[apparmor] [PATCH 10/36] apparmor: allow setting any profile into the unconfined state
Seth Arnold
seth.arnold at canonical.com
Thu May 9 01:51:09 UTC 2013
On Wed, May 01, 2013 at 02:30:55PM -0700, John Johansen wrote:
> Allow emulating the default profile behavior from boot, by allowing
> loading of a profile in the unconfined state into a new NS.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

... with the caveat / note that the following hunk _may_ require
userspace changes. (Those changes may already have been made.)

> index 69894ad..c69f7c4 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -510,12 +510,16 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
> goto fail;
> if (!unpack_u32(e, &tmp, NULL))
> goto fail;
> - if (tmp)
> + if (tmp & PACKED_FLAG_HAT)
> profile->flags |= PFLAG_HAT;
> if (!unpack_u32(e, &tmp, NULL))
> goto fail;
> - if (tmp)
> + if (tmp == PACKED_MODE_COMPLAIN)
> profile->mode = APPARMOR_COMPLAIN;
> + else if (tmp == PACKED_MODE_KILL)
> + profile->mode = APPARMOR_KILL;
> + else if (tmp == PACKED_MODE_UNCONFINED)
> + profile->mode = APPARMOR_UNCONFINED;
> if (!unpack_u32(e, &tmp, NULL))
> goto fail;
> if (tmp)
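
Review bot: the mode chain starting at "if (tmp == PACKED_MODE_COMPLAIN)" has no final else, so a packed value that matches none of the three constants is accepted silently and leaves profile->mode at whatever it held before the unpack, where the old "if (tmp)" mapped every nonzero value to complain. Consider rejecting unrecognised values with "goto fail", or adding a comment that the fall-through is intended. The same applies to "tmp & PACKED_FLAG_HAT": it now looks at one bit where the old test treated any nonzero value as a hat, so a policy blob written by an older compiler could unpack differently. The PACKED_* definitions are not part of this hunk, so their values should be checked against what userspace actually emits.
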
Thanks