[apparmor] [PATCH RFC] Add profile-based libapparmor query interface
John Johansen
john.johansen at canonical.com
Fri Mar 8 02:07:30 UTC 2013
On 03/07/2013 04:26 PM, Seth Arnold wrote:
> On Thu, Mar 07, 2013 at 04:17:39PM -0800, Tyler Hicks wrote:
>>> Am I just overcomplicating things?
>>
>> No, it is a potentially valid use case but I'm trying to keep this
>> interface simple so that most applications don't have to worry about
>> bitwise operations of four permission masks that come from the kernel.
>> It seems like overkill to me in most cases.
>
> Getting the bitfiddling right in one place sounds like a good idea to
> me, too :)
>
>> Does the AA kernel code do any type of audit rate limiting like this?
>
> I thought it had some rate limiting in place, but now all I see is some
> debugging code:
>
it mostly relies on printk_ratelimit() and the audit subsystem throwing
away messages when it hits its limit. However there we do so simple
duplicate message elimination in the capability code.
/* Do simple duplicate message elimination */
ent = &get_cpu_var(audit_cache);
if (profile == ent->profile && cap_raised(ent->caps, cap)) {
put_cpu_var(audit_cache);
if (COMPLAIN_MODE(profile))
return complain_error(error);
return error;
More information about the AppArmor
mailing list