[apparmor] [PATCH 24/32] apparmor: allow setting any profile into the unconfined state
John Johansen
john.johansen at canonical.com
Thu Jan 31 09:44:12 UTC 2013
On 01/30/2013 11:01 PM, Seth Arnold wrote:
> On Wed, Jan 16, 2013 at 01:28:53PM -0800, John Johansen wrote:
>> Allow emulating the default profile behavior from boot, by allowing
>> loading of a profile in the unconfined state into a new NS.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>
>> @@ -198,7 +198,7 @@ struct aa_profile {
>> struct aa_dfa *xmatch;
>> int xmatch_len;
>> enum audit_mode audit;
>> - enum profile_mode mode;
>> + long mode;
>
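Review bot: The switch from `enum profile_mode mode` to `long mode` in struct aa_profile carries no comment and is not mentioned in the commit message, so the field loses its self-documenting type with no stated reason. Suggest a comment on the field saying that it still holds `enum profile_mode` values and why it has to be a `long`, and a line in the changelog covering the type change, since the message only describes loading a profile in the unconfined state.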
> I didn't see anything that required this change in the patch -- is that
> coming in the future, too?
>
No. It's there, just perhaps not obvious. We need to guarantee mode is long
for alignment and atomic read/write purposes.
We don't need an atomic read/modify/write cycle like atomic ops give,
just the guarantee that the data will be read/written as a single unit.
We look at the long flags locklessly on the read side but can handle them
being a little stale, and on the write side the modifications are protected
by a lock.