[apparmor] [PATCH 23/32] apparmor: provide the ability to boot with a default profile set on init
john.johansen at canonical.com
Thu Jan 31 09:52:06 UTC 2013
On 01/30/2013 10:59 PM, Seth Arnold wrote:
> On Wed, Jan 30, 2013 at 10:27:49PM -0800, Seth Arnold wrote:
>>> - /* unconfined profiles don't have a mode string appended */
>>> - if (!unconfined(profile))
>>> + /* 'unconfined' profile don't have a mode string appended */
>>> + unconfined = unconfined(profile) && profile == profile->ns->unconfined;
>>> + if (!unconfined)
>>> mode_len = strlen(mode_str) + 3; /* + 3 for _() */
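Review bot: In the added assignment, the new local is named unconfined, the same as the unconfined() it is assigned from. That only works if unconfined() is a function-like macro, and it makes "if (!unconfined)" easy to misread as the old "if (!unconfined(profile))". A distinct name (for example ns_unconfined, a hypothetical name) would avoid both problems. The new comment should also read "profile doesn't" and say that it means the namespace's 'unconfined' profile, since the condition now compares against profile->ns->unconfined.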
>> Oh, this is a bit unfortunate. (Also, && feels wrong, should it be
>> ||?) Can unconfined() be extended to handle this case? Would it be
>> wrong elsewhere?
> Okay, ignore the second bit here, the next patch explains it. :)
Well, yes and no. We are putting out a mode except on the "unconfined"
profile. So even if the profile is in the unconfined state it still
gets a mode.
As much as I'd like to stick a mode on "unconfined", that breaks with
what is expected, so we will keep the exception there.
> I'm still curious about && vs || though.
Because I should have thought about it more. || isn't what we are trying
to do here; the 'unconfined' profile will be caught by unconfined(profile),
so there would be no need for it.
What we actually want is: don't print a mode if the profile is the
namespace's 'unconfined' profile, so we can actually drop the && and
just go with
    profile == profile->ns->unconfined