[apparmor] [PATCH 23/32] apparmor: provide the ability to boot with a default profile set on init

John Johansen john.johansen at canonical.com
Thu Jan 31 09:52:06 UTC 2013


On 01/30/2013 10:59 PM, Seth Arnold wrote:
> On Wed, Jan 30, 2013 at 10:27:49PM -0800, Seth Arnold wrote:
>>> -	/* unconfined profiles don't have a mode string appended */
>>> -	if (!unconfined(profile))
>>> +	/* 'unconfined' profile don't have a mode string appended */
>>> +	unconfined = unconfined(profile) && profile == profile->ns->unconfined;
>>> +	if (!unconfined)
>>>  		mode_len = strlen(mode_str) + 3;	/* + 3 for _() */
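Review bot: the new local `unconfined` on the `+ unconfined = unconfined(profile) && ...` line has the same name as the `unconfined()` helper it calls in the same expression; in C a variable of that name in scope shadows the function, so either the declaration (not visible in this hunk) is somewhere that avoids the clash or the variable should be renamed to something like `is_ns_unconfined` to keep the expression readable. The `unconfined(profile) &&` term is also redundant: `profile == profile->ns->unconfined` already implies it, so the condition can be just that comparison. Minor: the rewritten comment should read "'unconfined' profile doesn't have a mode string appended".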
>>
>> Oh, this is a bit unfortunate. (Also, && feels wrong, should it be
>> ||?) Can unconfined() be extended to handle this case? Would it be
>> wrong elsewhere?
> 
> Okay, ignore the second bit here, the next patch explains it. :)
>
Well, yes and no. We are putting out a mode except on the "unconfined"
profile. So even if the profile is in the unconfined state it still
gets a mode.

As much as I'd like to stick a mode on "unconfined", that breaks with
what is expected, so we will keep the exception there.

> I'm still curious about && vs || though.
> 
Because I should have thought about it more. || isn't what we are trying
to do here; the 'unconfined' profile will be caught by unconfined(profile),
so there would be no need for it.

What we actually want is: don't print a mode if the profile is the
namespace's 'unconfined' profile, so we can actually drop the && and
just go with

  profile == profile->ns->unconfined
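Added example, not part of the thread and not AppArmor's own code: a small C model of the rule discussed above, written to make the distinction concrete. The `model_profile`, `model_ns` and `model_profile_label` names, and the sample profiles, are constructed for illustration; the point shown is that a profile whose mode happens to be "unconfined" still gets " (mode)" appended, while the namespace's own 'unconfined' profile does not.

```c
/* Constructed model of the "append a mode string unless this is the
 * namespace's 'unconfined' profile" rule.  Not AppArmor's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

struct model_ns;

/* A profile: its name, its current mode and the namespace it belongs to. */
struct model_profile {
	const char *name;
	const char *mode_str;	/* e.g. "enforce", "complain", "unconfined" */
	struct model_ns *ns;
};

/* A namespace only needs to know which profile is its 'unconfined' one. */
struct model_ns {
	struct model_profile *unconfined;
};

/* The check the thread settles on: identity with ns->unconfined, nothing
 * about the profile's mode.  A separate test of the mode is redundant. */
static bool is_ns_unconfined(const struct model_profile *p)
{
	return p == p->ns->unconfined;
}

/* Returns a newly allocated "name" or "name (mode)"; the caller frees it. */
char *model_profile_label(const struct model_profile *p)
{
	size_t len = strlen(p->name) + 1;	/* + 1 for the NUL */
	size_t mode_len = 0;
	char *out;

	if (!is_ns_unconfined(p))
		mode_len = strlen(p->mode_str) + 3;	/* + 3 for " ()" */

	out = malloc(len + mode_len);
	if (!out)
		return NULL;
	if (mode_len)
		snprintf(out, len + mode_len, "%s (%s)", p->name, p->mode_str);
	else
		snprintf(out, len + mode_len, "%s", p->name);
	return out;
}

/* Constructed scenario: one namespace whose 'unconfined' profile is
 * demo_unconfined, plus a regular profile shown in two different modes.
 * which: 0 = the namespace's 'unconfined' profile,
 *        1 = a regular profile whose mode is "unconfined",
 *        2 = a regular profile in enforce mode. */
const char *model_scenario_label(int which)
{
	static struct model_ns demo_ns;
	static struct model_profile demo_unconfined = { "unconfined", "unconfined", &demo_ns };
	static struct model_profile demo_foo_unconfined = { "/usr/bin/foo", "unconfined", &demo_ns };
	static struct model_profile demo_foo_enforce = { "/usr/bin/foo", "enforce", &demo_ns };
	const struct model_profile *p;

	demo_ns.unconfined = &demo_unconfined;
	switch (which) {
	case 0: p = &demo_unconfined; break;
	case 1: p = &demo_foo_unconfined; break;
	default: p = &demo_foo_enforce; break;
	}
	return model_profile_label(p);	/* leaked on purpose: demo only */
}

int main(void)
{
	int i;

	for (i = 0; i < 3; i++)
		printf("%s\n", model_scenario_label(i));
	return 0;
}
```

Running it prints `unconfined`, then `/usr/bin/foo (unconfined)`, then `/usr/bin/foo (enforce)`: only the namespace's own 'unconfined' profile is printed bare, which is the exception John wants to keep.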
