at 01:28:53PM -0800, John Johansen wrote:
>> Allow emulating the default profile behavior from boot, by allowing
>> loading of a profile in the unconfined state into a new NS.
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> @@ -198,7 +198,7 @@ struct aa_profile {
>>  	struct aa_dfa *xmatch;
>>  	int xmatch_len;
>>  	enum audit_mode audit;
>> -	enum profile_mode mode;
>> +	long mode;
> I didn't see anything that required this change in the patch -- is that
> coming in the future, too?
no. Its there just perhaps not obvious. We need to guarentee mode is long
for alignment and atomic read/write purposes.

The don't need an atomic read/modify/write cycle like atomic ops give
just the guarentee that the data will read/written as a single unit.

We look at the long flags locklessly, on the read side but can handle them
being a little stale, and on the write side the modification are protected
by a lock.

More information about the AppArmor mailing list