[apparmor] [PATCH 15/36] apparmor: Add profile introspection file to interface

John Johansen john.johansen at canonical.com
Wed May 15 01:01:22 UTC 2013


On 05/14/2013 05:27 PM, Seth Arnold wrote:
> On Wed, May 01, 2013 at 02:31:00PM -0700, John Johansen wrote:
>> Add the dynamic profiles file to the interface, to allow load policy
>> introspection.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> Acked-by: Kees Cook <kees at ubuntu.com>
> 
>> +/**
>> + * __next_profile - step to the next profile in a profile tree
>> + * @profile: current profile in tree (NOT NULL)
>> + *
>> + * Perform a depth first taversal on the profile tree in a namespace
> 
> 'taversal'

nah I'd rather use 'traversal'

> 
>> + * Returns: next profile or NULL if done
>> + * Requires: profile->ns.lock to be held
>> + */
>> +static struct aa_profile *__next_profile(struct aa_profile *p)
>> +{
>> +	struct aa_profile *parent;
>> +	struct aa_namespace *ns = p->ns;
>> +
>> +	/* is next profile a child */
>> +	if (!list_empty(&p->base.profiles))
>> +		return list_first_entry(&p->base.profiles, typeof(*p),
>> +					base.list);
>> +
>> +	/* is next profile a sibling, parent sibling, gp, subling, .. */
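
Review bot: the kernel-doc for __next_profile() describes a parameter `@profile`, but the signature names it `p`, so the comment and the function disagree. Either rename the parameter or change the doc line to `@p: current profile in tree (NOT NULL)`, and make the `Requires: profile->ns.lock to be held` line use the same name.
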
> 
> 'subling'
> 
what you don't have 'sublings'? I swear a couple of my siblings are
sublings :)

>> +/**
>> + * seq_show_profile - show a profile entry
>> + * @f: seq_file to file
>> + * @p: current position (profile)    (NOT NULL)
>> + *
>> + * Returns: error on failure
>> + */
>> +static int seq_show_profile(struct seq_file *f, void *p)
>> +{
>> +	struct aa_profile *profile = (struct aa_profile *)p;
>> +	struct aa_namespace *root = f->private;
>> +
>> +	if (profile->ns != root)
>> +		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
>> +	seq_printf(f, "%s (%s)\n", profile->base.hname,
>> +		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
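
Review bot: the kernel-doc for seq_show_profile() says `Returns: error on failure`, but in the quoted lines neither seq_printf() result is checked, so nothing from those calls can reach the caller as an error. Either check and propagate them or make the Returns line state what is actually returned. `@f: seq_file to file` also reads like a typo for "fill", and the explicit `(struct aa_profile *)` cast is not needed when converting from `void *` in C.
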
> 
> Now that unconfined is a mode, should this be made more complicated to
> reflect (unconfined) as well?
> 
there is an update to the mode output, it just comes in a different patch



